What is the best practice to fix SSRF?
I want to make a bookmarking app. It will automatically fetch data from entered by user URL. I know that if I just send any user-entered URLs it causes SSRF. I think I can use an external HTTP proxy to prevent GET requests to localhost. Where should I place a proxy? Can HTTP proxy like Dante connect to the localhost?
security web-applications websecurity ssrf
asked Jan 2 at 4:19
CookieCookie
87110
add a comment |
I want to make a bookmarking app. It will automatically fetch data from entered by user URL. I know that if I just send any user-entered URLs it causes SSRF. I think I can use an external HTTP proxy to prevent GET requests to localhost. Where should I place a proxy? Can HTTP proxy like Dante connect to the localhost?
security web-applications websecurity ssrf
asked Jan 2 at 4:19
CookieCookie
87110
add a comment |
I want to make a bookmarking app. It will automatically fetch data from entered by user URL. I know that if I just send any user-entered URLs it causes SSRF. I think I can use an external HTTP proxy to prevent GET requests to localhost. Where should I place a proxy? Can HTTP proxy like Dante connect to the localhost?
security web-applications websecurity ssrf
asked Jan 2 at 4:19
CookieCookie
87110
I want to make a bookmarking app. It will automatically fetch data from entered by user URL. I know that if I just send any user-entered URLs it causes SSRF. I think I can use an external HTTP proxy to prevent GET requests to localhost. Where should I place a proxy? Can HTTP proxy like Dante connect to the localhost?
security web-applications websecurity ssrf
security web-applications websecurity ssrf
asked Jan 2 at 4:19
CookieCookie
87110
asked Jan 2 at 4:19
CookieCookie
87110
asked Jan 2 at 4:19
CookieCookie
87110
asked Jan 2 at 4:19
CookieCookie
87110
asked Jan 2 at 4:19
CookieCookie
87110
87110
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a white list of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb, you should avoid using user input directly in functions that can make requests on behalf of the server.And there are multiple ways to do this either in application configuration or use a WAF perhaps.
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54001147%2fwhat-is-the-best-practice-to-fix-ssrf%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a white list of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb, you should avoid using user input directly in functions that can make requests on behalf of the server.And there are multiple ways to do this either in application configuration or use a WAF perhaps.
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
add a comment |
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a white list of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb, you should avoid using user input directly in functions that can make requests on behalf of the server.And there are multiple ways to do this either in application configuration or use a WAF perhaps.
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
add a comment |
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a white list of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb, you should avoid using user input directly in functions that can make requests on behalf of the server.And there are multiple ways to do this either in application configuration or use a WAF perhaps.
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
To prevent SSRF vulnerabilities in your web applications, it is strongly advised to use a white list of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb, you should avoid using user input directly in functions that can make requests on behalf of the server.And there are multiple ways to do this either in application configuration or use a WAF perhaps.
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
answered Jan 3 at 5:23
Soumen MukherjeeSoumen Mukherjee
1,170517
1,170517
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54001147%2fwhat-is-the-best-practice-to-fix-ssrf%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
