CodeQL documentation

Uncontrolled data used in network request

ID: go/request-forgery
Kind: path-problem
Security severity: 9.1
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-918
Query suites:
  - go-code-scanning.qls
  - go-security-extended.qls
  - go-security-and-quality.qls


Directly incorporating user input into an HTTP request without validating the input can facilitate different kinds of request forgery attacks, where the attacker essentially controls the request. If the vulnerable request is in server-side code, then security mechanisms, such as external firewalls, can be bypassed. If the vulnerable request is in client-side code, then unsuspecting users can send malicious requests to other servers, potentially resulting in a DDoS attack.

Recommendation

To guard against request forgery, it is advisable to avoid putting user input directly into a network request. If a flexible network request mechanism is required, it is recommended to maintain a list of authorized request targets and choose from that list based on the user input provided.

Example

The following example shows an HTTP request parameter being used directly in a URL request without validating the input, which facilitates an SSRF attack. The request http.Get(...) is vulnerable since attackers can choose the value of target to be anything they want. For instance, the attacker can choose "internal.example.com/#" as the target, causing the URL used in the request to be "https://internal.example.com/#.example.com/data".

A request to https://internal.example.com may be problematic if that server is not meant to be directly accessible from the attacker’s machine.

package main

import (
	"net/http"
)

func handler(w http.ResponseWriter, req *http.Request) {
	target := req.FormValue("target")
	// BAD: `target` is controlled by the attacker
	resp, err := http.Get("https://" + target + ".example.com/data/")
	if err != nil {
		// error handling
	}
	// process request response
	use(resp)
}

One way to remedy the problem is to use the user input to select a known fixed string before performing the request:

package main

import (
	"net/http"
)

func handler1(w http.ResponseWriter, req *http.Request) {
	target := req.FormValue("target")
	var subdomain string
	if target == "EU" {
		subdomain = "europe"
	} else {
		subdomain = "world"
	}
	// GOOD: `subdomain` is controlled by the server
	resp, err := http.Get("https://" + subdomain + ".example.com/data/")
	if err != nil {
		// error handling
	}
	// process request response
	use(resp)
}
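The following is an added example, not part of the CodeQL documentation, that makes both halves of the example above checkable: effectiveHost shows which host the concatenated URL from the BAD example really reaches for the "internal.example.com/#" input, and safeURL generalises the GOOD example's fixed-string selection into an allowlist lookup that rejects unknown keys rather than falling back to a default. The regions map and the handler name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// naiveURL concatenates the user value into the URL, as the BAD example does.
func naiveURL(target string) string {
	return "https://" + target + ".example.com/data/"
}

// effectiveHost returns the host an HTTP client would actually connect to.
func effectiveHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// regions is the server-side allowlist (constructed here); input is only a key.
var regions = map[string]string{"EU": "europe", "US": "america"}

// safeURL maps a region code to a fixed subdomain like the GOOD example,
// but rejects unknown codes instead of silently falling back to a default.
func safeURL(region string) (string, error) {
	subdomain, ok := regions[region]
	if !ok {
		return "", fmt.Errorf("unknown region %q", region)
	}
	return "https://" + subdomain + ".example.com/data/", nil
}

// handler (assumed name) refuses the request when the allowlist lookup fails.
func handler(w http.ResponseWriter, req *http.Request) {
	target, err := safeURL(req.FormValue("target"))
	if err != nil {
		http.Error(w, "invalid target", http.StatusBadRequest)
		return
	}
	resp, err := http.Get(target)
	if err != nil {
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	fmt.Fprintln(w, "upstream status:", resp.Status)
}
```

With the attacker-chosen input, effectiveHost reports internal.example.com because everything after "#" is parsed as a fragment; safeURL returns an error for the same input and a fixed URL only for a known key.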

References

