Unsanitized user input in HTTP request (SSRF)

Overview

  • Rule ID: javascript_express_server_side_request_forgery

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-918

Description

Incorporating unsanitized user input directly into URLs used for data retrieval exposes your application to server-side request forgery (SSRF). The vulnerability arises when a URL is built from user-provided data without validation or sanitization: whoever controls that input decides where the server sends its request, which can include hosts the server can reach but the client cannot.

Remediation Guidelines

  • Do not directly use user input to construct URLs for backend requests, as this can lead to SSRF vulnerabilities.

    axios.get(`https://${req.params.host}`); // unsafe
    
  • Do validate or sanitize user input before using it in URLs. Prefer using a predefined list of allowed hosts and map user input to this list to ensure only safe and expected URLs are constructed.

    var host = "default-api.com";
    if (req.params.host === "something-else") {
      host = "other-api.com";
    }
    
    axios.get(`https://${host}`);
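A fuller version of the allow-list mapping above, added here as an example rather than Bearer's own code. It goes a step beyond the snippet by also rejecting a user-supplied path that would resolve to a different origin; the host names, `resolveTargetUrl`, `proxyHandler` and the injectable `fetchFn` are assumptions for illustration.

```javascript
// Added example (not from the rule page): map a user-supplied key to a host
// from a fixed allowlist instead of interpolating the input into the URL.
// Host names below are illustrative placeholders.
const ALLOWED_HOSTS = Object.freeze({
  default: "default-api.com",
  other: "other-api.com",
});

// Returns the full URL to request, or null when the key is not on the
// allowlist or the path would send the request to another origin.
function resolveTargetUrl(hostKey, path = "/") {
  // hasOwnProperty guards against keys such as "__proto__" or "constructor"
  // matching inherited properties instead of allowlist entries.
  if (typeof hostKey !== "string" ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_HOSTS, hostKey)) {
    return null;
  }
  const base = `https://${ALLOWED_HOSTS[hostKey]}`;
  let url;
  try {
    url = new URL(path, base);
  } catch {
    return null; // unparsable input is treated as not allowed
  }
  // "//evil.example/x" or "http://evil.example/x" resolve against the base
  // to a different origin; the allowlist must win, so reject those.
  if (url.origin !== base) {
    return null;
  }
  return url.toString();
}

// Express-style handler: the client picks a key, never a hostname.
// fetchFn is injected (e.g. axios.get) so the handler can be exercised offline.
async function proxyHandler(req, res, fetchFn) {
  const target = resolveTargetUrl(req.params.host, req.query.path);
  if (target === null) {
    res.status(400).json({ error: "unknown upstream" });
    return;
  }
  const upstream = await fetchFn(target);
  res.status(200).json(upstream.data);
}
```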
