# Unsanitized user input in HTTP request (SSRF)

## Overview

* **Rule ID**: `javascript_lang_http_url_using_user_input`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-918

## Description

Building the URL of an outgoing HTTP request from user input exposes your application to Server-Side Request Forgery (SSRF). An attacker who controls where the server connects can make it send requests on their behalf, for example to internal services that are not reachable from the outside, and in many cases read the responses.

## Remediation Guidelines

* **Avoid** interpolating user input directly into the URL of an HTTP request. Whoever controls that input controls the destination of the request, which is exactly what an SSRF attacker needs.

  ```javascript
  // risky: the request target is taken verbatim from the client
  const response = axios.get(`https://${req.params.host}`);
  ```
* **Validate or map** user input against a predefined set of allowed values before incorporating it into a URL, so the caller selects a destination the application already trusts instead of naming one. This keeps the set of reachable hosts fixed and reviewable.

  ```javascript
  const axios = require("axios");

  // Map opaque option keys to hosts the application trusts; the client
  // never supplies a hostname itself.
  const hosts = new Map([
    ["option1", "api1.com"],
    ["option2", "api2.com"]
  ]);

  // Fail closed on unknown keys, otherwise the request goes to "https://undefined".
  const host = hosts.get(req.params.host);
  if (host === undefined) {
    throw new Error(`unknown host option: ${req.params.host}`);
  }
  const response = axios.get(`https://${host}`);
  ```
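The two guidelines above, worked through as an added example (this is not code from the original page or from the scanner's own rule set). It shows both situations a practitioner meets: the input is only a *key* into a fixed map of upstreams, and the input genuinely has to be a URL (a webhook) and so must be parsed and checked component by component. `UPSTREAMS`, `ALLOWED_WEBHOOK_HOSTS`, `buildUpstreamUrl` and `parseAllowedWebhook` are illustrative names, and the hosts and test inputs are constructed for the example; nothing here makes a network request.

```javascript
// Added example, not from the original page. Node.js, no dependencies.

// Pattern 1: user input selects a key; the destination itself comes from
// a map the application owns. Keys and hosts here are constructed examples.
const UPSTREAMS = new Map([
  ["option1", "https://api1.com"],
  ["option2", "https://api2.com"],
]);

// Resolve an option key (plus an optional caller-supplied path) to a full URL.
// Throws on unknown keys or on any path that would change the origin.
function buildUpstreamUrl(optionKey, path = "/") {
  const base = UPSTREAMS.get(optionKey);
  if (base === undefined) {
    // Fail closed: a missing key must not produce "https://undefined".
    throw new Error(`unknown upstream: ${optionKey}`);
  }
  // Resolve the path with the URL API rather than string concatenation, then
  // confirm the origin is unchanged: "//evil.example/" or "http://evil.example/"
  // would otherwise resolve to a different host.
  const url = new URL(path, base);
  if (url.origin !== new URL(base).origin) {
    throw new Error("path escaped the allowlisted origin");
  }
  return url.href;
}

// Pattern 2: the feature needs a full URL from the user (for example a webhook),
// so every component that decides where the request goes is checked explicitly.
// The allowlisted host is a constructed example.
const ALLOWED_WEBHOOK_HOSTS = new Set(["hooks.example.com"]);

// Returns the normalised URL string if it is acceptable, otherwise null.
function parseAllowedWebhook(input) {
  let url;
  try {
    url = new URL(input); // must be an absolute, well-formed URL
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;                // no http:, file:, gopher:, ...
  if (url.username !== "" || url.password !== "") return null; // reject "https://trusted@evil/" lookalikes
  if (!ALLOWED_WEBHOOK_HOSTS.has(url.hostname)) return null;  // exact hostname match, never a substring test
  if (url.port !== "" && url.port !== "443") return null;     // stay on the expected port
  return url.href;
}

// Demonstration on constructed inputs.
for (const [key, path] of [["option1", "/users?id=7"], ["option1", "//evil.example/"], ["api1.com", "/"]]) {
  try {
    console.log("ok  ", buildUpstreamUrl(key, path));
  } catch (err) {
    console.log("deny", key, path, "->", err.message);
  }
}
for (const candidate of ["https://hooks.example.com/a", "https://hooks.example.com@evil.example/", "http://hooks.example.com/a"]) {
  console.log(candidate, "->", parseAllowedWebhook(candidate));
}
```

Two caveats that the allowlist alone does not cover: the allowlisted host must not itself redirect to arbitrary targets, since axios follows redirects by default (set `maxRedirects: 0` when the upstream is expected to answer directly), and if the allowlisted name is resolved by DNS that you do not control, the IP it maps to can change between validation and request. For free-form URLs, also compare the hostname exactly as shown above; `includes("hooks.example.com")` would accept `hooks.example.com.evil.example`.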

## References

* [**CWE-918: Server-Side Request Forgery (SSRF)**](https://cwe.mitre.org/data/definitions/918.html)
* [**OWASP Top 10: A10:2021 - Server-side Request Forgery (SSRF)**](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_\(SSRF\)/)

## Configuration

To disable this rule for a scan, or to run continuous code-level scanning of your repositories, use our [**SAST TOOL**](https://scopy.sec1.io/login).
