Unsanitized user input in HTTP request (SSRF)

Overview

  • Rule ID: javascript_lang_http_url_using_user_input

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-918

Description

Building URLs from user input exposes your application to Server-Side Request Forgery (SSRF) attacks. This vulnerability lets an attacker trick the server into making HTTP requests to destinations of the attacker's choosing, using the server's own network position and credentials.

Remediation Guidelines

  • Avoid directly including user input in URLs for HTTP requests. This practice can expose your application to Server-Side Request Forgery (SSRF) vulnerabilities.

    const response = axios.get(`https://${req.params.host}`); // risky
    
    
  • Validate or map user input against a predefined set of allowed values before incorporating it into URLs. This method helps reduce the risk of SSRF attacks.

    const hosts = new Map([
      ["option1", "api1.com"],
      ["option2", "api2.com"]
    ]);

    const host = hosts.get(req.params.host);
    if (host === undefined) {
      // Reject unmapped input instead of requesting "https://undefined"
      throw new Error("unknown host option");
    }
    const response = axios.get(`https://${host}`);
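The following is an added example (not code from the rule page) that extends the map-based remediation above: unknown option keys are refused, and any user-supplied path is checked so that it cannot change the origin of the final URL. The names `buildAllowedUrl`, `ALLOWED_HOSTS`, `optionKey` and `userPath` are assumptions for this example.

```javascript
// Added example: allowlist-based URL construction for an outbound request.
// The user only ever picks a key; the host comes from the allowlist.
const ALLOWED_HOSTS = new Map([
  ["option1", "api1.com"],
  ["option2", "api2.com"],
]);

// Resolve a user-supplied option key (plus an optional user-supplied path)
// to a URL on an allowlisted host, or throw if the input cannot be honoured.
function buildAllowedUrl(optionKey, userPath = "/") {
  const host = ALLOWED_HOSTS.get(String(optionKey));
  if (host === undefined) {
    // Unmapped key: refuse rather than building "https://undefined".
    throw new Error(`unknown host option: ${optionKey}`);
  }
  const base = `https://${host}/`;
  const url = new URL(String(userPath), base);
  // The WHATWG URL parser treats inputs such as "//other.example/x" or
  // "http://other.example/x" as absolute, so the origin can silently change.
  // Compare origins rather than trusting the string concatenation.
  if (url.origin !== new URL(base).origin) {
    throw new Error(`path escapes allowed origin: ${userPath}`);
  }
  // Credentials in the URL are never something the caller should control.
  url.username = "";
  url.password = "";
  return url.toString();
}

// Stand-alone demonstration with a constructed request parameter.
const exampleUrl = buildAllowedUrl("option1", "/v1/users?id=42");
console.log(exampleUrl); // https://api1.com/v1/users?id=42
```

Pass the returned string to `axios.get` (or `fetch`) instead of interpolating request parameters into the URL directly.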

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL