SSRF Prevention (Part 3 SSRF Series)
How to prevent SSRF
- Filter what comes back. If the feature only exists to fetch one kind of file (an image, say), verify that the response really is that type before any of it is shown to the user, rather than relaying whatever the remote server returned.
- Disable protocols you do not need and allow only http:// and https://. This removes handlers such as file://, gopher://, ftp:// and dict://, which turn a URL fetch into a local file read or an arbitrary-protocol client.
- Keep a URL whitelist of allowed hosts, or at least resolve the hostname (gethostbyname() or getaddrinfo(); the latter also covers IPv6) and refuse anything that resolves to an intranet address: loopback, the RFC 1918 ranges, link-local (including the cloud metadata address 169.254.169.254) and IPv4-mapped IPv6 forms of the same. Check the resolved address, not just the literal hostname, and connect to the address you checked, so that a second DNS lookup cannot answer differently (DNS rebinding).
- Limit the requested port to the ports commonly used for HTTP, such as 80, 443, 8080 and 8090, so the feature can only reach web services and not, for example, Redis or SSH on an internal host.
- Return one uniform error message for every failure and never relay the remote server's response or error details. If "connection refused", "timeout" and "blocked" look different to the user, the feature becomes a port scanner for the intranet.
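The checks above, combined into one validator, as an added example for this page (it is not code from the original post). `validate_url`, `detect_image_type`, `SsrfBlocked` and the constructed `DEMO_DNS` table are names chosen here for illustration; the allowed port set and the image signatures are assumptions a real deployment would adjust.

```python
"""Outbound-URL validation for an SSRF-prone fetch feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8090}  # assumption: the page's web-port list

# Magic bytes for the file types this (hypothetical) image-fetching feature may show.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Constructed DNS table so the example runs offline; not real records.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "mapped.example": ["::ffff:192.168.1.1"],
}


class SsrfBlocked(Exception):
    """Every rejection carries the same message, so the caller cannot tell
    a closed port from a blocked address or an unresolvable host."""

    def __init__(self):
        super().__init__("request not allowed")


def default_resolver(host):
    """Resolve with getaddrinfo (covers IPv6; gethostbyname is IPv4-only)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def demo_resolver(host):
    """Offline stand-in for default_resolver backed by the constructed table."""
    if host not in DEMO_DNS:
        raise OSError("name resolution failed")
    return DEMO_DNS[host]


def is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, unspecified and reserved addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_url(url, resolver=default_resolver, host_allowlist=None):
    """Return the (ip, port) the fetcher must connect to, or raise SsrfBlocked."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked()
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host or parts.username or parts.password:  # reject user@host tricks
        raise SsrfBlocked()
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        raise SsrfBlocked() from None
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise SsrfBlocked()
    if host_allowlist is not None and host not in host_allowlist:
        raise SsrfBlocked()
    try:
        ipaddress.ip_address(host)
        ips = [host]  # literal address: nothing to resolve
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            raise SsrfBlocked() from None
    if not ips or any(is_internal(ip) for ip in ips):
        raise SsrfBlocked()
    return ips[0], port


def detect_image_type(body):
    """Classify a fetched body by its magic bytes; None means 'do not show it'.
    The remote Content-Type header is attacker-controlled, so it is ignored."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


if __name__ == "__main__":
    for u in ["https://example.com/a.png", "http://intranet.corp:8080/",
              "http://[::1]/", "file:///etc/passwd", "http://example.com:6379/"]:
        try:
            print(u, "->", validate_url(u, resolver=demo_resolver))
        except SsrfBlocked as e:
            print(u, "->", e)
```

The fetcher should open its connection to the returned IP (setting the Host header to the original hostname) instead of passing the URL to an HTTP library that resolves the name again, and it should run `validate_url` on every redirect target, since a redirect from an allowed host to 127.0.0.1 is the usual way round a check that only looks at the first URL.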