CWE-918: Server-Side Request Forgery (SSRF)

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application makes server-side HTTP requests to URLs controlled by user input. Evidence includes successful requests to internal IP addresses (http://127.0.0.1, http://169.254.169.254 for cloud metadata), responses containing data from internal services, out-of-band callbacks to attacker infrastructure, or timing differences indicating internal network scanning. The scanner submits URLs in parameters like ?url=, ?proxy=, or ?fetch= and observes server-side request behavior.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-918 typically indicate that server-side outbound requests were made to destinations influenced by user input, such as:

  • Requests to unexpected network locations
  • Differences in application behavior based on supplied URLs
  • Evidence of server-initiated requests to internal or restricted resources

Evidence is based on observed outbound request behavior at runtime, not on request payload syntax.

Mapping DAST Findings to Source Code

CWE-918 does not map to a single vulnerable parameter. The issue resides in how the application constructs and executes outbound requests.

When tracing this issue in code, review:

  • Services that perform HTTP or network requests
  • How destinations are derived or selected
  • URL parsing and canonicalization logic
  • Redirect handling behavior
  • Network-layer trust assumptions

Remediation

Core Principle: Never allow untrusted input to determine the destination or scope of server-side outbound requests; all outbound request targets must be strictly defined and enforced by the server.

→ For comprehensive remediation guidance, see Static CWE-918 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

1. Verify Outbound Request Constraints

  • Confirm outbound destinations are restricted to approved targets
  • Ensure redirects and alternate resolution paths cannot bypass restrictions

2. Test Edge Cases

  • Redirect handling
  • DNS resolution behavior
  • Error and timeout paths
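One way to enforce the core principle above and to exercise the redirect and DNS edge cases in this checklist, as an added Python example that is not part of this guidance: the allowlisted hostnames and the resolved addresses are constructed values, and the HTTP client is injected as a function so the checks can be run without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse
# Destinations the server is permitted to contact (constructed example values).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
MAX_REDIRECTS = 3

def resolve_all(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """Reject loopback, RFC 1918, link-local (169.254/16 incl. cloud metadata), etc."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def rejection_reason(url, resolver=resolve_all):
    """Return None if the URL may be fetched, else a string explaining the refusal."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return f"host not on allowlist: {host!r}"
    # An allowlisted name can still resolve into an internal range (DNS
    # rebinding, a compromised zone), so every resolved address is checked.
    for addr in resolver(host):
        if not is_public_address(addr):
            return f"{host} resolves to non-public address {addr}"
    return None

def fetch_with_checked_redirects(url, fetch, resolver=resolve_all):
    """Re-validate every hop; `fetch(url)` is injected, returns (status, headers,
    body) and must not follow redirects itself."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = rejection_reason(url, resolver)
        if reason:
            raise ValueError(reason)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = headers.get("Location", "")
    raise ValueError("too many redirects")
```

The same `rejection_reason` check belongs in front of any other outbound channel the application exposes (webhooks, image fetchers, PDF renderers), not only the parameter the scanner flagged.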

Re-run DAST Scanner

Re-run the dynamic scanner to confirm unsafe outbound request behavior is no longer observed.

Additional Resources