The Microsoft AntiSSRF library is a security-developed, exhaustively tested library that provides robust URL validation to mitigate the risk of Server-Side Request Forgery (SSRF) vulnerabilities. It is an easy-to-use drop-in library with minimal adoption effort for developers, available for both .NET and Node.js applications.
Server-Side Request Forgery (SSRF) is a critical web security vulnerability in which an attacker induces the server-side application to make network requests to an attacker-chosen endpoint. Because the request is issued by the server, it carries the server's network position and any ambient credentials: the attacker can make the target web server connect to internal, sensitive networks, or exfiltrate sensitive data to an untrusted endpoint on the Internet.
The consequences of SSRF include (but are not limited to):
- Exposure of internal services
- Leakage of sensitive data
- Service disruption
- Remote code execution
All incoming HTTP requests are untrusted. Any data originating from outside your service's immediate trust boundary must be treated as potentially malicious. This includes:
- User-provided URLs, filenames, or identifiers
- Data from external APIs, webhooks, or partner services
- Configuration values, metadata, or file contents that users can influence
- Requests from your own service's backend applications or other components within the same environment (query parameters, headers, form fields, etc.)
Even data that does not initially appear to be a URL should be treated as one, for example a workspace name or resource identifier that is concatenated into a URL. All untrusted input used in URL construction MUST be validated.
A common scenario in many online services is handling customer requests that contain customer-supplied strings which either are URLs or are used to construct one. These strings are often not validated properly, leading to vulnerabilities such as SSRF, which can result in token theft (for example, when the forged request reaches an instance metadata or identity endpoint that hands out credentials to callers on the local network).
AntiSSRF helps mitigate these risks by:
- Validating URLs and network connections and rejecting unsafe input
- Providing an agent that ensures HTTP requests cannot reach internal or sensitive IP addresses
For .NET:
- NuGet Package: Microsoft.Security.AntiSSRF
- Documentation: AntiSSRF .NET API Documentation
- Quick Start: Getting Started Guide
- Library README: .NET README
For Node.js:
- npm Package: @microsoft/antissrf
- Documentation: AntiSSRF Node.js API Documentation
- Quick Start: Getting Started Guide
- Library README: Node.js README
We welcome contributions! Please see our contribution resources:
- Contributing Guide: CONTRIBUTING.md
- Report Issues: GitHub Issues
- License: LICENSE
- Security Policy: SECURITY.md
- Code of Conduct: CODE_OF_CONDUCT.md
- Support: SUPPORT.md
Further reading:
- AntiSSRF Documentation: Microsoft AntiSSRF Documentation
- OWASP SSRF Guide: Server-Side Request Forgery Prevention Cheat Sheet
- PortSwigger Web Security Academy: Server-side request forgery (SSRF)
- CWE-918: Server-Side Request Forgery (SSRF)
- Dusseldorf: Dynamic SSRF Testing Tool, Microsoft's open-source tool for dynamic SSRF testing and validation