Skip to content

Module to prevent SSRF when sending requests in NodeJS. Blocks request to local and private IP addresses

License

Notifications You must be signed in to change notification settings

y-mehta/ssrf-req-filter

Repository files navigation

ssrf-req-filter - Prevent SSRF Attacks 🛡️

npm NPM

Server-Side Request Forgery (SSRF)

SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself. One of the enablers for this vector is the mishandling of URLs. Read More

Install

npm install ssrf-req-filter

Usage

  • Axios:
const ssrfFilter = require('ssrf-req-filter');
const url = 'https://127.0.0.1'
axios.get(url, {httpAgent: ssrfFilter(url), httpsAgent: ssrfFilter(url)})
      .then((response) => {
        console.log(`Success`);
      })
      .catch((error) => {
        console.log(`${error.toString().split('\n')[0]}`);
      })
      .then(() => {

      });
  • Node-fetch:
const ssrfFilter = require('ssrf-req-filter');
const fetch = require("node-fetch");
const url = 'https://127.0.0.1'
fetch(url, {
    agent: ssrfFilter(url)
  })
  .then((response) => {
    console.log(`Success`);
  })
  .catch(error => {
    console.log(`${error.toString().split('\n')[0]}`);
  });

Note: It's recommended to overwrite both httpAgent and httpsAgent in Axios with ssrf-req-filter. Otherwise, SSRF mitigation can be bypassed via cross protocol redirects. Refer to Doyensec's research for more information.

Credits: Implementation inspired By https://github.com/welefen/ssrf-agent