SSRF makes a server send requests to internal services (the AWS metadata service at 169.254.169.254, internal APIs) instead of the external URLs it was meant to reach. Prevent it with a domain allowlist, by rejecting private and link-local IP ranges after resolving the hostname, and with IMDSv2 on AWS; DNS rebinding means the IP must be checked on the same resolution that the connection actually uses.

SSRF (Server-Side Request Forgery) occurs when an attacker makes a server issue requests to URLs of the attacker's choosing, including internal services that are not reachable from the internet (the AWS metadata service at 169.254.169.254, internal APIs, databases). Example: a webhook feature that does fetch(req.body.webhookUrl) without validation. The attacker submits http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the server returns the instance's IAM credentials to them. Why it is dangerous: the server usually has far broader network access than an external client, and cloud metadata services are reachable from the container but never from the internet, so the server becomes a proxy into that trust zone.

Prevention:
Allowlist: if the set of legitimate destinations is known, permit only those hostnames and reject everything else; this is stronger than any blocklist.
Block private IP ranges: when arbitrary destinations are a requirement, parse the URL with a real URL parser (it also normalizes tricks such as decimal 2130706433 or hex 0x7f000001 back to 127.0.0.1), allow only http: and https:, resolve the hostname, and reject every resolved address that falls in 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x to 172.31.x.x), 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16 (link-local, where the metadata service lives), 0.0.0.0/8 and 100.64.0.0/10, plus the IPv6 equivalents (::1, fc00::/7, fe80::/10) and IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. Check every address the name resolves to, not only the first one, and re-validate each hop if redirects are followed, because a 302 to an internal host bypasses a check done only on the original URL. In Node.js this means resolving the hostname yourself and checking the IP range before connecting.
SSRF prevention library: the ssrf-req-filter npm package wraps the outbound request so that connections to private addresses are refused; it saves writing the range logic but the scheme, redirect and allowlist decisions are still yours.
Network-level controls: containers and serverless functions should have no route to the metadata service at all, and on AWS enable IMDSv2, which requires a session token obtained with a PUT request (a plain GET-based SSRF cannot obtain it) and whose default hop limit of 1 keeps the token response from crossing a container NAT boundary.
DNS rebinding: an attacker who controls the DNS for their hostname answers with a public IP when the application validates and with a private IP a moment later when the application fetches. The fix is not to validate and then resolve again: resolve once, validate the resulting address, and connect to exactly that address (in Node.js, by supplying a custom lookup to the request, or by connecting to the IP and setting the Host header and SNI to the original hostname). Pitfall: any design that checks the URL in one place and fetches it in another, with a fresh DNS resolution in between, reopens the rebinding window.