The OWASP Top 10 Proactive Controls are used in the development of web applications.
Ensure servers are protected against SSRF attacks, which exploit vulnerable request handling to make the server perform unintended requests to internal or external services. For example:
- Enforce strict allowlists for outbound requests, blocking unauthorized access to internal networks and sensitive resources.
- Validate and sanitize user-supplied URLs to prevent manipulation of server-side requests.
- Implement network segmentation to limit the server's ability to reach restricted services.
- Enforce least-privilege access for server-to-server communications, so that requests cannot be abused for privilege escalation.
- Continuously monitor and log outgoing requests to detect and respond to suspicious activity.
Implement multiple layers of defense to prevent Server-Side Request Forgery (SSRF) attacks:
- Validate and sanitize input so that only expected, safe URLs are processed.
- Use an allowlist for outbound requests, restricting access to trusted domains and blocking unauthorized external or internal resources.
- Secure XML parsers to prevent XML External Entity (XXE) attacks by disabling external entity resolution when parsing XML.
- Account for Unicode encoding and character transformations when performing input validation, so that attackers cannot bypass filters with obfuscated payloads.
By validating input, enforcing allowlists, securing XML parsers, and handling character encoding properly, organizations can effectively mitigate SSRF risks and prevent unauthorized server-side requests.
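As an added example that is not part of the original control text, the following Python code applies the URL validation, outbound allowlist and Unicode-aware normalization measures described above to a user-supplied URL before the server fetches it. The allowed schemes, the allowlisted hostnames and the in-memory resolver table are constructed assumptions so that the code runs offline; a real service would resolve through DNS and check every returned address. Hardening of the XML parser is not covered here.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only scheme and hosts the server may call.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.net", "mirror.example.net"}

# Constructed resolver table (assumption) so the example runs offline.
# mirror.example.net models an allowlisted name whose DNS record now points
# into a private range; the address check below must still reject it.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.35"],
    "mirror.example.net": ["10.0.0.5"],
    "evil.example.org": ["93.184.216.99"],
}


def constructed_resolver(host):
    """Stand-in for DNS resolution; returns every address recorded for the name."""
    return CONSTRUCTED_DNS.get(host, [])


def normalize_host(host):
    """Canonicalize a hostname before comparing it with the allowlist.

    NFKC folds compatibility characters (fullwidth letters, ligatures) to their
    plain forms, case and a trailing dot are dropped, and the result is
    IDNA-encoded so Unicode lookalikes cannot pass as an allowlisted name.
    """
    host = unicodedata.normalize("NFKC", host).strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty host")
    return host.encode("idna").decode("ascii")


def is_public_address(ip):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local, shared-address and reserved ranges all
    return False, so a name that resolves into the internal network is refused.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolver=constructed_resolver):
    """Return (True, canonical_host) if url may be fetched, else (False, reason).

    Checks, in order: parseable; allowed scheme; no embedded credentials; host
    present; host canonicalizes and is allowlisted; every resolved address is
    public. Connect to the addresses validated here rather than re-resolving
    the name, so the check and the connection cannot diverge.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        host = normalize_host(parts.hostname)
    except (UnicodeError, ValueError):
        return False, "host fails canonicalization"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    addresses = resolver(host)
    if not addresses:
        return False, "host did not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, host


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",
        "https://ａｐｉ.example.com/v1",          # fullwidth letters, folded by NFKC
        "http://api.example.com/",               # scheme not allowed
        "https://127.0.0.1/",                    # literal loopback address
        "https://api.example.com@evil.example.org/",  # userinfo trick
        "https://mirror.example.net/",           # allowlisted name, private record
    ]:
        print(candidate, "->", validate_outbound_url(candidate))
```

The resolver is injected so the same function can be exercised in tests and, in production, wired to real DNS; the allowlist comparison happens only after normalization so that an obfuscated host name is judged in its canonical form.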
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-12-10-01-01 | Implement input validation | Validate all user inputs to prevent unauthorized or malformed data from reaching the system. Ensure that input data is sanitized and validated against expected formats to prevent SSRF attacks. | Development | Security Engineers, Software Developers |
SSS-02-12-10-01-02 | Use an allow-list for outgoing requests | If outgoing requests are necessary, ensure that the target domains and IP addresses are checked against a predefined allow-list. Only allow trusted services and hosts to be contacted. | Development | Security Engineers, DevOps Teams |
SSS-02-12-10-01-03 | Secure XML parsers to prevent XXE | If XML is used for processing data, configure the XML parser securely to prevent XML External Entity (XXE) attacks, which could be leveraged by SSRF attackers. Disable support for external entities and DTDs. | Development | Security Engineers, Backend Developers |
SSS-02-12-10-01-04 | Be cautious with Unicode and character transformations | Carefully handle Unicode and other character transformations during input validation. Attackers can exploit encoding weaknesses to bypass filtering mechanisms, so ensure proper encoding checks are implemented. | Development | Security Engineers, Software Developers |
SSS-02-12-10-01-05 | Monitor and restrict internal services access | Restrict access to internal services and resources from external systems. Ensure that only authorized requests can reach internal APIs or services, and monitor any unusual access patterns. | Post-deployment | Security Engineers, IT Operations |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1849) | OWASP Proactive Controls | OWASP Proactive Controls |