The OWASP API Security Top 10 risks are mitigated during the development of web APIs. This section covers Server Side Request Forgery (SSRF), which arises when an API fetches a remote resource from a client-supplied URI without validating the destination.
Ensure APIs validate and restrict outbound requests so that a user-supplied URI cannot be turned into a server-side request to a destination the attacker chooses. For example:

- Enforce allowlists that limit outbound requests to trusted domains, and block requests to loopback, private and link-local address ranges so the API cannot be used to reach the internal network.
- Validate user-provided URLs against the allowlist rather than trying to block known-bad patterns, and check the address the host name actually resolves to, not only the name.
- Restrict server-to-server communication with network segmentation and firewall rules so the component that fetches remote resources can reach only what it needs.
- Apply least privilege to the credentials and network access of that component, so a forged request cannot interact with internal systems even if validation is bypassed.
- Log and monitor every outgoing request (requested host, resolved address, response status) so that unexpected destinations are detected and responded to promptly.
Isolate resource fetching within the network and apply strict validation at every step of the fetch. For example:

- Ensure the fetching mechanism can retrieve only authorized remote resources and has no route to internal services.
- Maintain, per feature, an allowlist of trusted remote origins (e.g., Google Drive, Gravatar), permitted URL schemes and ports, and acceptable media types.
- Disable HTTP redirects: a redirect served by an allowlisted host would otherwise be followed to any destination, including internal ones.
- Use a secure and well-maintained URL parser; a validator and an HTTP client that parse userinfo, ports or encoded characters differently are a common SSRF bypass.
- Validate and sanitize all client-supplied data before it influences any part of the outbound request.
- Never relay a raw upstream response to the client; check its status, media type and size, and process the body before anything is returned.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-07-01-01 | Isolate resource fetching mechanism | Isolate the functionality responsible for fetching remote resources into a separate network segment. This minimizes the potential impact of SSRF attacks by restricting access to internal systems. | Development | Security Engineers, IT Operations |
SSS-02-15-07-01-02 | Implement allowlists for remote origins and URL schemes | Use allowlists to restrict the remote origins (e.g., Google Drive, Gravatar) from which resources can be fetched. Also define the allowed URL schemes (e.g., HTTP, HTTPS) and ports, and reject any request that falls outside them. | Development | Security Engineers, Backend Developers |
SSS-02-15-07-01-03 | Enforce accepted media types | Define and enforce accepted media types for each functionality to ensure that only legitimate and expected content is processed. | Development | Security Engineers, Backend Developers |
SSS-02-15-07-01-04 | Disable HTTP redirections | Disable HTTP redirect following in the client used for fetching, so an attacker-controlled or compromised origin cannot redirect the request to internal services or other unintended destinations. | Development | Security Engineers, Web Developers |
SSS-02-15-07-01-05 | Use a well-tested URL parser | Use a well-tested and maintained URL parser (the platform's standard library or an established library) rather than hand-written string matching, so the validator and the HTTP client agree on scheme, host, port and path and parsing inconsistencies cannot be used to bypass the allowlist. | Development | Backend Developers, Security Engineers |
SSS-02-15-07-01-06 | Validate and sanitize client-supplied input | Validate and sanitize all client-supplied input data, including URLs, to ensure they do not contain malicious content that could exploit SSRF vulnerabilities. | Development | Security Engineers, Backend Developers |
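The operations above, applied together in one worked example added here (this is not code from the page, the ISM or OWASP): a validator and fetch gate for a hypothetical "import avatar from URL" feature. The allowlisted hosts follow the page's Google Drive and Gravatar examples; the scheme, port, media-type and size limits are assumptions. The resolver and connection factory are parameters so the checks can be exercised offline with fakes.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for a hypothetical avatar-import feature. The hosts follow the
# page's examples; ports, media types and the size limit are assumptions.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"drive.google.com", "www.gravatar.com"}
ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg"}
MAX_BODY_BYTES = 2 * 1024 * 1024


class SsrfRejected(ValueError):
    """Client-supplied URL or upstream response violates the fetch policy."""


def _is_public(ip):
    # Refuse anything that could land on the host itself, the LAN, or a
    # link-local address such as a cloud metadata service.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Every A/AAAA answer for host, via the system resolver."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def validate_fetch_url(raw_url, resolver=resolve_all):
    """Return a normalised https URL if every allowlist passes, else raise."""
    parts = urlsplit(raw_url)  # stdlib parser; do not hand-roll string matching
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL is not allowed")  # https://allowed@evil/
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise SsrfRejected("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, as expected
    else:
        raise SsrfRejected("IP literals are not allowed")
    if host not in ALLOWED_HOSTS:
        raise SsrfRejected(f"host not in allowlist: {host}")
    try:
        port = parts.port  # raises ValueError on junk like ':80x' or ':99999'
    except ValueError as exc:
        raise SsrfRejected("malformed port") from exc
    port = 443 if port is None else port
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    # Allowlisting the name is not enough: check what it resolves to, so an
    # allowlisted name that points at 127.0.0.1 or 10.0.0.0/8 is refused.
    addrs = resolver(host)
    if not addrs or not all(_is_public(a) for a in addrs):
        raise SsrfRejected("host resolves to a non-public address")
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}:{port}{parts.path or '/'}{query}"


def check_response(status, headers):
    """Gate on the upstream reply before any byte is passed to the client."""
    if 300 <= status < 400:
        raise SsrfRejected(f"redirect {status} refused")  # never follow Location
    if status != 200:
        raise SsrfRejected(f"unexpected status {status}")
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        raise SsrfRejected(f"media type not allowed: {media_type!r}")
    length = headers.get("Content-Length")
    if length is not None and (not length.strip().isdigit() or int(length) > MAX_BODY_BYTES):
        raise SsrfRejected("Content-Length malformed or too large")
    return media_type


def safe_fetch(raw_url, resolver=resolve_all, connection_factory=http.client.HTTPSConnection):
    """Validate, fetch without following redirects, return (media_type, body)."""
    parts = urlsplit(validate_fetch_url(raw_url, resolver))
    conn = connection_factory(parts.hostname, parts.port, timeout=5)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    conn.request("GET", target, headers={"Accept": ", ".join(sorted(ALLOWED_MEDIA_TYPES))})
    resp = conn.getresponse()  # http.client does not follow redirects on its own
    media_type = check_response(resp.status, resp.headers)
    body = resp.read(MAX_BODY_BYTES + 1)  # bound the read even without Content-Length
    if len(body) > MAX_BODY_BYTES:
        raise SsrfRejected("body too large")
    return media_type, body
```

Checking the resolved address closes the hole where an allowlisted name points at an internal address, but a DNS-rebinding attacker can still change the answer between the check and the connect. Closing that as well means connecting to the address that was checked and sending the host name only as SNI and Host header, which this example leaves out for brevity.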
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851); OWASP Top 10 API Security Risk | | |