CWE-918 SSRF
What this means
SiteShadow flagged code where the server makes outbound requests to a destination influenced by untrusted input (URL parameters, request body, headers, webhook data).
Why it matters
SSRF can expose internal services or cloud metadata.
- Cloud credential theft: SSRF can reach the instance metadata service (for example 169.254.169.254 on AWS) and retrieve the temporary credentials of the instance role. IMDSv2's mandatory token header stops plain GET-based SSRF but not SSRF that lets the attacker choose the method and headers.
- Internal network access: attackers can reach internal services not exposed publicly.
- Pivoting: SSRF can chain into RCE/data theft via internal admin panels.
Safer examples
1) Allowlist destinations (recommended)
const allowedHosts = new Set(["api.stripe.com", "webhook.partner.com"]);
const u = new URL(req.body.url); // throws on malformed input; surface that as a 400
if (u.protocol !== "https:") throw new Error("Scheme not allowed");
// u.host includes a non-default port, so the allowlist also pins the port to 443
if (!allowedHosts.has(u.host)) throw new Error("Destination not allowed");
2) Block private/metadata ranges and handle redirects safely
Block loopback, RFC1918, link-local (which includes the cloud metadata address), CGNAT and IPv6 equivalents, both for IP literals in the URL and for every address the hostname resolves to. Disable automatic redirects and re-run the full validation on each Location hop. Where feasible, connect to the address you validated rather than resolving a second time, so a name that rebinds between check and connect cannot be used.
3) Apply tight outbound controls
- Short timeouts
- Limit schemes to https
- Restrict ports to expected values
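The three controls above combined into one outbound-request guard for Node 18+. This is an added example, not SiteShadow's code or detection logic. The allowlist, port set, redirect and timeout limits, and the `pinnedAddress` field are assumptions: the global fetch does not act on that field, so a real deployment must feed it to the connection agent's lookup (or an equivalent) to actually connect to the validated address.

```javascript
// Added example (not SiteShadow's code): allowlist -> address blocking ->
// resolve-then-check -> manual redirects -> timeout. Hypothetical policy values.
const ALLOWED_HOSTS = new Set(["api.stripe.com", "webhook.partner.com"]);
const ALLOWED_PORTS = new Set([443]);
const MAX_REDIRECTS = 3;
const TIMEOUT_MS = 5000;

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function parseIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

const isIpLiteral = (s) => parseIPv4(s) !== null || s.includes(":");

// True for any address a server-side fetch must never reach: "this network",
// RFC1918, CGNAT (100.64/10, used by some cloud metadata services), loopback,
// link-local (includes 169.254.169.254), multicast/reserved; IPv6 loopback,
// unspecified, ULA, link-local and IPv4-mapped forms. Fails closed: any IPv6
// outside global unicast 2000::/3 is treated as blocked.
function isBlockedAddress(ip) {
  const n = parseIPv4(ip);
  if (n !== null) {
    const inCidr = (base, bits) =>
      (n >>> (32 - bits)) === (parseIPv4(base) >>> (32 - bits));
    return (
      inCidr("0.0.0.0", 8) || inCidr("10.0.0.0", 8) || inCidr("100.64.0.0", 10) ||
      inCidr("127.0.0.0", 8) || inCidr("169.254.0.0", 16) || inCidr("172.16.0.0", 12) ||
      inCidr("192.168.0.0", 16) || inCidr("224.0.0.0", 3) // 224.0.0.0-255.255.255.255
    );
  }
  const v6 = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6); // e.g. ::ffff:127.0.0.1
  if (mapped) return isBlockedAddress(mapped[1]);
  return !/^[23][0-9a-f]{0,3}:/.test(v6);
}

// Parses and validates one destination; throws on anything outside policy.
// WHATWG URL normalisation turns "https://2130706433/" into hostname 127.0.0.1,
// so decimal/hex/octal IP encodings are caught here, not at connect time.
function validateUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { throw new Error("Malformed URL"); }
  if (u.protocol !== "https:") throw new Error(`Scheme not allowed: ${u.protocol}`);
  if (u.username || u.password) throw new Error("Credentials in URL not allowed");
  const host = u.hostname.replace(/^\[|\]$/g, ""); // IPv6 literals arrive bracketed
  if (isIpLiteral(host) && isBlockedAddress(host)) throw new Error(`Blocked address: ${host}`);
  if (!ALLOWED_HOSTS.has(host)) throw new Error(`Destination not allowed: ${host}`);
  const port = u.port ? Number(u.port) : 443; // empty port means the scheme default
  if (!ALLOWED_PORTS.has(port)) throw new Error(`Port not allowed: ${port}`);
  return u;
}

// Resolves an allowlisted name and rejects if ANY returned record is internal
// (a rebinding or split-horizon name must not slip through on one record).
async function resolveChecked(hostname, lookup) {
  const records = await lookup(hostname, { all: true });
  if (!records.length) throw new Error(`No address for ${hostname}`);
  for (const { address } of records) {
    if (isBlockedAddress(address)) throw new Error(`${hostname} resolves to blocked ${address}`);
  }
  return records[0].address; // the transport should connect to this, not resolve again
}

const defaultLookup = (host, opts) => require("node:dns").promises.lookup(host, opts);

// Follows redirects by hand so every hop passes the same checks. fetchImpl and
// lookup are injectable so the guard can run offline; Node's fetch returns the
// 3xx response itself under redirect: "manual", which lets us read Location.
async function safeFetch(rawUrl, { fetchImpl = globalThis.fetch, lookup = defaultLookup, init = {} } = {}) {
  let target = rawUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const u = validateUrl(target);
    const pinnedAddress = await resolveChecked(u.hostname, lookup);
    const res = await fetchImpl(u.href, {
      ...init,
      redirect: "manual",
      signal: AbortSignal.timeout(TIMEOUT_MS),
      pinnedAddress, // assumption: honoured by a custom agent lookup, ignored by plain fetch
    });
    if (![301, 302, 303, 307, 308].includes(res.status)) return res;
    const location = res.headers.get("location");
    if (!location) throw new Error("Redirect without Location header");
    target = new URL(location, u).href; // relative redirects resolve against the current hop
  }
  throw new Error(`Too many redirects (>${MAX_REDIRECTS})`);
}

module.exports = { isBlockedAddress, validateUrl, resolveChecked, safeFetch };
```

Ordering matters: the allowlist runs before any DNS query, so untrusted input never drives resolution of arbitrary names, and the address check runs on the resolved records rather than only on the URL string, which is what closes the gap between "validated hostname" and "connected socket".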
How SiteShadow detects it (high level)
- Detects outbound HTTP client usage and tracks whether the destination is derived from untrusted input.
- Flags missing allowlists/validation, especially when redirects are enabled.
References
- CWE-918: https://cwe.mitre.org/data/definitions/918.html