SSRF Protection
Server-Side Request Forgery (SSRF) is a critical vulnerability class where an application is tricked into making requests to internal or unintended network locations.
The URL Media Inspector implements a strict, multi-layer defense against SSRF.
How it Works
- DNS Resolution: Before initiating an HTTP connection, the target hostname is resolved to an IP address.
- IP Verification: The resolved IP address is verified against a strict denylist of internal networks.
- Connection Pinning: The HTTP request is established directly to the verified IP address using the original hostname in the
Hostheader, preventing DNS rebinding attacks.
Blocked Ranges
The system strictly blocks connections to the following subnets:
127.0.0.0/8(Localhost)10.0.0.0/8(Private Network)172.16.0.0/12(Private Network)192.168.0.0/16(Private Network)169.254.0.0/16(AWS/GCP Metadata Service)0.0.0.0/8(Current Network)
Handling Redirects
When follow_redirects is enabled, the SSRF verification process repeats for every hop in the redirect chain. If a remote server redirects to an internal IP, the request is immediately aborted with an SSRF_BLOCKED error code.