SSRF Protection
Protection Module: ServerSideRequestForgery
Prevents Server-Side Request Forgery (SSRF) attacks by validating and filtering outbound HTTP requests.
Available for:
- ASP.NET Core
- ASP.NET Framework
- Azure Functions
How It Works
SSRF Protection monitors outbound HTTP requests to prevent access to internal resources or unauthorized external services.
Detection Methods:
- Private IP Range Detection - Blocks requests to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Localhost Detection - Identifies 127.0.0.1, localhost, [::1]
- Cloud Metadata API Detection - Blocks AWS/Azure/GCP metadata endpoints
- URL Redirect Analysis - Validates redirect chains
- DNS Rebinding Prevention - Detects DNS time-of-check attacks
- Protocol Validation - Restricts to HTTP/HTTPS only
Protected Resources:
- AWS Metadata API (169.254.169.254)
- Azure Instance Metadata (169.254.169.254)
- GCP Metadata Server (metadata.google.internal)
- Kubernetes API (10.96.0.1)
- Internal network ranges
- Localhost services
Configuration
JSON
{
  "protections": {
    "ServerSideRequestForgery": {
      "enabled": true,
      "action": "block"
    }
  }
}
ASP.NET Core
C#
builder.Services.AddBytehideMonitor(monitor => monitor
    .WithProtection(ProtectionModuleType.ServerSideRequestForgery, ActionType.Block)
);
Advanced Configuration
JSON
{
  "protections": {
    "ServerSideRequestForgery": {
      "enabled": true,
      "action": "block",
      "config": {
        "allowPrivateIPs": false,
        "allowLocalhost": false,
        "allowCloudMetadata": false,
        "allowedDomains": ["api.example.com"],
        "blockedDomains": ["internal.company.com"],
        "maxRedirects": 3
      }
    }
  }
}
Attack Examples
AWS Metadata Access
HTTP
GET /fetch?url=http://169.254.169.254/latest/meta-data/
Status: BLOCKED
Private IP Access
HTTP
GET /proxy?url=http://192.168.1.1/admin
Status: BLOCKED
Localhost Access
HTTP
GET /fetch?url=http://localhost:8080/internal-api
Status: BLOCKED
DNS Rebinding
HTTP
GET /proxy?url=http://attacker.com (resolves to 127.0.0.1)
Status: BLOCKED
Configuration Parameters
| Parameter | Description | Default |
|---|---|---|
| allowPrivateIPs | Allow requests to private IP ranges | false |
| allowLocalhost | Allow requests to localhost | false |
| allowCloudMetadata | Allow cloud metadata API access | false |
| allowedDomains | Whitelist of allowed domains | [] |
| blockedDomains | Blacklist of blocked domains | [] |
| maxRedirects | Maximum allowed redirects | 3 |
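The detection methods listed under How It Works and the configuration keys in the table above, as an added C# example that is not ByteHide's code: a policy object that applies the protocol, domain, localhost, cloud-metadata and private-range rules to a URL and to every address its host resolves to, and a SocketsHttpHandler whose ConnectCallback resolves, validates and then connects to one of the validated addresses, which is what closes the DNS rebinding time-of-check window. The class names SsrfPolicy and SsrfSafeHttp, the resolved addresses fed to the policy (including the TEST-NET-3 address 203.0.113.10) and the following semantics are assumptions for the example: domain matches are exact, a non-empty allowedDomains list is exclusive, and the address checks still apply to hosts on the allow list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
// Hypothetical policy mirroring the "config" keys on this page (illustrative, not the ByteHide implementation).
public sealed class SsrfPolicy
{
    public bool AllowPrivateIPs { get; init; }
    public bool AllowLocalhost { get; init; }
    public bool AllowCloudMetadata { get; init; }
    public HashSet<string> AllowedDomains { get; } = new(StringComparer.OrdinalIgnoreCase);
    public HashSet<string> BlockedDomains { get; } = new(StringComparer.OrdinalIgnoreCase);
    public int MaxRedirects { get; init; } = 3;

    static readonly string[] PrivateRanges = { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7" };
    static readonly string[] MetadataRanges = { "169.254.0.0/16", "fe80::/10" }; // AWS/Azure IMDS live in 169.254.0.0/16
    // Returns null when the request may proceed, otherwise the reason it is blocked.
    // 'resolved' holds every address the host resolves to; all of them must pass, not just the first.
    public string? Evaluate(Uri url, IEnumerable<IPAddress> resolved)
    {
        if (url.Scheme != Uri.UriSchemeHttp && url.Scheme != Uri.UriSchemeHttps) return $"protocol '{url.Scheme}' is not allowed";
        string host = url.DnsSafeHost;
        if (BlockedDomains.Contains(host))
            return $"host '{host}' is on blockedDomains";
        if (AllowedDomains.Count > 0 && !AllowedDomains.Contains(host)) // non-empty allow list is exclusive (assumption)
            return $"host '{host}' is not on allowedDomains";
        if (!AllowLocalhost && host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
            return "localhost is not allowed";
        if (!AllowCloudMetadata && host.Equals("metadata.google.internal", StringComparison.OrdinalIgnoreCase))
            return "cloud metadata host is not allowed";
        foreach (var ip in resolved)
        {
            var addr = ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip; // ::ffff:127.0.0.1 must count as loopback
            if (!AllowLocalhost && IPAddress.IsLoopback(addr))
                return $"'{host}' resolves to loopback address {addr}";
            if (!AllowCloudMetadata && MetadataRanges.Any(r => InRange(addr, r)))
                return $"'{host}' resolves to link-local/metadata address {addr}";
            if (!AllowPrivateIPs && PrivateRanges.Any(r => InRange(addr, r)))
                return $"'{host}' resolves to private address {addr}";
        }
        return null;
    }
    // Bitwise CIDR membership test for IPv4 or IPv6; an address-family mismatch never matches.
    static bool InRange(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes(), addr = ip.GetAddressBytes();
        int bits = int.Parse(parts[1]);
        if (addr.Length != net.Length) return false;
        for (int i = 0; i < bits; i++)
        {
            int mask = 0x80 >> (i % 8);
            if ((addr[i / 8] & mask) != (net[i / 8] & mask)) return false;
        }
        return true;
    }
}

public static class SsrfSafeHttp
{
    // DNS rebinding defence: resolve inside ConnectCallback, validate every returned address and connect to one
    // of those same addresses, so no second lookup happens between check and use. A redirect to a new host
    // opens a new connection and therefore re-enters the callback.
    public static HttpClient CreateClient(SsrfPolicy policy) => new(new SocketsHttpHandler
    {
        AllowAutoRedirect = true,
        MaxAutomaticRedirections = policy.MaxRedirects,
        ConnectCallback = async (ctx, ct) =>
        {
            IPAddress[] addrs = await Dns.GetHostAddressesAsync(ctx.DnsEndPoint.Host, ct);
            string? reason = policy.Evaluate(ctx.InitialRequestMessage.RequestUri!, addrs);
            if (reason != null) throw new HttpRequestException("SSRF blocked: " + reason);
            var socket = new Socket(SocketType.Stream, ProtocolType.Tcp);
            try
            {
                await socket.ConnectAsync(addrs[0], ctx.DnsEndPoint.Port, ct);
                return new NetworkStream(socket, ownsSocket: true);
            }
            catch { socket.Dispose(); throw; }
        }
    });
    // Offline check against constructed (URL, resolved address) pairs: the page's four attack examples plus one benign request.
    public static void Main()
    {
        var policy = new SsrfPolicy { BlockedDomains = { "internal.company.com" } };
        var cases = new (string Url, string Ip)[]
        {
            ("http://169.254.169.254/latest/meta-data/", "169.254.169.254"),
            ("http://192.168.1.1/admin", "192.168.1.1"),
            ("http://localhost:8080/internal-api", "::1"),
            ("http://attacker.com", "127.0.0.1"),                 // rebinding: public name, loopback answer
            ("https://api.example.com/v1/items", "203.0.113.10"), // constructed public (TEST-NET-3) address
        };
        foreach (var (url, ip) in cases)
            Console.WriteLine($"{url,-44} {policy.Evaluate(new Uri(url), new[] { IPAddress.Parse(ip) }) ?? "ALLOWED"}");
    }
}
```

Main exercises only the policy, with the resolved addresses supplied by hand, so it runs without network access; the first four cases produce a block reason and the last prints ALLOWED. CreateClient is where the same policy meets real traffic: because the address checked in the callback is the address the socket connects to, a name that answers with a public address at lookup time and a loopback address a moment later gains nothing, and a pooled connection to an already-validated host is reused without a fresh lookup.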
Platform Compatibility
| Platform | Support |
|---|---|
| ASP.NET Core | ✔ |
| ASP.NET Framework | ✔ |
| Azure Functions | ✔ |
Related Protections
- Actions - Configure responses