AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications. It supports .NET and Node.js applications and is distributed under the MIT license. The library works as a drop-in component, giving developers a way to check untrusted input before their applications make outbound requests.
What the library targets
Server-side request forgery is a web security vulnerability in which an attacker manipulates a server-side application into making network requests to an arbitrary endpoint. An attacker who succeeds can direct the target server to connect to internal networks or send sensitive data to an untrusted endpoint on the internet. Listed consequences include exposure of internal services, leakage of sensitive data, service disruption, and remote code execution.
A common path to these vulnerabilities involves customer-supplied strings that form or build a URL. When those strings go unvalidated, they can enable SSRF, which can result in token theft. The project treats all incoming HTTP requests as untrusted, including user-provided URLs and identifiers, data from external APIs and webhooks, configuration values that users can influence, and requests from a service’s own backend components. Data that does not appear to be a URL, such as a workspace name concatenated into one, falls under the same requirement for validation.
How it works
AntiSSRF validates URLs and network connections automatically and refuses input it deems unsafe. It supplies an agent that prevents HTTP requests from reaching internal or sensitive IP addresses.
Configuration centers on an AntiSSRFPolicy object. Its properties let developers define allowed and denied addresses, deny all unspecified IPs, permit or block plain-text HTTP, and set required and denied headers. A URIValidator component provides domain checks, including methods that confirm whether a URI sits within an Azure Key Vault domain or an Azure Storage domain.
The .NET library serves web clients that use HttpClient objects. The Node.js library handles requests that use Node.js HTTP and HTTPS agents. Documentation includes Node.js samples for Axios, follow-redirects, and node-fetch.
Microsoft AntiSSRF is available for free on GitHub.
Must read:
Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!
