CWE-918 SSRF
Coverage: 14 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 13Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged code where the server makes outbound requests to a destination influenced by untrusted input (URL parameters, request body, headers, webhook data).
Why it matters
SSRF can expose internal services or cloud metadata.
- Cloud credential theft: SSRF can hit metadata endpoints and steal IAM tokens.
- Internal network access: attackers can reach internal services not exposed publicly.
- Pivoting: SSRF can chain into RCE/data theft via internal admin panels.
Safer examples
1) Allowlist destinations (recommended)
const allowedHosts = new Set(["api.stripe.com", "webhook.partner.com"]);
const u = new URL(req.body.url);
if (!allowedHosts.has(u.host)) throw new Error("Destination not allowed");
2) Block private/metadata ranges and handle redirects safely
Block localhost, RFC1918, link-local, and cloud metadata; limit redirects and prevent DNS rebinding where feasible.
3) Apply tight outbound controls
- Short timeouts
- Limit schemes to
https - Restrict ports to expected values
How SiteShadow detects it (high level)
- Detects outbound HTTP client usage and tracks whether the destination is derived from untrusted input.
- Flags missing allowlists/validation, especially when redirects are enabled.
References
- CWE-918: https://cwe.mitre.org/data/definitions/918.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.