SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

SS01 SSRF Risk Patterns

What this means

SiteShadow flagged SSRF *policy-level* risk patterns: the server makes outbound requests where the destination (host/IP/path/redirect chain) is influenced by untrusted input.

Why it matters

SSRF can expose internal services or cloud metadata.

Safer examples

1) Allowlist destinations (best default)

from urllib.parse import urlparse

allowed_hosts = {"api.stripe.com", "webhook.partner.com"}
u = urlparse(user_url)
if u.hostname not in allowed_hosts:
    raise ValueError("Destination not allowed")

2) Normalize + block private/metadata ranges

Block localhost, RFC1918, link-local, and cloud metadata ranges (and watch out for redirects and DNS rebinding).

3) Harden outbound request behavior

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.