Server-Side Request Forgery (SSRF) flaws occur when a web application fetches a remote resource without validating the user-supplied URL. This allows attackers to force the application to send crafted requests to unexpected destinations, even when the application is protected by a firewall, VPN, or network ACL.
CodeAnt AI detects SSRF vulnerabilities across 12 languages: Python, Java, JavaScript, Go, C#, Ruby, PHP, Kotlin, Rust, Scala, C++, and Terraform.

Detected Vulnerabilities

Severity: Critical

Description

The application accepts user-supplied URLs and makes server-side HTTP requests to those URLs without sufficient validation, allowing attackers to target internal services.

Impact

Attackers gain access to internal services, cloud metadata endpoints (169.254.169.254), internal APIs, and other network resources not intended to be publicly accessible. This can lead to credential theft, data exfiltration, and remote code execution.

Remediation

Validate and sanitize all user-supplied URLs. Use allowlists for permitted domains and IP ranges. Block requests to private IP ranges and metadata endpoints. Use network segmentation to limit server-side request capabilities.

Severity: High

Description

The application can be tricked into making requests on behalf of an attacker, acting as a confused deputy that leverages its own elevated privileges to access restricted resources.

Impact

Attackers leverage the application’s network position and credentials to access cloud metadata, internal microservices, databases, and other resources behind the network perimeter.

Remediation

Implement strict URL validation. Deny requests to internal IP ranges. Use dedicated service accounts with minimal permissions. Implement request signing for internal service communication.
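A worked example of the controls both remediation entries above call for (an allowlist of permitted hosts and schemes, refusing private and metadata address ranges, and validating every redirect hop), written in Python for this page. It is an added illustration, not CodeAnt AI's own detection logic and not code from the page. The host names, the DNS table, the fetch stand-in and all function names are assumptions constructed so the example runs offline; `system_resolve` shows the real lookup a production caller would inject in place of the constructed table.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Constructed hostname -> address table standing in for DNS so the example runs offline.
# Hosts and addresses are placeholders, not real infrastructure.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "partner.example.com": ["203.0.113.20", "10.0.0.8"],  # one public answer, one private
    "metadata.example.com": ["169.254.169.254"],          # name pointing at the metadata endpoint
}

# Allowlist of destinations this service is permitted to call (placeholder names).
ALLOWED_HOSTS = {"api.example.com", "partner.example.com", "metadata.example.com"}
ALLOWED_SCHEMES = {"https"}

# Ranges a server-side fetch must never reach: private, loopback, link-local, metadata.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network; 0.0.0.0 reaches localhost on some stacks
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local, includes the 169.254.169.254 metadata endpoint
    "100.64.0.0/10",      # carrier-grade NAT shared space
    "::/128", "::1/128",  # IPv6 unspecified and loopback
    "fc00::/7",           # IPv6 unique local
    "fe80::/10",          # IPv6 link-local
)]

def fake_resolve(host):
    """Offline stand-in for DNS: every address the constructed table maps a name to."""
    return FAKE_DNS.get(host, [])

def system_resolve(host):
    """Real resolver for production use: all A/AAAA answers for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(ip_text):
    """True if the address falls in a private, loopback, link-local or metadata range."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges still apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=fake_resolve):
    """Return (True, ip_to_connect_to) if the URL may be fetched, else (False, reason)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # Allowlist first: an unknown name, a raw IP or an odd encoding never gets resolved.
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    addresses = resolve(host)
    if not addresses:
        return False, f"host does not resolve: {host}"
    # Every answer must be acceptable; a name with one internal answer is rejected.
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    # Hand back the checked address so the caller connects to it rather than doing a
    # fresh lookup (closes the DNS rebinding window between check and connect).
    return True, addresses[0]

def fetch_with_checked_redirects(url, fetch, resolve=fake_resolve, max_redirects=3):
    """Follow redirects by hand, validating every hop. `fetch(url, ip)` must not
    auto-follow redirects and returns (status, location_header_or_None, body)."""
    for _ in range(max_redirects + 1):
        ok, info = validate_outbound_url(url, resolve=resolve)
        if not ok:
            raise ValueError(f"blocked: {info}")
        status, location, body = fetch(url, info)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location headers resolve against the hop
            continue
        return body
    raise ValueError("too many redirects")

def constructed_fetch(url, ip):
    """Constructed HTTP stand-in: one endpoint redirects toward the metadata host."""
    if url == "https://api.example.com/old":
        return 302, "https://metadata.example.com/latest/meta-data/", b""
    return 200, None, f"fetched {url} via {ip}".encode()
```

The order of checks matters: scheme and embedded credentials are rejected before the host is even looked at, and the allowlist is consulted before any DNS lookup, so raw IP literals, decimal or octal address encodings and unknown names never reach the resolver. Every address a permitted name resolves to is checked, because a single internal answer is enough for a confused-deputy request, and the checked address is returned so the HTTP client can pin it. Redirects are followed manually with the same validation on each hop; an HTTP client that follows redirects automatically would silently bypass the whole check.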