
Update: Server_Side_Request_Forgery_Prevention_Cheat_Sheet

Open · JLLeitschuh opened this issue · 4 comments

What is missing or needs to be updated?

Sometimes you need to be able to support arbitrary web requests in a context, but doing so is fraught with risks. It would be good to capture a standard/base set of IP addresses that need to be blocked in a deny-list approach when dealing with SSRF.

One case I had to work with was a project called ComputerCraft. They offer a scripting engine in Lua that lets you make arbitrary network requests within the context of the Minecraft Server running the Mod.

In order to adequately protect against this vulnerability, they needed to add quite a few IP address ranges to their deny-list:

https://github.com/cc-tweaked/CC-Tweaked/blob/b9ed66983d714bcb5c6bf15b428e01a035106dbf/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L112-L157

Capturing this list somewhere in the CheatSheet series may be helpful for those use-cases where an allow-list isn't possible and a deny-list is required.

How should this be resolved?

Add a section that states explicitly that a deny-list is not advised and is prone to bypasses, but that, if one is required, these are the set of IP ranges we advise forbidding.

JLLeitschuh, Sep 06 '25 00:09

I think so long as you explain - briefly - the risk of deny-list validation, I am ok with a surgical mention. We want to keep people away from this unless it's necessary, like you described.

Does that work for you?

jmanico, Sep 13 '25 10:09

That seems reasonable to me

JLLeitschuh, Sep 16 '25 19:09

Hi Maintainers! I’d like to take this.

Plan:

  • Reiterate that allow-lists are preferred for SSRF egress; deny-lists are brittle and bypass-prone.
  • Add a short “If you must use a deny-list” subsection to the SSRF Prevention Cheat Sheet that:
    • Enumerates key IPv4/IPv6 special-purpose / non-routable ranges to block (with links to the authoritative IANA registries rather than hard-coding every edge case).
    • Lists major cloud instance-metadata endpoints to block (AWS / GCP / Azure; note hostname/IP where applicable).
    • Calls out DNS rebinding / parser quirks / dual-stack fallbacks, and recommends egress via a proxy plus logging/alerting on deny-list hits.
  • Update References to include IANA IPv4/IPv6 special-purpose registries and vendor IMDS docs.
  • I’ll also sanity-check against the ComputerCraft/CC-Tweaked deny-list example cited in the issue for coverage.

Deliverables: Markdown edits + updated References; local build/lint/link checks pass.

ETA: I can open a PR within 3–5 days. If this scope looks good, I’ll proceed.

pankajtaneja5, Sep 19 '25 03:09
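For readers following the plan above, here is an added example (not the cheat sheet's content and not CC-Tweaked's code) of what the "if you must use a deny-list" guidance looks like when implemented: the IANA special-purpose IPv4/IPv6 ranges as a deny-list, IPv4 addresses unwrapped from IPv4-mapped, NAT64 and 6to4 IPv6 forms, strict address parsing so shorthand literals are refused rather than guessed, every A and AAAA answer checked so a dual-stack name cannot hide an internal address behind a public one, logging on every hit, and the vetted addresses returned so the caller connects to them rather than resolving the name a second time (the DNS-rebinding window). The hostnames and DNS answers in `CONSTRUCTED_DNS` are made up so the example runs offline; `system_resolver` is what you would use in production.

```python
"""SSRF egress vetting with a deny-list, fail-closed (added example)."""
import ipaddress
import logging
import socket
from typing import Callable, Iterable, List, Optional

log = logging.getLogger("ssrf")

# IANA IPv4 Special-Purpose Address Registry (RFC 6890 and successors).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local: 169.254.169.254 (AWS/GCP/Azure IMDS), 169.254.170.2 (ECS)
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",   # multicast; reserved, incl. 255.255.255.255
)]
# IANA IPv6 Special-Purpose Address Registry.
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "64:ff9b:1::/48",
    "100::/64", "2001::/32", "2001:db8::/32", "2002::/16",
    "fc00::/7",         # unique local, incl. fd00:ec2::254 (AWS IMDS over IPv6)
    "fe80::/10", "ff00::/8",
)]
NAT64 = ipaddress.ip_network("64:ff9b::/96")


def _embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried inside an IPv6 one (mapped, NAT64, 6to4), if any."""
    if addr.ipv4_mapped is not None:            # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr in NAT64:                           # 64:ff9b::a.b.c.d, IPv4 in the low 32 bits
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return addr.sixtofour                       # 2002:aabb:ccdd::/48, or None


def deny_reason(text: str) -> Optional[str]:
    """Why this address text must not be contacted, or None if it may be.

    Parsing is strict: forms such as "2130706433" or "0x7f.0.0.1" that some
    resolvers accept are reported as unparseable instead of being guessed at.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"
    if addr.version == 6:
        inner = _embedded_ipv4(addr)
        if inner is not None:
            inner_reason = deny_reason(str(inner))
            if inner_reason:
                return "ipv6-embedded " + inner_reason
    for net in (BLOCKED_V6 if addr.version == 6 else BLOCKED_V4):
        if addr in net:
            return str(net)
    return None


Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """All A and AAAA answers, from the same getaddrinfo the connector would use."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})


def vet_host(host: str, resolver: Resolver = system_resolver) -> List[str]:
    """Resolve host and return the addresses the caller must connect to.

    Any denied answer fails the whole name (no dual-stack fallback to an
    internal record). Connect to a returned address with the Host header set
    to `host` rather than resolving again, and re-vet every redirect target.
    """
    answers = list(resolver(host.strip("[]")))
    if not answers:
        raise ValueError(f"{host}: no addresses")
    for raw in answers:
        reason = deny_reason(raw)
        if reason:
            log.warning("ssrf deny host=%s addr=%s reason=%s", host, raw, reason)
            raise ValueError(f"{host} -> {raw} denied ({reason})")
    return answers


def is_allowed(host: str, resolver: Resolver = system_resolver) -> bool:
    try:
        vet_host(host, resolver)
        return True
    except (ValueError, socket.gaierror):
        return False


# Constructed DNS answers so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "site.test": ["93.184.216.34"],
    "dual.test": ["2606:2800:220:1:248:1893:25c8:1946", "10.0.0.5"],
    "meta.test": ["169.254.169.254"],
    "nat64.test": ["64:ff9b::a9fe:a9fe"],
    "odd.test": ["2130706433"],
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name in CONSTRUCTED_DNS:
        print(name, "allowed" if is_allowed(name, constructed_resolver) else "denied")
```

The design choice worth noting: the deny-list is a last line, so the vetting result (the numeric address) has to be what the HTTP client actually connects to. If the client is handed the hostname again, a rebinding DNS server can answer with a public address during `vet_host` and with 169.254.169.254 on the real connection, and the list never fires. Likewise the ranges here are a snapshot of the IANA registries; the cheat sheet should link the registries so the list can be refreshed.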

The OP may want to take this on, but I'll take the first PR - we just want to make sure @JLLeitschuh approves of the edit, thank you both!

jmanico, Sep 19 '25 10:09