CME-1304

SSRF Prevention (Outbound Request Allowlist)

Description

Application-level validation that restricts outbound requests and file access to an allowlist of permitted destinations, schemes, and paths. Blocks requests to internal metadata endpoints (169.254.169.254), localhost, private RFC1918 ranges, and file:// or gopher:// schemes. Prevents attackers from using the application as a proxy to access internal resources.
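The validator below is an added example of the control described above; it is not code from the CME catalogue or from any particular project. It assumes a constructed allowlist of two hosts (api.example.com, cdn.example.com) and takes the DNS resolver as a parameter so it can be exercised offline. It enforces the three checks the description names (scheme, host, destination address) and additionally resolves the hostname itself and returns the resolved address for the caller to connect to, so that a DNS answer that changes between validation and connection cannot redirect the request to a blocked range.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only destinations the app may fetch.
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})

# Ranges that must never be contacted even if an allowlisted name resolves to them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata endpoint
    "100.64.0.0/10",    # shared address space (RFC 6598)
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]


def default_resolver(hostname):
    """Return every A/AAAA address for hostname using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_blocked_ip(ip_text):
    """True if the address falls in a range outbound requests must never reach."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 scope id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    if ip.is_multicast or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolver=default_resolver):
    """Validate url against the allowlist and return (host, pinned_ip, port).

    Raises ValueError on any violation. The caller should open the connection
    to pinned_ip while still sending `host` as the Host header / SNI name, so
    the address checked here is the address actually contacted.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # user@host tricks such as http://api.example.com@169.254.169.254/ are rejected outright.
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if scheme == "https" else 80)
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"no address found for {host!r}")
    # Every returned record must be acceptable; one blocked record fails the whole name.
    for addr in addresses:
        if is_blocked_ip(addr):
            raise ValueError(f"{host!r} resolves to blocked address {addr}")
    return host, addresses[0], port


def is_allowed(url, resolver=default_resolver):
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver=resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    fake_dns = lambda h: ["203.0.113.10"]
    print(validate_outbound_url("https://api.example.com/v1/items", resolver=fake_dns))
    for bad in ("http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
                "gopher://api.example.com:70/_x", "http://api.example.com@10.0.0.5/"):
        print(bad, "->", "allowed" if is_allowed(bad, resolver=fake_dns) else "rejected")
```

Because the allowlist is keyed on hostnames, a request whose URL carries a bare IP (including 169.254.169.254) is rejected before any DNS lookup happens; the resolver step exists only to catch allowlisted names that point at a blocked range.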

CVSS Vector Impacts

Metric                  Transition  Rationale
Confidentiality (C)     H → L       Cannot reach internal services, cloud metadata, or local files via SSRF
Attack Complexity (AC)  L → H       Destination allowlist blocks common SSRF bypass techniques

CWE Relationships

Verification

Test the application with SSRF payloads targeting internal endpoints:

$ curl -s 'http://app/fetch?url=http://169.254.169.254/latest/meta-data/' -o /dev/null -w '%{http_code}'
# Expected: 400 or 403
Platform: any