php.lang.security.php-ssrf.php-ssrf

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function $FUNCS with payload $DATA
Definition
# Semgrep rule: flags PHP calls that pass request-controlled values to
# functions which fetch a URL or open a file.
rules:
  - id: php-ssrf
    patterns:
      # Two shapes are matched: the source appears directly in the argument
      # list, or it is first stored in a local and that local is passed later.
      # The `...` between assignment and call is purely syntactic (any
      # statements may sit in between, including checks on the value), not
      # taint tracking -- one reason confidence is LOW below.
      - pattern-either:
          - pattern: |
              $VAR=$DATA;
              ...
              $FUNCS(...,$VAR, ...);
          - pattern: $FUNCS(...,$DATA, ...);
      # Sources: only these four superglobals. Request data that reaches a
      # sink by any other route (headers, the raw body stream, a framework
      # request object) is not matched by this list.
      - metavariable-pattern:
          metavariable: $DATA
          patterns:
            - pattern-either:
                - pattern: $_GET
                - pattern: $_POST
                - pattern: $_COOKIE
                - pattern: $_REQUEST
      # Sinks. The call patterns above constrain only the function name and
      # the presence of the source somewhere in the argument list, so for
      # curl_setopt any option receiving the data matches, not only
      # CURLOPT_URL. fopen/file_get_contents/readfile are included because a
      # request-controlled target may be a URL via stream wrappers as well as
      # a local path.
      - metavariable-pattern:
          metavariable: $FUNCS
          patterns:
            - pattern-either:
                - pattern: curl_setopt
                - pattern: fopen
                - pattern: file_get_contents
                - pattern: curl_init
                - pattern: readfile
    message: The web server receives a URL or similar request from an upstream
      component and retrieves the contents of this URL, but it does not
      sufficiently ensure that the request is being sent to the expected
      destination. Dangerous function $FUNCS with payload $DATA
    metadata:
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - php
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe2022-top25: true
      # audit + LOW confidence: every finding needs manual review of where the
      # value actually flows and whether the destination is constrained.
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - php
    severity: ERROR
Examples
php-ssrf.php
<?php
// Expected finding: the value read from $_GET['r'] is passed straight to
// curl_init(), which takes the request URL as its argument.
function test1(){
//ruleid: php-ssrf
$ch = curl_init($_GET['r']);
}
// Expected finding: same sink as test1, but the request value goes through a
// local first; the assignment-then-call pattern covers this, and the
// annotation sits on the assignment because the reported range begins there.
function test2(){
//ruleid: php-ssrf
$url = $_GET['r'];
$ch = curl_init($url);
}
// Expected finding on the curl_setopt() line only: curl_init() with no
// argument contains no source, while CURLOPT_URL is set from $_POST.
function test3(){
$ch = curl_init();
//ruleid: php-ssrf
curl_setopt($ch, CURLOPT_URL, $_POST['image_url']);
}
// Expected finding: the local-variable form of test3; the request value is
// stored in $url and then used as the CURLOPT_URL value.
function test4(){
$ch = curl_init();
//ruleid: php-ssrf
$url = $_GET['r'];
curl_setopt($ch, CURLOPT_URL, $url);
}
// Expected finding: fopen() target comes from $_GET via a local. fopen()
// accepts stream wrappers, so a request-controlled value can name a remote
// URL (subject to allow_url_fopen) as well as an arbitrary local path.
function test5(){
//ruleid: php-ssrf
$url = $_GET['r'];
$file = fopen($url, 'rb');
}
// Expected finding: fopen() target taken directly from $_POST.
function test6(){
//ruleid: php-ssrf
$file = fopen($_POST['r'], 'rb');
}
// Expected finding: file_get_contents() target comes from $_POST via a local.
function test7(){
//ruleid: php-ssrf
$url = $_POST['r'];
$file = file_get_contents($url);
}
// Expected finding: file_get_contents() target taken directly from $_POST.
function test8(){
//ruleid: php-ssrf
$file = file_get_contents($_POST['r']);
}
// No finding: the target is a string literal, so no source appears in the
// argument list.
function test9(){
//ok: php-ssrf
$file = file_get_contents("index.php");
}
// No finding: $_POST['r'] is read into $url, but the fopen() target is a
// fixed path and $url never reaches the call. The unused assignment is
// deliberate -- it checks that a source alone does not trigger the rule.
function test10(){
//ok: php-ssrf
$url = $_POST['r'];
$file = fopen("/tmp/test.txt", 'rb');
}
?>