Server-Side Request Forgery (SSRF vulnerability) in Laravel

Server-Side Request Forgery (SSRF) in Laravel is a critical web application vulnerability that occurs when an attacker tricks the server into making HTTP requests to unintended or malicious internal or external systems. This flaw often arises when developers fail to properly validate user-supplied URLs or endpoints that interact with server-side resources.

Best 7 Ways to Fix SSRF Vulnerability in Laravel Securely

In Laravel, due to the flexibility of tools like Guzzle HTTP, SSRF can sneak in subtly if proper precautions aren’t taken. This blog post will guide you through 7 actionable solutions, complete with real-world Laravel coding examples, to prevent SSRF. We’ll also show how our free website vulnerability scanner online can help you discover such vulnerabilities during your development or testing phase.


🔍 What is SSRF in Laravel and Why is it Dangerous?

When Laravel apps fetch remote data based on user input, they often use tools like Guzzle, cURL, or file_get_contents(). Without strict validation, this creates a window for attackers to access internal services (like metadata endpoints or internal APIs), potentially exposing sensitive data or escalating to full-blown server access.


7️⃣ Ways to Fix SSRF Vulnerability in Laravel

🚨 Example 1: Insecure Guzzle Usage in Laravel

use GuzzleHttp\Client;
use Illuminate\Http\Request;

public function fetchRemoteData(Request $request)
{
    // Vulnerable: the URL is taken straight from the request and fetched unchecked.
    $url = $request->input('url');
    $client = new Client();
    $response = $client->get($url);
    return $response->getBody()->getContents();
}

Problem:

The $url parameter comes directly from user input without any validation. An attacker could pass an internal IP like http://127.0.0.1/admin and access internal services.


Solution 1: Whitelisting Trusted Domains

$url = $request->input('url');
$allowedDomains = ['api.trustedservice.com', 'services.example.com'];
$parsedUrl = parse_url($url);
// Lower-case the host so "API.TrustedService.com" matches the allowlist entry.
$host = strtolower($parsedUrl['host'] ?? '');

if (!in_array($host, $allowedDomains, true)) {
    abort(403, 'Unauthorized domain access');
}

🎯 Pro Tip:

Always whitelist instead of blacklisting, as blacklists can easily be bypassed with clever URL manipulation.


🧠 Example 2: SSRF via file_get_contents()

$content = file_get_contents($request->input('file_url'));

Problem:

file_get_contents() fetches whatever URL it is given, including internal resources such as http://169.254.169.254 (the AWS instance metadata endpoint).


Solution 2: Validate URL Scheme and Host

$url = $request->input('file_url');
$parsed = parse_url($url);
// parse_url() omits keys that are absent, so default them instead of reading undefined indexes.
$scheme = $parsed['scheme'] ?? '';
$host = $parsed['host'] ?? '';

// The /i flag keeps "LOCALHOST" from slipping past the pattern.
if (!in_array($scheme, ['http', 'https'], true) ||
    preg_match('/^169\.254\.|^127\.|^localhost|^0\.0\.0\.0/i', $host)) {
    abort(403, 'Access to local network resources is prohibited.');
}

📸 Screenshot of the Website Vulnerability Scanner tool showing how it scans for SSRF vulnerabilities:
Here, you can see the interface of our free tools webpage, where we offer multiple security checks. Visit Pentest Testing’s Free Tools to perform quick security tests.

🔐 Example 3: Laravel with curl_exec()

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $request->input('target'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
curl_close($ch);

Problem:

Directly passing user input into CURLOPT_URL is dangerous without validation.


Solution 3: Use gethostbyname() to block private IPs

$target = $request->input('target');
$parsed = parse_url($target);
$host = $parsed['host'] ?? '';
// gethostbyname() returns the hostname unchanged when it cannot resolve it;
// filter_var() then fails on that string, so unresolvable hosts are blocked too.
$ip = gethostbyname($host);

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
    abort(403, 'Private IP addresses are not allowed.');
}
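Solutions 1 to 3 each check a single thing: the host name, a pattern, or the first IPv4 address gethostbyname() returns. The following validator is an added example, not code from the original post; it combines the three checks in one Laravel helper and goes a little further, resolving every A and AAAA record of the host (so an IPv6 literal such as [::1] or a dual-stack host with a private AAAA record is caught), restricting the port, and rejecting hosts that do not resolve at all. The function names are illustrative and abort() is Laravel's helper.

```php
<?php
// Added example, not code from the original post. Combines Solutions 1-3 and
// adds the checks a reviewer would ask for: every A and AAAA record is tested,
// not only the first IPv4 address gethostbyname() returns, and an unresolvable
// host is rejected instead of let through. Function names are illustrative.

function resolveAllIps(string $host): array
{
    // A literal IP address needs no DNS lookup.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
        $ips[] = $record['ip'] ?? $record['ipv6'] ?? null;
    }
    return array_values(array_filter($ips));
}

function isPublicIp(string $ip): bool
{
    // Rejects RFC 1918, loopback, link-local (169.254/16, the cloud metadata
    // range), 0.0.0.0/8, ::1 and the other reserved ranges in one call.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function assertSafeUrl(string $url, array $allowedHosts = []): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower(trim($parts['host'] ?? '', '[]')); // strip IPv6 brackets
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        abort(403, 'Only http/https URLs with a host are allowed.');
    }
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        abort(403, 'Unauthorized domain access');
    }
    if (!in_array($port, [80, 443], true)) {
        abort(403, 'Only ports 80 and 443 are allowed.');
    }
    $ips = resolveAllIps($host);
    if ($ips === [] || array_filter($ips, fn (string $ip) => !isPublicIp($ip))) {
        abort(403, 'Host resolves to a non-public address.');
    }
    return $url;
}
```

Call assertSafeUrl($request->input('url'), ['api.trustedservice.com']) before building the HTTP client. The client will resolve the host again and may follow redirects, so pair this check with a client that does not follow redirects.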

🛠️ Tools to Detect SSRF in Laravel

  1. Free SSRF Vulnerability Scanner from Pentest Testing Corp.
  2. OWASP ZAP / Burp Suite
  3. Laravel-specific SSRF detection rules in static analysis tools

📸 An image of the vulnerability assessment report generated by our Website Vulnerability check tool:
The vulnerability report provides detailed insights into different vulnerability issues, which you can use to enhance your application’s security.

🚫 Common SSRF Payloads Used by Attackers

http://127.0.0.1:80/
http://localhost/admin
http://169.254.169.254/latest/meta-data/
http://internal-api.company.local/

Make sure your validation rejects patterns like these and, as the Pro Tip above says, prefer an allowlist of trusted hosts over a blocklist of such patterns.


🔐 Laravel Middleware for SSRF Vulnerability Protection

You can even create a custom middleware to centralize SSRF protection logic:

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ValidateExternalUrl
{
    public function handle(Request $request, Closure $next)
    {
        $url  = (string) $request->input('url', '');
        $host = parse_url($url, PHP_URL_HOST);

        // parse_url() returns null when the URL has no host and false when it is
        // malformed; reject both before resolving anything.
        if (!is_string($host) || $host === '') {
            abort(403, 'SSRF protection triggered.');
        }

        // gethostbyname() returns the hostname unchanged when resolution fails,
        // which filter_var() then rejects, so unresolvable hosts are blocked too.
        $ip = gethostbyname($host);

        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            abort(403, 'SSRF protection triggered.');
        }

        return $next($request);
    }
}

Then register this middleware on routes or globally.
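The middleware is a good first gate, but two things happen after it runs that it cannot control: Guzzle follows redirects by default, so an allowed public URL can answer with a 302 to an internal address, and Guzzle resolves the host name again when it connects, so a DNS answer that changes between the middleware's gethostbyname() call and the connection (DNS rebinding) is never seen by the check. The following added example, which is not code from the original post, registers the middleware on the one route that makes outbound requests and then performs the request with redirects disabled and the checked IPv4 address pinned via libcurl's CURLOPT_RESOLVE; the controller and helper names are illustrative, and it assumes the URL already passed the middleware.

```php
<?php
// Added example, not code from the original post. Resolves the host once,
// checks that single answer with the same filter as the middleware, and then
// forces libcurl to connect to that exact address with redirects disabled, so
// neither a redirect nor a changed DNS answer can steer the request inward.
// RemoteFetchController and fetchPinned() are illustrative names.

use App\Http\Middleware\ValidateExternalUrl;
use GuzzleHttp\Client;
use Illuminate\Support\Facades\Route;

// routes/web.php: apply the middleware only where outbound requests are made.
Route::post('/fetch', [RemoteFetchController::class, 'fetch'])
    ->middleware(ValidateExternalUrl::class);

function fetchPinned(string $url, int $timeout = 5): string
{
    $parts  = parse_url($url) ?: [];
    $host   = $parts['host'] ?? '';
    $scheme = strtolower($parts['scheme'] ?? '');
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve exactly once: this IPv4 address is both checked and connected to.
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        abort(403, 'SSRF protection triggered.');
    }

    $client = new Client([
        'allow_redirects' => false,   // a redirect to an internal host is never followed
        'timeout'         => $timeout,
        'connect_timeout' => $timeout,
        'curl' => [
            // "host:port:ip" tells libcurl to use the checked address instead of
            // resolving the name again; TLS still verifies the certificate for $host.
            CURLOPT_RESOLVE => ["{$host}:{$port}:{$ip}"],
        ],
    ]);

    $response = $client->get($url);

    // With redirects disabled a 3xx is returned as a normal response; refuse it
    // rather than handing back a body that hides where the upstream pointed.
    $status = $response->getStatusCode();
    if ($status >= 300 && $status < 400) {
        abort(502, 'Upstream redirect refused: ' . $response->getHeaderLine('Location'));
    }
    return (string) $response->getBody();
}
```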


Final Thoughts

Server-Side Request Forgery (SSRF vulnerability) in Laravel can lead to serious breaches if not addressed during development. As Laravel developers, it’s critical to implement input validation, restrict internal network access, and utilize automated tools like ours for a Website Security check to detect flaws proactively.

If your Laravel app fetches remote resources in any form, now’s the time to audit those requests. Remember: “Validate once, test twice, deploy secure.”

