Skip to main content

Mitigate Server Side Request Forgery

Learning Objectives

After completing this unit, you’ll be able to:

  • Define a Server Side Request Forgery (SSRF) vulnerability.
  • Identify an SSRF vulnerability in Lightning Platform applications.
  • Prevent an SSRF vulnerability using code- and org-level protections.

What Is Server Side Request Forgery?

Server-side request forgery (SSRF) is a security vulnerability in web applications where an attacker can make unauthorized requests, both internal and external, on behalf of the server. In an SSRF attack, the malicious application tricks the server into making requests to internal and external services or systems, potentially leading to unauthorized access or data exposure.

To illustrate this vulnerability, let’s consider our School District Management developer org once again. Imagine we have an application that fetches information about students from an internal service that is hosted on a non-routable address. The application is designed to make a GET request to the server whose address is contained in the API request to retrieve the student's details, for example studentApi=https://192.168.0.1/student.

Now, suppose an attacker observes that the requests sent from the client contain a path value that may be exploitable. Cloud services often expose a REST interface on a metadata endpoint (such as http://169.254.169.254). In addition, some NoSQL databases may be configured to expose unauthenticated REST interfaces on internal interfaces. An attacker would intercept the API call from the client, replace the endpoint value of the student service with a call to the metadata service and exfiltrate sensitive service configuration data from the internal metadata endpoint.

Preventing SSRF Attacks

Preventing SSRF attacks involves implementing measures to validate and restrict the scope of requests. Effective prevention techniques include a combination of the following.

Validate and Sanitize Inputs

Ensure that input values, such as the studentApivalue in our example, are properly validated and sanitized to prevent the injection of malicious URLs.

Implement Allowlisting

Restrict the allowed destinations for outgoing requests by enforcing the URL schema, port, and destination allowlist, disabling HTTP redirections. Only allow requests to specified, trusted endpoints.

Use URL Parsing Libraries

Utilize URL parsing libraries to parse and validate URLs before making requests. This helps ensure that the requested URLs conform to expected patterns.

Network Segmentation

Implement network segmentation to restrict the server's ability to make requests to internal resources, limiting the impact of any potential SSRF attacks.

Salesforce Platform Protections Against SSRF

Salesforce provides built-in protections against SSRF for developers. Requests made against Salesforce resources include safeguards to prevent the exploitation of SSRF vulnerabilities. Additionally, Lightning application developers can use the following best practices to minimize the risk of SSRF.

Avoid GET Requests

Similar to CSRF prevention, developers should avoid using HTTP GET requests. Instead, prefer using POST or PUT requests to minimize risk of SSRF data exfiltration.

Validate Origin Headers

When integrating Salesforce Lightning applications with third-party APIs, validate the origin header in HTTP requests. Ensure that the request originates from a trusted source to prevent potential SSRF exploits.

Implement Anti-SSRF Tokens

Developers can add custom anti-SSRF tokens to XMLHttpRequests within Lightning by using setRequestHeader(). This adds an additional layer of protection against SSRF attacks.

SSRF on Lightning Page Load Events

Another area prone to SSRF vulnerabilities is during server-side Data Manipulation Language (DML) operations triggered by page-loading events like onInit or afterRender. To mitigate the risk, ensure that DML operations are only initiated in response to user interactions, such as clicking a button or selecting an option.

Now that you understand how to safeguard against SSRF vulnerabilities, you can design secure applications on the Salesforce platform, protecting your users' clients from unauthorized access and data exposure. Additionally, securing your development on the server side ensures a robust defense against potential security threats.

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback