How to Prevent Server-Side Request Forgery SSRF Attacks in PHP

Our PHP web applications can use URL submissions to preview a link’s contents, integrate third-party services, or even import data from external sources for convenience and functionality.

If we aren’t extremely careful about validating and sanitizing URL inputs, however, threat actors can submit malicious URLs to initiate SSRF attacks.

For example, a threat actor might try to submit a URL (structured like the example input below) that points to an internal service or some other sensitive endpoint within our application’s network.

http://localhost:8080/admin

This basic example SSRF URL is attempting to gain access to internal admin interfaces (or other similar services) that obviously aren’t intended to be publicly accessible.

Thankfully, we can use a free SSRF detection API to check URLs like this for SSRF attacks and assess their threat level. Using PHP code examples provided below, we can easily incorporate this API into our PHP application.

The prior example URL input above would return the following response:

{
  "CleanURL": false,
  "ThreatLevel": "High"
}

The threat level of this URL is appropriately deemed “high” because it’s directly attempting to expose internal resources to an external user.

When submitting URLs in our API request, we can also supply a string of domains we’d like to block under any circumstances. We can structure that input like the below example:

{
  "URL": "http://localhost:8080/admin",
  "BlockedDomains": [
    "malicious-domain.com"
  ]
}

Before we structure our API call, we’ll just need a free Cloudmersive API key to authorize our requests. This will allow us to make up to 800 API calls per month with zero additional commitments.

With our API key ready to go, we can first install the PHP client with Composer by executing the following command:

composer require cloudmersive/cloudmersive_security_api_client

Next, we can use the below code examples to call the function, and we can paste our API key in the ‘YOUR_API_KEY’ placeholder snippet:

<?php
require_once(__DIR__ . '/vendor/autoload.php');

// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');



$apiInstance = new Swagger\Client\Api\NetworkThreatDetectionApi(
    
    
    new GuzzleHttp\Client(),
    $config
);
$request = new \Swagger\Client\Model\UrlSsrfThreatDetectionRequestFull(); // \Swagger\Client\Model\UrlSsrfThreatDetectionRequestFull | Input URL request

try {
    $result = $apiInstance->networkThreatDetectionDetectSsrfUrl($request);
    print_r($result);
} catch (Exception $e) {
    echo 'Exception when calling NetworkThreatDetectionApi->networkThreatDetectionDetectSsrfUrl: ', $e->getMessage(), PHP_EOL;
}
?>

No more code required! Now we can easily check URL inputs for SSRF attacks, get key information about the severity of potential SSRF threats, and block threatening domains all in one low-code API call.