Safeguard
Tag

ssrf

Safeguard articles tagged "ssrf" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Application Security

URL parser confusion: how inconsistent parsing enables SSRF and auth bypass

Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.

Jul 16, 20266 min read
Open Source Security

Common Go module vulnerability patterns and how govulncheck helps

Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.

Jul 14, 20266 min read
Application Security

Safely Parsing Untrusted URLs in Node.js

Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.

Jul 13, 20266 min read
Application Security

Robust URL Validation in Python: Stopping SSRF and Open Redirects

One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.

Jul 11, 20266 min read
Security Guides

OWASP A10: Server-Side Request Forgery (SSRF) — A Deep-Dive Guide

Server-Side Request Forgery ranks #10 in the OWASP Top 10 (2021). A deep dive into cloud metadata theft, real CVEs like ProxyLogon, and how to stop SSRF in 2026.

Jul 8, 20267 min read
Security Guides

Preventing SSRF in Python Applications

Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.

Jul 8, 20265 min read
Security Guides

Axios Security Guide (2026)

Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.

Jul 7, 20266 min read
Application Security

Preventing SSRF in Node.js applications

A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.

Jul 7, 20266 min read
Security Guides

Preventing SSRF in Node.js Applications

Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.

Jul 3, 20266 min read
Security Guides

SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding

A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.

Jul 2, 20265 min read
Vulnerability Guides

What Is XXE (XML External Entity Injection)?

XXE abuses an XML parser's ability to load external entities to read local files, reach internal services, or knock a server offline. Here is how to stop it.

Jul 1, 20265 min read
Vulnerability Analysis

ProxyLogon (CVE-2021-26855) Explained: The Exchange SSRF That Opened a Pre-Auth Door

CVE-2021-26855, ProxyLogon, is a server-side request forgery in Microsoft Exchange that let unauthenticated attackers impersonate the server — the first link in a chain to full remote code execution.

Jul 1, 20265 min read
ssrf — Safeguard Blog