ssrf
Safeguard articles tagged "ssrf" — guides, analysis, and best practices for software supply chain and application security.
25 articles
URL parser confusion: how inconsistent parsing enables SSRF and auth bypass
Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.
Common Go module vulnerability patterns and how govulncheck helps
Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.
Safely Parsing Untrusted URLs in Node.js
Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.
Robust URL Validation in Python: Stopping SSRF and Open Redirects
One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.
OWASP A10: Server-Side Request Forgery (SSRF) — A Deep-Dive Guide
Server-Side Request Forgery ranks #10 in the OWASP Top 10 (2021). A deep dive into cloud metadata theft, real CVEs like ProxyLogon, and how to stop SSRF in 2026.
Preventing SSRF in Python Applications
Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.
Axios Security Guide (2026)
Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.
Preventing SSRF in Node.js applications
A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.
Preventing SSRF in Node.js Applications
Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.
SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding
A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.
What Is XXE (XML External Entity Injection)?
XXE abuses an XML parser's ability to load external entities to read local files, reach internal services, or knock a server offline. Here is how to stop it.
ProxyLogon (CVE-2021-26855) Explained: The Exchange SSRF That Opened a Pre-Auth Door
CVE-2021-26855, ProxyLogon, is a server-side request forgery in Microsoft Exchange that let unauthenticated attackers impersonate the server — the first link in a chain to full remote code execution.