Disclaimer: This platform is for educational and authorized security testing only.

SSRF

Classify URLs and enforce outbound allowlists; block risky schemes and internal ranges.

Classification

  • Block 169.254.169.254, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Block file://, gopher://, ftp:// (unless required and sandboxed)
  • Resolve DNS and re-check the resolved IP against the blocked ranges before connecting

Prevention

  • Allowlist hosts or exact URLs; send all outbound traffic through an egress proxy
  • Disable redirects, or re-validate the target of every redirect before following it
  • Enforce timeouts and small response-size limits
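
The classification and prevention rules above, carried through as one egress guard. This is an added example, not code from the original page. It assumes Node.js 18 or later (global fetch and AbortController); hostnames are resolved by an injected resolve(hostname) function so the checks run offline, and the allowlist, hostnames and IP addresses in the demo are constructed for illustration.

```javascript
// Added example (not from the original page). Assumptions: Node.js 18+; DNS is abstracted
// behind an injected resolve(hostname) so the guard can be exercised offline; the allowlist,
// hostnames and IPs at the bottom are constructed demo values.

// Address ranges listed as blocked; the metadata address is written as a /32.
const BLOCKED_CIDRS = [
  "169.254.169.254/32", // cloud metadata endpoint
  "127.0.0.0/8",        // loopback
  "10.0.0.0/8",         // RFC 1918
  "172.16.0.0/12",      // RFC 1918
  "192.168.0.0/16",     // RFC 1918
];
// Schemes listed as blocked. Everything except http(s) is denied anyway; the explicit list
// only yields a clearer reason in the verdict.
const BLOCKED_SCHEMES = new Set(["file:", "gopher:", "ftp:"]);

// True for a dotted-quad IPv4 literal with every octet in 0..255.
function isIPv4Literal(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}
// Dotted quad -> unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
// True if IPv4 `ip` lies inside `cidr` (e.g. "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}
// Deny by default: anything that is not a public IPv4 literal is blocked, which also covers
// IPv6 (::1, mapped v4) and failed lookups until the policy grows v6 rules.
function isBlockedIp(ip) {
  if (typeof ip !== "string" || !isIPv4Literal(ip)) return true;
  return BLOCKED_CIDRS.some((cidr) => inCidr(ip, cidr));
}

// Classify one candidate URL. The IP check runs on the address the request would actually
// connect to, not on the hostname string, so aliases for internal hosts are caught as well.
function classifyUrl(input, { allowlist, resolve }) {
  let url;
  try { url = new URL(input); } catch { return { allowed: false, reason: "unparseable URL" }; }
  if (BLOCKED_SCHEMES.has(url.protocol) || !["http:", "https:"].includes(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  if (url.username || url.password) return { allowed: false, reason: "credentials in URL" };
  if (!allowlist.has(url.hostname)) return { allowed: false, reason: `host ${url.hostname} not allowlisted` };
  const ip = resolve(url.hostname);
  if (isBlockedIp(ip)) return { allowed: false, reason: `resolved address ${ip} is blocked` };
  return { allowed: true, href: url.href, ip };
}

// Re-validate a redirect target before following it; Location may be relative to the original.
function classifyRedirect(fromHref, location, opts) {
  if (typeof location !== "string") return { allowed: false, reason: "redirect without Location" };
  let target;
  try { target = new URL(location, fromHref).href; } catch { return { allowed: false, reason: "unparseable Location" }; }
  return classifyUrl(target, opts);
}

// Fetch with the guard applied: redirects are not followed automatically, the request is
// aborted after timeoutMs, and the body is capped at maxBytes while it streams in.
async function guardedFetch(input, opts, { timeoutMs = 5000, maxBytes = 1 << 20 } = {}) {
  const verdict = classifyUrl(input, opts);
  if (!verdict.allowed) throw new Error(`blocked: ${verdict.reason}`);
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetch(verdict.href, { redirect: "manual", signal: ctl.signal });
    if (res.status >= 300 && res.status < 400) {
      // Hand the re-classified target back to the caller rather than following it blindly.
      return { status: res.status, redirect: classifyRedirect(verdict.href, res.headers.get("location"), opts) };
    }
    if (!res.body) return { status: res.status, body: new Uint8Array(0) };
    const reader = res.body.getReader();
    const chunks = [];
    let total = 0;
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total += value.byteLength;
      if (total > maxBytes) { ctl.abort(); throw new Error(`response exceeded ${maxBytes} bytes`); }
      chunks.push(value);
    }
    const body = new Uint8Array(total);
    chunks.reduce((off, c) => (body.set(c, off), off + c.byteLength), 0);
    return { status: res.status, body };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed demo inputs: a stub resolver stands in for DNS.
const DEMO_ALLOWLIST = new Set(["api.example.com", "cdn.example.com"]);
const DEMO_DNS = { "api.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5" };
const demoOpts = { allowlist: DEMO_ALLOWLIST, resolve: (host) => DEMO_DNS[host] };
function demoVerdicts() {
  return {
    ok: classifyUrl("https://api.example.com/v1/items", demoOpts),
    allowlistedButInternal: classifyUrl("https://cdn.example.com/", demoOpts),
    scheme: classifyUrl("gopher://api.example.com/", demoOpts),
    metadataRedirect: classifyRedirect("https://api.example.com/v1", "http://169.254.169.254/", demoOpts),
    relativeRedirect: classifyRedirect("https://api.example.com/v1", "/v2/items", demoOpts),
  };
}
console.log(JSON.stringify(demoVerdicts(), null, 2));
```

Two design points worth noting. The allowlisted host cdn.example.com is still rejected because its resolved address falls in 10.0.0.0/8, which is why the IP check runs on the resolved address and not only on the host string. The guard checks the address before connecting but does not pin the socket to that address, so a name that changes between the check and the connect could still reach a different IP; in production either pass the checked IP to the HTTP client's connector or enforce the same policy at the egress proxy, as the Prevention list recommends.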

Copy-Ready Safe Examples

const ALLOWLIST = new Set(["api.example.com"]); // exact hosts this service may call (placeholder value)
function checkOutbound(input) {
  const url = new URL(input);
  if (!ALLOWLIST.has(url.host)) throw new Error("blocked");
  if (["file:", "gopher:", "ftp:"].includes(url.protocol)) throw new Error("blocked");
  // Resolve DNS to IP and block private ranges before fetch
  const proxy = "http://egress-proxy.local";
  // Route all outbound traffic via proxy; enforce ACL at proxy layer
  return { url, proxy };
}