
Why it Matters

Server-Side Request Forgery (SSRF) happens when attackers trick your Magento server into making HTTP requests to locations they choose. This could allow them to reach internal services, metadata endpoints on cloud providers, or even other systems inside your network that are not supposed to be exposed.

If external requests are not validated, attackers may bypass firewalls or steal sensitive data. Restricting which hosts can be contacted and validating all URLs helps close this attack vector. Proper SSRF protections reduce the risk of data leaks and lateral movement inside your infrastructure.

Verification Steps

Manual

# Review custom modules for outbound HTTP requests
grep -R "curl_init" app/code
grep -R "file_get_contents(" app/code
grep -R "->request(" app/code

# Check if requests validate allowed hosts or use a whitelist

Remediation / Fix Guidance

  1. Use Magento’s HTTP client or frameworks that support request validation.
  2. Allow only specific, trusted domains (use a whitelist or DNS pinning).
  3. Block requests to local addresses like 127.0.0.1 or 169.254.169.254 (cloud metadata).
  4. Set reasonable connect and read timeouts, and disable automatic redirect following (a redirect from a trusted host can point anywhere).

Examples

Fail Example

// Unsafe, accepts any URL input and fetches it without validation
$url = $_GET['url'];
$response = file_get_contents($url);

Pass Example

// Safe, only allows requests to an exact list of trusted URLs
$allowed = ['https://api.payment.com', 'https://api.shipping.com'];
$url = (string) ($_GET['url'] ?? '');
if (in_array($url, $allowed, true)) {
    $response = $httpClient->get($url);
}
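The Pass example above only accepts exact URL strings. The following added example (not code from the page or from Magento) applies all four remediation steps to an arbitrary user-supplied URL: it parses the URL, enforces HTTPS, checks the host against an allowlist, resolves the host and rejects loopback, private and link-local addresses such as 169.254.169.254, pins the connection to the vetted address, and sends the request with timeouts and redirect following disabled. The host names in ALLOWED_HOSTS are constructed placeholders, and it uses PHP's curl extension directly so it runs outside Magento.

```php
<?php
// Constructed allowlist: only these hosts may be contacted, and only over HTTPS.
const ALLOWED_HOSTS = ['api.payment.com', 'api.shipping.com'];
// Validate a user-supplied URL; returns [$host, $publicIp] or throws.
function validateOutboundUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('Only absolute https:// URLs are allowed');
    }
    // Reject embedded credentials and non-standard ports (https://user@host:8080/...).
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        throw new InvalidArgumentException('Credentials and custom ports are not allowed');
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("Host not in allowlist: $host");
    }
    // Resolve once and vet the address, so a DNS record pointing at 127.0.0.1 or
    // 169.254.169.254 cannot pass on the strength of its hostname alone (IPv4 only here).
    $ip = gethostbyname($host);
    if ($ip === $host || filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new RuntimeException("Host $host resolves to a non-public address ($ip)");
    }
    return [$host, $ip];
}

function fetchTrusted(string $url): string
{
    [$host, $ip] = validateOutboundUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Pin the connection to the vetted address (DNS pinning) so a second lookup
        // at connect time cannot be answered with a different, internal address.
        CURLOPT_RESOLVE        => ["$host:443:$ip"],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // never follow redirects automatically
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Request failed: $err");
    }
    return $body;
}
```

The validation step deliberately resolves only IPv4 (gethostbyname); a host with AAAA records needs an equivalent check on its IPv6 addresses before it is pinned.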

References