Description

Detects potential Server-Side Request Forgery (SSRF) vulnerabilities in Express.js applications where unsanitized user input flows into axios HTTP requests. This could allow attackers to make unauthorized requests to internal services or sensitive endpoints by manipulating request URLs.

Detection Strategy

• Identifies Express.js route handlers and controller functions

• Tracks request parameters and user-controlled data through the code

• Looks for axios HTTP client method calls (get, post, etc.)

• Reports issues when user input directly influences axios request URLs without proper validation

• Checks if URL parameters in axios calls are constructed using request parameters or other user-controlled data sources

Vulnerable code example

const express = require('express');
const axios = require('axios');

const app = express();

app.get('/fetch', async (req, res) => {
  const url = req.query.url;
  ...

✅ Secure code example

const express = require('express');
const axios = require('axios');
const validUrl = require('valid-url');

const app = express();
app.use(express.json());

// Define allowed domains and methods for security...