GuardAPI

Fix SSRF (Server Side Request Forgery) in Beego

SSRF in Beego applications typically manifests when developers use the `httplib` module to fetch remote resources using unsanitized user input. By providing internal IP addresses (127.0.0.1) or cloud metadata endpoints (169.254.169.254), an attacker can pivot into your internal network. To kill this bug, you must implement strict URL parsing, protocol enforcement, and IP allowlisting.

The Vulnerable Pattern

```go
package controllers

import (
	"github.com/beego/beego/v2/client/httplib"
	"github.com/beego/beego/v2/server/web"
)

type ProxyController struct {
	web.Controller
}

func (c *ProxyController) Get() {
	// VULNERABLE: the user-supplied URL is handed straight to httplib,
	// so any scheme and any host (including internal ones) can be fetched.
	targetURL := c.GetString("url")
	req := httplib.Get(targetURL)
	resp, err := req.String()
	if err != nil {
		c.Ctx.WriteString("Error fetching resource")
		return
	}
	c.Ctx.WriteString(resp)
}
```

The Secure Implementation

The fix involves three layers of defense:

1. Protocol Validation: Restrict schemes to HTTP/HTTPS only to prevent 'file://' or 'gopher://' attacks.
2. Hostname Allowlisting: Only permit requests to known, trusted external domains.
3. DNS Resolution Check: Before making the request, resolve the hostname to an IP and verify it is not a loopback (127.0.0.1), private (RFC 1918), or link-local address.

This prevents attackers from using your server as a proxy to scan internal services or grab cloud instance metadata.

```go
package controllers

import (
	"net"
	"net/url"

	"github.com/beego/beego/v2/client/httplib"
	"github.com/beego/beego/v2/server/web"
)

// isSafe applies the three layers: scheme check, hostname allowlist, and a
// check that every resolved address is outside loopback/private/link-local space.
func isSafe(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	// Allowlist approach: a hostname that is not explicitly trusted is rejected.
	allowedDomains := []string{"api.trusted.com", "cdn.assets.io"}
	allowed := false
	for _, domain := range allowedDomains {
		if u.Hostname() == domain {
			allowed = true
			break
		}
	}
	if !allowed {
		return false
	}
	// IP validation to prevent internal hits. Link-local covers the
	// 169.254.169.254 metadata endpoint. Note that httplib performs its own
	// lookup later, so this check and the actual connection are separate resolutions.
	addrs, err := net.LookupIP(u.Hostname())
	if err != nil || len(addrs) == 0 {
		return false
	}
	for _, addr := range addrs {
		if addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() {
			return false
		}
	}
	return true
}

type SecureController struct {
	web.Controller
}

func (c *SecureController) Get() {
	target := c.GetString("url")
	if !isSafe(target) {
		c.CustomAbort(403, "Forbidden target")
		return
	}
	req := httplib.Get(target)
	resp, err := req.String()
	if err != nil {
		c.Ctx.WriteString("Error fetching resource")
		return
	}
	c.Ctx.WriteString(resp)
}
```
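The three-layer check above, written as a stand-alone Go example with the DNS resolver injected so it can be unit-tested offline; this is added here and is not GuardAPI's or Beego's code. The domain names, the `validateTarget`/`isInternalIP`/`fakeDNS` names and the resolver table are assumptions constructed for the example; it goes slightly beyond the article's snippet by also rejecting link-local and unspecified addresses and IPv4-mapped IPv6 forms.

```go
package main

import (
	"errors"
	"net"
	"net/url"
)

// Trusted external domains (values assumed for this example).
var allowedHosts = map[string]bool{"api.trusted.com": true, "cdn.assets.io": true}

// isInternalIP rejects loopback, RFC 1918 private, link-local (covers 169.254.169.254)
// and unspecified addresses; net.IP handles 4- and 16-byte forms, so IPv4-mapped IPv6 too.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// validateTarget applies the three layers: scheme, allowlist, then every resolved
// address must be public (one internal record rejects the whole host). Resolver is injected.
func validateTarget(rawURL string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("URL unparseable or scheme not allowed")
	}
	host := u.Hostname()
	if !allowedHosts[host] {
		return errors.New("host not in allowlist")
	}
	addrs, err := resolve(host)
	if err != nil || len(addrs) == 0 {
		return errors.New("host did not resolve")
	}
	for _, ip := range addrs {
		if isInternalIP(ip) {
			return errors.New("host resolves to internal address " + ip.String())
		}
	}
	return nil
}

// fakeDNS is a constructed resolver; cdn.assets.io deliberately has a private record next to a public one.
func fakeDNS(host string) ([]net.IP, error) {
	switch host {
	case "api.trusted.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "cdn.assets.io":
		return []net.IP{net.ParseIP("198.51.100.7"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, errors.New("no such host")
}
```

In production, pass `net.LookupIP` as the resolver; the fake table only exists so the rejection paths can be exercised without network access.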

Verified by Ghost Labs Security Team
