Fix SSRF (Server Side Request Forgery) in CakePHP
SSRF in CakePHP environments occurs when the 'Cake\Http\Client' or native PHP streams are invoked using unvalidated user input. This vulnerability allows an attacker to coerce the server into making unauthorized requests to internal resources, such as the AWS/GCP metadata services (169.254.169.254), internal databases, or local services bound to 127.0.0.1. A successful exploit can lead to full cloud credential exfiltration or internal network pivoting.
The Vulnerable Pattern
use Cake\Http\Client;
```php
use Cake\Http\Client;

public function fetchExternalResource()
{
    // DANGER: the user controls the entire URL, including scheme, host and port
    $url = $this->request->getQuery('url');
    $http = new Client();
    $response = $http->get($url);
    $this->response = $this->response->withStringBody($response->getStringBody());

    return $this->response;
}
```
The Secure Implementation
To shut down SSRF you need layered controls, because any single check can be bypassed. First, compare the parsed host against a strict allowlist of permitted domains rather than a blocklist of internal ones. Second, force the scheme to HTTPS so that gopher, file, dict and other schemes never reach the HTTP client. Third, resolve the host yourself and reject any answer in the RFC 1918 private ranges, the RFC 6598 shared address space (100.64.0.0/10), loopback, or link-local (which covers the 169.254.169.254 metadata endpoint). PHP's FILTER_FLAG_NO_PRIV_RANGE covers the RFC 1918 blocks and FILTER_FLAG_NO_RES_RANGE covers 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4; 100.64.0.0/10 you must check yourself. Be clear about what the resolution step does and does not buy you: the client performs its own DNS lookup when it connects, so a host whose answer changes between your check and the fetch (DNS rebinding) can still land on an internal address unless the connection is pinned to the validated IP. The allowlist is what makes that attack impractical, since the attacker would need control of a trusted domain's DNS. Also leave redirect following off (the Cake\Http\Client default) so an allowlisted host cannot 302 the request to an internal address. Finally, instantiate the Client with a short timeout so a slow-responding target cannot tie up PHP workers.
```php
use Cake\Http\Client;
use Cake\Http\Exception\BadRequestException;

public function fetchExternalResource()
{
    $url = $this->request->getQuery('url');
    $allowedHosts = ['api.trusted-partner.com', 'cdn.example.com'];

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'], $parts['scheme'])) {
        throw new BadRequestException('Invalid URL format');
    }

    // 1. Enforce protocol (HTTPS only)
    if (strtolower($parts['scheme']) !== 'https') {
        throw new BadRequestException('Only HTTPS is permitted');
    }

    // 2. Strict allowlist check: exact match, case-insensitive, strict comparison
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        throw new BadRequestException('Unauthorized target host');
    }

    // 3. DNS resolution and private/reserved IP validation (anti-bypass).
    //    gethostbyname() returns the hostname unchanged on failure, so fail closed.
    //    Note: gethostbyname() only returns an A record; see the IPv6 caveat below.
    $ip = gethostbyname($host);
    if ($ip === $host) {
        throw new BadRequestException('Target host does not resolve');
    }
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        throw new BadRequestException('Target resolves to a private or reserved IP');
    }

    // Short timeout; redirects stay disabled (the Client default), so an allowlisted
    // host cannot 302 the request to an internal address.
    $http = new Client(['timeout' => 5]);
    $response = $http->get($url);

    return $this->response->withStringBody($response->getStringBody());
}
```
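The controller method above works, but its policy is hard to test because it calls live DNS and only looks at A records. The following is an added example, not code from the page or from CakePHP, that lifts the same checks into a standalone validator with an injectable resolver so the policy can be exercised offline against typical bypass attempts (userinfo tricks, explicit ports, trailing-dot and mixed-case hosts, an AAAA answer pointing at loopback). The class name `OutboundUrlPolicy`, the hostnames and the `$fakeDns` resolver map are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical class; not CakePHP's own API). An outbound URL
// policy: https-only, exact host allowlist, no userinfo/port, and every A/AAAA
// answer must be a public address. The resolver is injectable so tests can run
// without touching real DNS.
final class OutboundUrlPolicy
{
    /** @var callable(string): string[]  hostname -> list of IPs (A and AAAA) */
    private $resolver;

    /** @var string[] lowercase allowlisted hostnames */
    private array $allowedHosts;

    public function __construct(array $allowedHosts, ?callable $resolver = null)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
        // Default resolver: real DNS via dns_get_record(), both A and AAAA records.
        $this->resolver = $resolver ?? static function (string $host): array {
            $ips = [];
            foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
                $ips[] = $rr['ip'] ?? $rr['ipv6'];
            }
            return $ips;
        };
    }

    /** Returns the URL unchanged if it passes every check; throws otherwise. */
    public function validate(string $url): string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'])) {
            throw new InvalidArgumentException('Malformed URL');
        }
        // 1. Scheme pinning: gopher://, file://, dict:// never reach the HTTP client.
        if (strtolower($parts['scheme']) !== 'https') {
            throw new InvalidArgumentException('Only https:// is permitted');
        }
        if (!isset($parts['host'])) {
            throw new InvalidArgumentException('URL has no host');
        }
        // 2. Reject embedded credentials and explicit ports. parse_url() puts the
        //    text before '@' in 'user', so https://api.trusted-partner.com@169.254.169.254/
        //    has host 169.254.169.254; rejecting userinfo removes the confusion entirely.
        if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
            throw new InvalidArgumentException('Userinfo and explicit ports are not permitted');
        }
        // 3. Exact, case-insensitive host match; a trailing dot (FQDN form) is stripped.
        $host = strtolower(rtrim($parts['host'], '.'));
        if (!in_array($host, $this->allowedHosts, true)) {
            throw new InvalidArgumentException('Host not in allowlist');
        }
        // 4. Every A and AAAA answer must be outside private/reserved/loopback/link-local space.
        $ips = ($this->resolver)($host);
        if ($ips === []) {
            throw new InvalidArgumentException('Host did not resolve');
        }
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
                throw new InvalidArgumentException("Host resolves to disallowed address {$ip}");
            }
        }
        return $url;
    }
}

// Constructed resolver for the demonstration; no real DNS is queried.
$fakeDns = static fn(string $host): array => [
    'api.trusted-partner.com' => ['203.0.113.10'],
    'cdn.example.com'         => ['198.51.100.7'],
    'rebound.example.com'     => ['203.0.113.20', '::1'],  // one public A, one loopback AAAA
][$host] ?? [];

$policy = new OutboundUrlPolicy(
    ['api.trusted-partner.com', 'cdn.example.com', 'rebound.example.com'],
    $fakeDns
);

// Constructed inputs: two that should pass, six bypass attempts that should fail.
$cases = [
    'https://api.trusted-partner.com/v1/report',                          // allowed
    'https://API.Trusted-Partner.com./v1/report',                         // allowed (case, trailing dot)
    'http://api.trusted-partner.com/v1/report',                           // wrong scheme
    'file:///etc/passwd',                                                 // wrong scheme
    'https://api.trusted-partner.com@169.254.169.254/latest/meta-data/',  // userinfo trick
    'https://api.trusted-partner.com:8443/',                              // explicit port
    'https://169.254.169.254/latest/meta-data/',                          // not allowlisted
    'https://rebound.example.com/',                                       // AAAA answer is ::1
];

foreach ($cases as $case) {
    try {
        $policy->validate($case);
        echo "ALLOW  {$case}\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT {$case}  ({$e->getMessage()})\n";
    }
}
```

In the controller you would call `$policy->validate($url)` before `new Client(['timeout' => 5])` and keep redirects disabled. The validator still cannot close the check-then-fetch gap on its own: the HTTP client resolves the host again when it connects, so pinning the connection to the validated IP (for example via the curl adapter's resolve options, if your setup exposes them) is the only complete fix for rebinding; the allowlist is what keeps that gap from being exploitable in practice.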
Verified by Ghost Labs Security Team