
Fix SSRF (Server Side Request Forgery) in CodeIgniter

SSRF (Server-Side Request Forgery) is a critical vulnerability that allows an attacker to make the server issue requests it was never meant to send. In CodeIgniter applications this typically occurs when a user-supplied URL is passed to cURL or a file wrapper without validation. A successful exploit can lead to internal port scanning, access to cloud metadata services (such as 169.254.169.254), or interaction with internal-only services like Redis and Memcached.

The Vulnerable Pattern

// Deliberately vulnerable: the user-supplied URL reaches cURL unvalidated,
// any scheme is accepted, and redirects are followed.
public function proxy() {
    $target_url = $this->input->get('url');
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $result = curl_exec($ch);
    curl_close($ch);
    echo $result;
}

The Secure Implementation

To fix SSRF, you must implement a multi-layered defense:

1. Host Allowlisting: Only permit requests to a predefined list of trusted domains.
2. Protocol Enforcement: Explicitly allow only 'https' to prevent protocol smuggling via gopher, file, or ftp.
3. DNS Resolution Check: Resolve the hostname to an IP and use FILTER_FLAG_NO_PRIV_RANGE to ensure the target is not a local or private network address (RFC1918).
4. Disable Redirects: Set CURLOPT_FOLLOWLOCATION to false to prevent attackers from bypassing host checks via HTTP 301/302 redirects to internal resources.

public function proxy_secure() {
    $url = $this->input->get('url');
    $allowed_domains = ['api.trusted.com', 'cdn.trusted.com'];
    $parts = parse_url($url);

    // 1. Host allowlisting: the host must match a trusted entry exactly.
    if (!$parts || !isset($parts['host']) || !in_array($parts['host'], $allowed_domains, true)) {
        show_error('Invalid Host', 403);
    }

    // 2. Protocol enforcement: only https; gopher://, file:// and ftp:// are rejected.
    //    A URL without a scheme must be rejected too, hence the null-coalescing default.
    if (($parts['scheme'] ?? '') !== 'https') {
        show_error('HTTPS Required', 403);
    }

    // 3. DNS resolution check: reject hosts that resolve to private (RFC 1918) or reserved ranges.
    $ip = gethostbyname($parts['host']);
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        show_error('Internal IP Access Prohibited', 403);
    }

    // The outgoing URL is rebuilt from the validated parts only; user-supplied
    // userinfo, port and query string are deliberately dropped.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'https://' . $parts['host'] . ($parts['path'] ?? ''));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // 4. Disable redirects so a 301/302 cannot point the request at an internal resource.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $result = curl_exec($ch);
    curl_close($ch);
    echo $result;
}
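As an added example that is not part of the original page, the four layers above factored into a reusable validator plus a fetch helper. It goes beyond the snippet above by rejecting userinfo and explicit ports in the URL and by pinning cURL to the IP that passed the check with CURLOPT_RESOLVE, so the hostname cannot be re-resolved to an internal address between the check and the request. The function names and the allowlist contents are assumptions.

```php
// Added example, not the page's own code; helper names are hypothetical.
function ssrf_validate_url(string $url, array $allowed_hosts): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Layer 2: only https (scheme names are case-insensitive, RFC 3986).
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // Reject userinfo ("https://api.trusted.com@evil.example/") and explicit ports.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Layer 1: exact, case-insensitive host allowlist (entries must be lowercase).
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    // Layer 3: resolve and reject private/reserved ranges. gethostbyname()
    // returns the name unchanged on failure, which filter_var() then rejects.
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return ['url'  => 'https://' . $host . ($parts['path'] ?? '/') . $query,
            'host' => $host, 'ip' => $ip];
}

function ssrf_safe_fetch(string $url, array $allowed_hosts): ?string
{
    $v = ssrf_validate_url($url, $allowed_hosts);
    if ($v === null) {
        return null;
    }
    $ch = curl_init($v['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // Layer 4: never follow redirects
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // cURL itself refuses other schemes
        CURLOPT_TIMEOUT        => 10,
        // Pin the connection to the IP that passed the check (no DNS rebinding).
        CURLOPT_RESOLVE        => [$v['host'] . ':443:' . $v['ip']],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

In a controller, `ssrf_safe_fetch($this->input->get('url'), ['api.trusted.com', 'cdn.trusted.com'])` returning null maps to `show_error(..., 403)`; returning a string is the body to echo.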


Verified by Ghost Labs Security Team
