GuardAPI

How to fix SSRF (Server Side Request Forgery) in .NET 8 Web API

Executive Summary

SSRF in .NET 8 occurs when an endpoint accepts a user-supplied URL and fetches it with HttpClient without strict validation. An attacker can then use the server to reach internal networks (for example 169.254.169.254 or localhost) or to bypass firewalls. To eliminate SSRF, enforce a strict allowlist of hosts, validate the URL scheme, and ideally resolve the hostname and confirm that the resulting IP address does not fall in a private or loopback range.

The Vulnerable Pattern

VULNERABLE CODE
[HttpGet("proxy")]
public async Task<IActionResult> Proxy(string targetUrl)
{
    using var client = new HttpClient();
    // VULNERABLE: Direct trust of user input.
    // Attacker can pass 'http://localhost:5001/admin' or 'http://169.254.169.254/latest/meta-data/'.
    var response = await client.GetAsync(targetUrl);
    var content = await response.Content.ReadAsStringAsync();
    return Ok(content);
}

The Secure Implementation

The fix implements defense in depth. First, it parses the input into a System.Uri object to prevent basic obfuscation. Second, it enforces the HTTPS scheme to prevent protocol smuggling (gopher, file, ftp). Third, it checks the host against a hardcoded allowlist of trusted hosts. Finally, it resolves the hostname to its IP addresses and rejects private and loopback ranges, to prevent DNS rebinding attacks that attempt to bypass hostname-based checks.

SECURE CODE
using System.Net;
using Microsoft.AspNetCore.Mvc;
// System, System.Linq, System.Net.Http, System.Threading.Tasks and Microsoft.AspNetCore.Http
// come from the Web SDK implicit usings.

// Injected through the controller constructor; register it with builder.Services.AddHttpClient().
private readonly IHttpClientFactory _httpClientFactory;

private static readonly string[] AllowedDomains = { "api.trusted.com", "images.cdn.io" };

[HttpGet("proxy-secure")]
public async Task<IActionResult> ProxySecure(string targetUrl)
{
    if (!Uri.TryCreate(targetUrl, UriKind.Absolute, out var uri))
        return BadRequest("Invalid URL");

    // 1. Enforce HTTPS only
    if (uri.Scheme != Uri.UriSchemeHttps)
        return BadRequest("Insecure scheme");

    // 2. Strict Host Allowlist (exact, case-insensitive match; no prefix or suffix matching)
    if (!AllowedDomains.Contains(uri.Host, StringComparer.OrdinalIgnoreCase))
        // Forbid() takes authentication scheme names, not a message, so build the 403 explicitly.
        return StatusCode(StatusCodes.Status403Forbidden, "Domain not authorized");

    // 3. DNS Resolution check (Prevent DNS Rebinding/Private IPs)
    var ips = await Dns.GetHostAddressesAsync(uri.Host);
    foreach (var ip in ips)
    {
        if (IsInternalAddress(ip))
            return BadRequest("Internal IP detected");
    }

    var client = _httpClientFactory.CreateClient();
    var response = await client.GetAsync(uri);
    return Ok(await response.Content.ReadAsStringAsync());
}

// Loopback, link-local (169.254.0.0/16, which includes the cloud metadata address),
// all three RFC 1918 ranges and the IPv6 equivalents. A string-prefix test on ip.ToString()
// misses 172.16.0.0/12, 169.254.0.0/16 and IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1.
private static bool IsInternalAddress(IPAddress ip)
{
    if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
    if (IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal || ip.IsIPv6UniqueLocal) return true;
    if (ip.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return false;
    var b = ip.GetAddressBytes();
    return b[0] == 10 || (b[0] == 169 && b[1] == 254) || (b[0] == 172 && (b[1] & 0xF0) == 16) || (b[0] == 192 && b[1] == 168);
}
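Two gaps remain between the checks above and the bytes on the wire: HttpClient follows redirects by default, so an allowlisted host can answer with a 302 to an internal address after the checks have passed, and the DNS answer inspected in step 3 is not necessarily the one the socket uses a moment later (the rebinding window the article mentions). The following is an added example, not GuardAPI's code; SsrfSafeHttp and its members are hypothetical names. It uses SocketsHttpHandler.ConnectCallback to connect only to the addresses it has just validated and disables automatic redirects, so the proxy returns the 3xx to its caller instead of following it.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;

// Hypothetical helper, not the article's code: the address that was checked is the one the socket connects to.
public static class SsrfSafeHttp
{
    // True for loopback, unspecified, 0.0.0.0/8, link-local (169.254.0.0/16, fe80::/10),
    // RFC 1918, CGNAT (100.64.0.0/10) and IPv6 ULA (fc00::/7).
    public static bool IsInternalAddress(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // ::ffff:10.0.0.1 is still 10.0.0.1
        if (IPAddress.IsLoopback(ip) || ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any)) return true;
        if (ip.AddressFamily == AddressFamily.InterNetworkV6) return ip.IsIPv6LinkLocal || ip.IsIPv6UniqueLocal;
        var b = ip.GetAddressBytes();
        return b[0] == 0 || b[0] == 10
            || (b[0] == 100 && (b[1] & 0xC0) == 64)
            || (b[0] == 169 && b[1] == 254)
            || (b[0] == 172 && (b[1] & 0xF0) == 16)
            || (b[0] == 192 && b[1] == 168);
    }

    // HttpClient whose every outbound connection is re-validated and which never follows redirects.
    public static HttpClient Create()
    {
        var handler = new SocketsHttpHandler
        {
            // A 302 from an allowlisted host to http://169.254.169.254/ would otherwise be
            // followed automatically, after the caller's checks have already passed.
            AllowAutoRedirect = false,
            ConnectCallback = async (ctx, ct) =>
            {
                var host = ctx.DnsEndPoint.Host;
                var addresses = await Dns.GetHostAddressesAsync(host, ct);
                foreach (var a in addresses)
                    if (IsInternalAddress(a))
                        throw new HttpRequestException($"Refusing connection to internal address {a} for {host}");
                var socket = new Socket(SocketType.Stream, ProtocolType.Tcp) { NoDelay = true };
                try
                {   // connect to the addresses just validated, not to a fresh lookup
                    await socket.ConnectAsync(addresses, ctx.DnsEndPoint.Port, ct);
                    return new NetworkStream(socket, ownsSocket: true);
                }
                catch { socket.Dispose(); throw; }
            }
        };
        return new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(10) };
    }
}
```

Register it once (for example as a named client via AddHttpClient with ConfigurePrimaryHttpMessageHandler) and keep the allowlist check in the controller; the callback is the last line of defence, not a replacement for it.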


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.