GuardAPI

Fix SSRF (Server Side Request Forgery) in FuelPHP

Server-Side Request Forgery (SSRF) in FuelPHP occurs when the application fetches a remote resource from a user-supplied URL without strict validation. An attacker who controls that URL can make your server scan internal networks, read cloud instance metadata (the 169.254.169.254 endpoint on AWS and GCP), or reach services that a firewall hides from the outside. If your application makes outbound requests from user-controlled URLs, whether through an Http helper class or FuelPHP's Request class with the curl driver, treat every outbound destination as untrusted until it has passed an allowlist check.

The Vulnerable Pattern

public function action_fetch_proxy()
{
    $target_url = \Input::post('url');
    // VULNERABLE: the user-supplied URL goes straight to the HTTP client.
    // Nothing checks the scheme (file://, gopher://), the host (127.0.0.1,
    // 169.254.169.254, internal hostnames) or where a redirect leads.
    // \Http is assumed to be an application helper; FuelPHP core has no Http class.
    $response = \Http::get($target_url)->execute();
    return \Response::forge($response->body());
}

The Secure Implementation

The secure implementation enforces three layers of defense. First, it validates the URI scheme so that only http and https are accepted, blocking file://, gopher:// and similar protocols. Second, it compares the hostname against an exact allowlist of known-good endpoints. Third, it resolves the hostname and checks every returned address with PHP's FILTER_VALIDATE_IP and the private/reserved-range flags, which reject loopback, RFC 1918 space and the 169.254.0.0/16 link-local block used by the AWS and GCP metadata services. The third layer catches an allowlisted name that, through misconfiguration or compromise, points at an internal address. Two caveats apply. gethostbyname() returns only one IPv4 address and returns the input unchanged on failure, so use gethostbynamel() and fail explicitly when resolution fails. More importantly, the HTTP client performs its own lookup after the check, so resolve-then-check on its own does not stop DNS rebinding: an attacker-controlled name can answer with a public address during validation and with 127.0.0.1 a moment later. To close that gap, pin the validated address for the connection (curl's CURLOPT_RESOLVE) and disable redirect following, or re-validate every redirect target.

public function action_fetch_proxy()
{
    // \Http and \HttpInvalidInputException are assumed to be application-defined;
    // neither is a FuelPHP core class.
    $target_url = \Input::post('url');
    $allowed_domains = ['api.trusted-partner.com', 'cdn.myapp.com'];

    // Layer 1: only http/https. Test isset() first: a scheme-less string has
    // no 'scheme' key, and reading it directly raises a notice.
    $parts = parse_url($target_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new \HttpInvalidInputException('Invalid protocol');
    }

    // Layer 2: exact, case-insensitive hostname allowlist with strict comparison
    // (no substring or suffix matching).
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_domains, true)) {
        throw new \HttpInvalidInputException('Domain not authorized');
    }

    // Layer 3: resolve all A records and reject any private or reserved address.
    // gethostbynamel() returns false on failure instead of echoing the name back.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        throw new \HttpInvalidInputException('Hostname does not resolve');
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new \HttpInvalidInputException('Internal network access prohibited');
        }
    }

    // The client below resolves the name again, so there is still a check-then-use
    // gap against DNS rebinding; pin the validated IP in the client or disable redirects.
    $response = \Http::get($target_url)->execute();
    return \Response::forge($response->body());
}
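The following is an added, stand-alone PHP example (not GuardAPI's or FuelPHP's own code) that implements the three layers above and goes one step further than the controller: it pins the validated address into curl with CURLOPT_RESOLVE and disables redirects, which is what actually closes the DNS-rebinding and redirect gaps the text mentions. The function names ssrf_validate_url and ssrf_fetch_pinned, the allowlist entries and the probe URLs are assumptions; the probe list is constructed to exercise each rejection path, and only the first probe needs DNS to get past validation.

```php
<?php
// Added example, not from the original page. Helper names and hosts are assumed.

/**
 * Validate a user-supplied URL against scheme, host allowlist, port and resolved
 * address. Returns the normalised target including the IP to connect to, or
 * throws InvalidArgumentException. Fails closed on anything unexpected.
 */
function ssrf_validate_url(string $url, array $allowed_hosts): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Scheme not allowed: ' . $scheme);
    }
    if (empty($parts['host'])) {
        throw new InvalidArgumentException('URL has no host');
    }
    // An allowlist of names should only ever match names: reject IPv4/IPv6 literals,
    // which also defeats the userinfo trick http://allowed.host@127.0.0.1/.
    $host = strtolower(rtrim($parts['host'], '.'));
    if ($host[0] === '[' || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        throw new InvalidArgumentException('IP literal hosts are not allowed');
    }
    if (!in_array($host, $allowed_hosts, true)) {
        throw new InvalidArgumentException('Host not in allowlist: ' . $host);
    }
    // Pin the port too: an allowlisted host on an arbitrary port is still a probe.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException('Port not allowed: ' . $port);
    }
    // gethostbynamel() returns every A record (IPv4 only) or false on failure.
    // Every address must be public, not just the first one.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        throw new InvalidArgumentException('Cannot resolve ' . $host);
    }
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("$host resolves to non-public address $ip");
        }
    }
    return ['scheme' => $scheme, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

/**
 * Fetch the URL with the validated address pinned. CURLOPT_RESOLVE makes curl
 * connect to that IP while still sending the hostname for SNI and certificate
 * checks, so a second DNS answer cannot redirect the connection (DNS rebinding).
 * Redirects are disabled so a 302 cannot point the request at an internal target.
 */
function ssrf_fetch_pinned(string $url, array $allowed_hosts): string
{
    $t  = ssrf_validate_url($url, $allowed_hosts);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Constructed probe inputs (assumed hosts). All but the first are rejected
// before any network I/O happens; the first is rejected too if DNS is unavailable.
$allowed = ['api.trusted-partner.com', 'cdn.myapp.com'];
$probes  = [
    'https://api.trusted-partner.com/v1/report',
    'file:///etc/passwd',                           // scheme
    'http://169.254.169.254/latest/meta-data/',     // IP literal (metadata service)
    'http://api.trusted-partner.com@127.0.0.1/',    // userinfo trick, real host is 127.0.0.1
    'http://API.Trusted-Partner.com:8080/',         // allowed host, unexpected port
    'http://[::1]/',                                // IPv6 loopback literal
];
foreach ($probes as $p) {
    try {
        $t = ssrf_validate_url($p, $allowed);
        echo "ALLOW  $p -> {$t['ip']}\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $p: {$e->getMessage()}\n";
    }
}
```

Because gethostbynamel() only returns IPv4 records, pinning to the first A record forces an IPv4 connection; if an allowlisted endpoint is IPv6-only, resolve AAAA records as well (for example with dns_get_record()) and apply the same range check to each address before pinning. If the application must follow redirects, leave CURLOPT_FOLLOWLOCATION off and instead read the Location header, run ssrf_validate_url on it, and issue a fresh pinned request.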


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.