Fix SSRF (Server Side Request Forgery) in Iris

SSRF (Server-Side Request Forgery) in Iris-based applications occurs when an attacker can control the destination of an outbound request initiated by the server. This allows for internal port scanning, cloud metadata exfiltration (AWS/GCP), and bypassing network firewalls. A 'Senior AppSec' approach requires moving beyond basic URL parsing to implementing strict egress controls and IP-level validation.

The Vulnerable Pattern

package main

import (
	"io"
	"net/http"

	"github.com/kataras/iris/v12"
)

func main() {
	app := iris.New()
	// VULNERABLE: Directly fetching a user-supplied URL
	app.Get("/proxy", func(ctx iris.Context) {
		targetURL := ctx.URLParam("url")
		resp, err := http.Get(targetURL)
		if err != nil {
			ctx.StopWithStatus(iris.StatusInternalServerError)
			return
		}
		defer resp.Body.Close()
		io.Copy(ctx.ResponseWriter(), resp.Body)
	})
	app.Listen(":8080")
}

The Secure Implementation

Fixing SSRF requires a multi-layered defense:

1. Scheme Validation: Only allow HTTPS to prevent protocol smuggling (gopher://, file://).
2. Domain Whitelisting: If possible, only allow requests to known-good domains.
3. DNS/IP Resolution: Resolve the hostname and check the IP against private ranges (RFC 1918, Loopback, Link-Local). This prevents attackers from hitting 127.0.0.1 or 169.254.169.254.
4. Custom Dialers: Use a custom net.Dialer with a Control function so the check runs on the address that is actually being connected to. This prevents TOCTOU (Time-of-Check to Time-of-Use) race conditions, where the hostname validated in step 3 resolves to a different address when the HTTP client performs its own DNS lookup.

package main

import (
	"errors"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"

	"github.com/kataras/iris/v12"
)

// isSafe resolves host and rejects it if any returned address is loopback,
// private (RFC 1918 / fc00::/7), link-local (including 169.254.169.254) or unspecified.
func isSafe(host string) error {
	addrs, err := net.LookupIP(host)
	if err != nil {
		return err
	}
	for _, addr := range addrs {
		if addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsUnspecified() {
			return errors.New("forbidden destination")
		}
	}
	return nil
}

func main() {
	app := iris.New()
	client := &http.Client{Timeout: 5 * time.Second}

	app.Get("/proxy", func(ctx iris.Context) {
		// Parse the URL rather than splitting on "/": url.Parse handles ports,
		// userinfo and IPv6 literals, and a malformed value cannot panic the handler.
		target, err := url.Parse(ctx.URLParam("url"))
		if err != nil || target.Scheme != "https" || target.Hostname() == "" {
			ctx.StopWithStatus(iris.StatusBadRequest)
			return
		}
		// Validate DNS and IP range
		if err := isSafe(target.Hostname()); err != nil {
			ctx.StopWithStatus(iris.StatusForbidden)
			return
		}
		// Implementation should ideally use a custom DialContext for full protection:
		// the lookup above and the connection below are separate DNS resolutions (TOCTOU).
		resp, err := client.Get(target.String())
		if err != nil {
			ctx.StopWithError(iris.StatusInternalServerError, err)
			return
		}
		defer resp.Body.Close()
		// resp.Body is an io.ReadCloser, not the io.ReadSeeker that ServeContent
		// requires, so stream it to the client directly.
		ctx.Header("Content-Type", resp.Header.Get("Content-Type"))
		io.Copy(ctx.ResponseWriter(), resp.Body)
	})
	app.Listen(":8080")
}
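The custom dialer that step 4 calls for, as an added example written for this page rather than code from GuardAPI or the Iris project. It assumes a Go 1.18+ toolchain (for net/netip); the names checkAddrPort, newEgressClient and ErrForbidden are ours. Because the check runs inside net.Dialer.Control, it sees the literal IP the client is about to connect to, which closes the gap between the pre-request lookup and the request's own resolution; it also goes slightly beyond the text by holding redirects to HTTPS and capping their number.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// ErrForbidden is returned when the dialer refuses an internal destination.
var ErrForbidden = errors.New("ssrf guard: forbidden destination")

// checkAddrPort inspects the literal "ip:port" the dialer is about to connect to.
// It runs after DNS resolution, so a hostname that resolves (or later re-resolves)
// to an internal address is rejected regardless of any earlier lookup.
func checkAddrPort(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return err
	}
	ip := ap.Addr().Unmap() // treat ::ffff:10.0.0.1 the same as 10.0.0.1
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return ErrForbidden
	}
	return nil
}

// newEgressClient returns an http.Client that enforces checkAddrPort at connect
// time and limits redirects to a few HTTPS hops (each hop is dialed and checked too).
func newEgressClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			return checkAddrPort(address)
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 || req.URL.Scheme != "https" {
				return ErrForbidden
			}
			return nil
		},
	}
}
```

In the handler above, `client.Get(target.String())` would use `newEgressClient()` instead of a plain `http.Client`, and the pre-request `isSafe` lookup becomes an optional early rejection rather than the only line of defense.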

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.