GuardAPI

Fix SSRF (Server Side Request Forgery) in LoopBack

SSRF in LoopBack 4 occurs when user-supplied URLs are passed to internal HTTP clients without strict validation. This allows attackers to pivot into the internal network, hit cloud metadata services (169.254.169.254), or bypass firewalls. If your controller fetches remote content, you must treat the URL as hostile and validate both the destination and the resolved IP.

The Vulnerable Pattern

import {get, param} from '@loopback/rest';
import axios from 'axios';

export class ProxyController {
  @get('/fetch-external')
  async proxy(@param.query.string('url') url: string): Promise<unknown> {
    // VULNERABLE: Direct use of user input in HTTP request
    const response = await axios.get(url);
    return response.data;
  }
}

The Secure Implementation

The secure implementation applies defense in depth. First, it parses the input with the 'URL' constructor, so the checks run against the normalized scheme and hostname the HTTP client will actually use rather than against the raw string; userinfo and case tricks such as https://trusted-api.com@evil.example or HTTPS://TRUSTED-API.COM parse to the real target. Second, it enforces 'https:' so every other scheme (file://, gopher://, plain http://) is rejected outright. Third, it uses a strict hostname allowlist. Finally, it disables redirects and sets a tight timeout: without maxRedirects: 0 an allowlisted host that answers with a 302 to http://169.254.169.254/ would be followed by the client, and the timeout bounds how long an upstream can hold the request open. What this does not cover is DNS rebinding, a time-of-check-to-time-of-use (TOCTOU) problem in which the attacker's nameserver answers with a public IP while you validate and with an internal IP when the socket actually connects; neither the redirect setting nor the timeout addresses it. For high-security environments, resolve the hostname once, verify that every returned address is outside private and reserved ranges (loopback, link-local including 169.254.169.254, RFC 1918, unique-local and IPv4-mapped IPv6), and then connect to that validated address instead of letting the client resolve the name a second time.

import {get, param, HttpErrors} from '@loopback/rest';
import axios from 'axios';
import {URL} from 'url';

export class ProxyController {
  private allowedHosts = ['trusted-api.com', 'images.partner.io'];

  @get('/fetch-external')
  async proxy(@param.query.string('url') url: string): Promise<unknown> {
    let parsedUrl: URL;
    try {
      parsedUrl = new URL(url);
    } catch {
      // new URL() throws on malformed input; that is a client error, not a 500
      throw new HttpErrors.BadRequest('Malformed URL');
    }

    // 1. Protocol Enforcement
    if (parsedUrl.protocol !== 'https:') {
      throw new HttpErrors.BadRequest('Only HTTPS allowed');
    }

    // 2. Domain Allowlisting (URL lower-cases the hostname and puts
    //    https://trusted-api.com@evil.example's real host, evil.example,
    //    in .hostname, so an exact match against the allowlist is enough)
    if (!this.allowedHosts.includes(parsedUrl.hostname)) {
      throw new HttpErrors.Forbidden('Target domain not permitted');
    }

    // 3. Request with timeout and no redirects to prevent bypasses.
    //    Only the upstream call is inside the try: wrapping the validation
    //    above as well would turn every 400/403 into a 500.
    try {
      const response = await axios.get(parsedUrl.href, {
        timeout: 3000,
        maxRedirects: 0,
        validateStatus: (status) => status === 200,
      });
      return response.data;
    } catch (err) {
      // Do not leak upstream error details to the caller
      throw new HttpErrors.BadGateway('Upstream request failed');
    }
  }
}
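The resolve-once-then-pin step recommended above, as an added example written for this page (it is not GuardAPI's or LoopBack's code). It assumes Node 18 or later and axios 1.x; the blocked ranges are the standard private/reserved blocks, and the hostname trusted-api.com and addresses such as 203.0.113.10 and 10.0.0.1 used in the comments are constructed. The pinning relies on the `lookup` option Node's socket.connect accepts, which https.Agent passes through, so the TLS servername and Host header stay the original hostname while the socket goes only to the address that was checked.

```typescript
import * as https from 'https';
import {isIP} from 'net';
import {promises as dns} from 'dns';

// IPv4 ranges a server-side fetcher must never reach: "this" network, RFC 1918,
// CGNAT, loopback, link-local (contains the cloud metadata IP 169.254.169.254),
// multicast and the reserved/broadcast block. Trim or extend to match your network.
const BLOCKED_IPV4: Array<[string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function ipv4ToInt(ip: string): number {
  // >>> 0 keeps the accumulator an unsigned 32-bit value
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inIpv4Cidr(ip: string, network: string, prefix: number): boolean {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Expand an IPv6 literal into eight 16-bit groups; null if malformed.
// Handles "::" compression and an embedded IPv4 tail such as ::ffff:10.0.0.1.
function expandIpv6(ip: string): number[] | null {
  let text = ip;
  const v4Tail = text.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (v4Tail) {
    if (isIP(v4Tail[1]) !== 4) return null;
    const n = ipv4ToInt(v4Tail[1]);
    text = text.slice(0, -v4Tail[1].length) + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail].map((g) => parseInt(g, 16));
  return groups.some((g) => Number.isNaN(g) || g < 0 || g > 0xffff) ? null : groups;
}

// True when the address must not be contacted. Fails closed: anything that is not
// a parseable IP literal is treated as forbidden. Pass bare addresses (no [] brackets).
function isForbiddenAddress(address: string): boolean {
  const version = isIP(address);
  if (version === 4) return BLOCKED_IPV4.some(([network, prefix]) => inIpv4Cidr(address, network, prefix));
  if (version === 6) {
    const g = expandIpv6(address);
    if (!g) return true;
    const v4Mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
    if (v4Mapped) {
      // ::ffff:10.0.0.1 is still 10.0.0.1 once the socket is opened
      return isForbiddenAddress([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.'));
    }
    const zeroOrLoopback = g.slice(0, 7).every((x) => x === 0) && g[7] <= 1; // :: and ::1
    const linkLocal = (g[0] & 0xffc0) === 0xfe80;                              // fe80::/10
    const uniqueLocal = (g[0] & 0xfe00) === 0xfc00;                            // fc00::/7
    const multicast = (g[0] & 0xff00) === 0xff00;                              // ff00::/8
    return zeroOrLoopback || linkLocal || uniqueLocal || multicast;
  }
  return true;
}

interface Resolved { address: string; family: number }

// Choose the address to connect to from the records dns.lookup(host, {all: true})
// returned. Every record must be safe: the client may pick any of them, and an
// attacker controls what a name they own resolves to.
function selectPinnedAddress(host: string, records: Resolved[]): Resolved {
  if (records.length === 0) throw new Error(`${host} did not resolve`);
  const bad = records.find((r) => isForbiddenAddress(r.address));
  if (bad) throw new Error(`${host} resolves to blocked address ${bad.address}`);
  return records[0];
}

// The lookup hook for https.Agent: the resolver is never consulted again, so a
// rebinding between validation and connect cannot change the destination, and any
// other hostname (a redirect target, a shared agent reused elsewhere) is refused.
// Node 20+ may call lookup with {all: true} (autoSelectFamily); both shapes are handled.
function makePinnedLookup(host: string, pinned: Resolved) {
  return (hostname: string, options: {all?: boolean} | undefined, callback: (...args: any[]) => void): void => {
    if (hostname !== host) {
      process.nextTick(callback, new Error(`refusing to resolve ${hostname}: only ${host} was validated`));
    } else if (options && options.all) {
      process.nextTick(callback, null, [{address: pinned.address, family: pinned.family}]);
    } else {
      process.nextTick(callback, null, pinned.address, pinned.family);
    }
  };
}

function makePinnedAgent(host: string, pinned: Resolved): https.Agent {
  return new https.Agent({lookup: makePinnedLookup(host, pinned), keepAlive: false});
}

// Full flow for the controller: resolve once, check every address, pin. An IP literal
// in the URL skips DNS entirely inside Node, but dns.lookup returns it unchanged, so
// the same check covers https://10.0.0.1/. This touches the network and is not exercised offline.
async function pinnedAgentFor(parsedUrl: URL): Promise<https.Agent> {
  const host = parsedUrl.hostname.replace(/^\[|\]$/g, '');
  const records = await dns.lookup(host, {all: true});
  return makePinnedAgent(host, selectPinnedAddress(host, records));
}
```

In the controller, after the scheme and allowlist checks, call `const httpsAgent = await pinnedAgentFor(parsedUrl)` and pass `{httpsAgent, maxRedirects: 0, timeout: 3000}` to axios.get; create the agent per request rather than sharing one, since it is bound to a single validated host and address.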


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.