GuardAPI
Automated Security Protocol

How to fix SSRF (Server Side Request Forgery) in NancyFX

Executive Summary

SSRF in NancyFX occurs when an endpoint accepts a user-supplied URL and fetches the remote resource without strict validation. In a cloud environment this is a critical vulnerability: an attacker can read instance metadata (IMDS) credentials or pivot into internal microservices that are unreachable from the Internet. If you're blindly passing request strings to HttpClient inside a NancyModule, you should assume the endpoint is exploitable.

The Vulnerable Pattern

VULNERABLE CODE
using Nancy;

public class ProxyModule : NancyModule {
    public ProxyModule() {
        Get["/fetch"] = _ => {
            // Raw query-string value, used as-is as the destination.
            string targetUrl = this.Request.Query["url"];
            using (var client = new System.Net.Http.HttpClient()) {
                // VULNERABLE: No validation on the URL.
                // Attacker can pass http://169.254.169.254/latest/meta-data/
                var content = client.GetStringAsync(targetUrl).Result;
                return content;
            }
        };
    }
}

The Secure Implementation

To mitigate SSRF, implement a 'Deny by Default' strategy. First, parse the input with Uri.TryCreate to ensure it is a valid absolute URI. Second, restrict schemes to HTTP/HTTPS to prevent use of file://, gopher://, or dict:// protocols. Third, use a strict allowlist of domains rather than a denylist of internal IPs. For advanced protection, implement a custom HttpMessageHandler that resolves the hostname and aborts the request if the resulting IP address belongs to a private range (e.g., 10.0.0.0/8, 127.0.0.1, or 169.254.169.254), effectively neutralizing DNS rebinding attacks.

SECURE CODE
using System;
using System.Collections.Generic;
using System.Net.Http;
using Nancy;

public class SecureModule : NancyModule {
    // Allowlist of hosts this endpoint may fetch from; host names are case-insensitive.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "api.trusted.com", "cdn.assets.io" };

    public SecureModule() {
        Get["/fetch"] = _ => {
            string urlParam = this.Request.Query["url"];
            if (!Uri.TryCreate(urlParam, UriKind.Absolute, out var uri)) return 400;

            // 1. Protocol Enforcement
            if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return 400;

            // 2. Strict Host Allowlisting
            if (!AllowedHosts.Contains(uri.Host)) return 403;

            // 3. DNS Rebinding Protection (Example: Ensure IP is not internal)
            // In production, use a custom HttpMessageHandler to validate IP after DNS resolution
            using (var client = new HttpClient()) {
                return client.GetStringAsync(uri).Result;
            }
        };
    }
}
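The third step above is left as a comment in the secure module. The following is an added example of such a handler, written for this page and not part of GuardAPI's or Nancy's code: a DelegatingHandler that resolves the destination before the request leaves the process and rejects any loopback, private, link-local (including 169.254.169.254), CGNAT, multicast or unique-local address. The class name SsrfGuardHandler, the IsPublicAddress helper and the CreateClient factory are this example's own names; it assumes the System.Net.Http and System.Net APIs available from .NET Framework 4.6 / .NET Standard 2.0 onward.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical guard handler (example code, not a Nancy or HttpClient built-in).
public sealed class SsrfGuardHandler : DelegatingHandler
{
    public SsrfGuardHandler(HttpMessageHandler inner) : base(inner) { }

    // Builds an HttpClient whose every request passes through the guard.
    public static HttpClient CreateClient()
    {
        // Redirects are followed inside HttpClientHandler, below this guard, so a
        // 302 to an internal host would bypass the check unless they are disabled.
        var inner = new HttpClientHandler { AllowAutoRedirect = false };
        return new HttpClient(new SsrfGuardHandler(inner));
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var uri = request.RequestUri;
        if (uri == null || !uri.IsAbsoluteUri)
            throw new HttpRequestException("Absolute URI required.");
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new HttpRequestException("Only http and https are allowed.");

        // Literal IPs are checked directly; names are resolved and every returned
        // address is checked, so one internal record among public ones is enough to reject.
        IPAddress[] addresses;
        if (uri.HostNameType == UriHostNameType.IPv4 || uri.HostNameType == UriHostNameType.IPv6)
            addresses = new[] { IPAddress.Parse(uri.DnsSafeHost) };
        else
            addresses = await Dns.GetHostAddressesAsync(uri.DnsSafeHost).ConfigureAwait(false);

        if (addresses.Length == 0)
            throw new HttpRequestException($"Host {uri.Host} did not resolve.");

        foreach (var ip in addresses)
        {
            if (!IsPublicAddress(ip))
                throw new HttpRequestException(
                    $"Refusing to connect to non-public address {ip} for host {uri.Host}.");
        }

        return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
    }

    // Returns false for loopback, RFC 1918, link-local (the IMDS range), CGNAT,
    // unspecified, multicast/reserved and IPv6 unique-local addresses. IPv4-mapped
    // IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so they cannot hide an IPv4 range.
    public static bool IsPublicAddress(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();

        if (IPAddress.IsLoopback(ip) || ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any))
            return false;

        if (ip.AddressFamily == AddressFamily.InterNetwork)
        {
            byte[] b = ip.GetAddressBytes();
            if (b[0] == 10) return false;                               // 10.0.0.0/8
            if (b[0] == 172 && b[1] >= 16 && b[1] <= 31) return false;  // 172.16.0.0/12
            if (b[0] == 192 && b[1] == 168) return false;               // 192.168.0.0/16
            if (b[0] == 169 && b[1] == 254) return false;               // 169.254.0.0/16 (IMDS)
            if (b[0] == 100 && b[1] >= 64 && b[1] <= 127) return false; // 100.64.0.0/10 (CGNAT)
            if (b[0] == 0) return false;                                // 0.0.0.0/8
            if (b[0] >= 224) return false;                              // multicast / reserved
            return true;
        }

        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
        {
            if (ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.IsIPv6Multicast) return false;
            byte[] b = ip.GetAddressBytes();
            if ((b[0] & 0xFE) == 0xFC) return false;                    // fc00::/7 unique local
            return true;
        }

        return false; // unknown address family: deny by default
    }
}
```

In the module, replace `new HttpClient()` with `SsrfGuardHandler.CreateClient()` and map the thrown HttpRequestException to a 403 rather than letting it become a 500. One caveat worth knowing: the guard validates the addresses it resolved, but the inner handler performs its own lookup when it connects, so a resolver that answers differently on the second query still has a small window. On .NET 5 and later, SocketsHttpHandler.ConnectCallback lets you open the socket to the address you validated and closes that window entirely.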

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.