Fix SSRF (Server Side Request Forgery) in Phalcon
SSRF (Server-Side Request Forgery) in Phalcon applications occurs when the backend blindly trusts user-supplied URLs to fetch external resources. In a cloud environment, this is a critical vulnerability that allows attackers to hit the 169.254.169.254 metadata service, scan internal subnets, or bypass firewalls. If your controller is piping input directly into a Guzzle client or file_get_contents without strict validation, you're providing a free proxy into your internal architecture.
The Vulnerable Pattern
```php
<?php
use Phalcon\Mvc\Controller;

class ProxyController extends Controller
{
    public function fetchAction()
    {
        // DANGER: User controls the URL directly
        $targetUrl = $this->request->getPost('url');

        // No validation on scheme, host, or IP range
        $data = file_get_contents($targetUrl);
        return $this->response->setContent($data);
    }
}
```
The Secure Implementation
The fix implements a 'Defense in Depth' strategy. First, we use parse_url() to decompose the input. We strictly enforce the 'https' scheme to prevent protocol smuggling (like file:// or gopher://). Second, we implement a strict domain allowlist; never trust arbitrary user input for outbound requests. Third, we resolve the hostname to an IP and validate it against FILTER_FLAG_NO_PRIV_RANGE. This prevents DNS Rebinding attacks where a domain points to 127.0.0.1 or internal VPC space. Finally, we use cURL with a strict timeout to prevent resource exhaustion/Denial of Service via slow-loris style responses from the target.
```php
<?php
use Phalcon\Mvc\Controller;

class ProxyController extends Controller
{
    public function fetchAction()
    {
        $url = (string) $this->request->getPost('url');
        $allowedDomains = ['api.trusted.com', 'cdn.assets.io'];

        // parse_url() returns false on malformed input and omits keys it cannot find
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return $this->response->setStatusCode(400, 'Invalid URL');
        }
        // 1. Enforce HTTPS only (blocks file://, gopher://, http://); schemes are case-insensitive
        if (strtolower($parts['scheme']) !== 'https') {
            return $this->response->setStatusCode(400, 'Invalid Scheme');
        }
        // 2. Domain allowlisting: strict comparison on the case-normalised host
        $host = strtolower($parts['host']);
        if (!in_array($host, $allowedDomains, true)) {
            return $this->response->setStatusCode(403, 'Unauthorized Host');
        }
        // 3. DNS resolution & private/reserved IP check (RFC 1918, loopback, link-local).
        //    gethostbyname() returns its input unchanged on failure, which filter_var() rejects.
        $ip = gethostbyname($host);
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return $this->response->setStatusCode(403, 'Internal IP Detected');
        }
        // 4. Fetch with cURL: strict timeout, no redirects, HTTPS only, and the IP we just
        //    validated pinned via CURLOPT_RESOLVE so libcurl's own lookup cannot be rebound.
        $port = $parts['port'] ?? 443;
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 5,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
            CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        ]);
        $result = curl_exec($ch);
        curl_close($ch);
        if ($result === false) {
            return $this->response->setStatusCode(502, 'Upstream Fetch Failed');
        }
        return $this->response->setContent($result);
    }
}
```
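The four checks above are easiest to reason about when they live outside the controller and can be run against a list of inputs. The following is an added example, not code from the original article or from the Phalcon project: a standalone outbound-URL policy class that applies the same scheme, allowlist, resolution and pinning steps, and additionally handles the inputs parse_url() makes easy to get wrong (uppercase schemes, userinfo before the host, non-default ports, scheme-relative URLs, and a hostname whose records mix public and private addresses). The DNS resolver is injected so the script runs offline against constructed answers; the host names, IPs and the `OutboundUrlPolicy` / `makeDnsResolver` names are assumptions of this example.

```php
<?php
// Added example, not code from the original article or the Phalcon project.
// A standalone outbound-URL policy applying the same checks as the controller
// above. The resolver is injected so the script runs offline on constructed DNS
// answers; makeDnsResolver() shows a real one. Host names are placeholders.
declare(strict_types=1);

final class OutboundUrlPolicy
{
    private array $allowedHosts;
    private $resolver; // callable(string $host): string[] of IP addresses

    public function __construct(array $allowedHosts, callable $resolver)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
        $this->resolver = $resolver;
    }

    // Returns ['ok'=>true,'host'=>..,'ip'=>..] or ['ok'=>false,'reason'=>..].
    public function check(string $url): array
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return ['ok' => false, 'reason' => 'missing scheme or host'];
        }
        // 1. Scheme, compared case-insensitively ("HTTPS://" is still https).
        if (strtolower($parts['scheme']) !== 'https') {
            return ['ok' => false, 'reason' => 'scheme not https'];
        }
        // 2. Reject userinfo and non-default ports explicitly. parse_url() reads
        //    "api.trusted.com@evil.example" as host=evil.example; other parsers may not.
        if (isset($parts['user']) || isset($parts['pass'])) {
            return ['ok' => false, 'reason' => 'userinfo not allowed'];
        }
        if (isset($parts['port']) && $parts['port'] !== 443) {
            return ['ok' => false, 'reason' => 'non-default port'];
        }
        // 3. Exact-match allowlist on the normalised host (case, trailing dot).
        $host = strtolower(rtrim($parts['host'], '.'));
        if (!in_array($host, $this->allowedHosts, true)) {
            return ['ok' => false, 'reason' => 'host not allowlisted'];
        }
        // 4. Check EVERY resolved address: round-robin or rebinding records can mix
        //    a public IP with a private one, and gethostbyname() only shows the first.
        $ips = ($this->resolver)($host);
        if ($ips === []) {
            return ['ok' => false, 'reason' => 'host did not resolve'];
        }
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP,
                    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
                return ['ok' => false, 'reason' => "non-public address $ip"];
            }
        }
        return ['ok' => true, 'host' => $host, 'ip' => $ips[0]];
    }

    // cURL handle pinned to the validated IP so libcurl's own lookup cannot be
    // rebound elsewhere, with redirects and non-HTTPS protocols disabled.
    public function curlHandle(string $url, string $host, string $ip)
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 5,
            CURLOPT_FOLLOWLOCATION => false, // a 302 to an internal address would bypass every check
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
            CURLOPT_RESOLVE        => ["{$host}:443:{$ip}"],
        ]);
        return $ch;
    }
}

// Production resolver: all A records, empty array on failure.
function makeDnsResolver(): callable
{
    return function (string $host): array {
        $records = @dns_get_record($host, DNS_A);
        return $records ? array_column($records, 'ip') : [];
    };
}

// Constructed DNS answers (TEST-NET-3 and RFC 1918) for the offline demo.
$fakeDns = fn(string $host): array => [
    'api.trusted.com' => ['203.0.113.10'],
    'cdn.assets.io'   => ['203.0.113.20', '10.0.0.5'],
][$host] ?? [];

$policy = new OutboundUrlPolicy(['api.trusted.com', 'cdn.assets.io'], $fakeDns);
foreach ([
    'https://api.trusted.com/v1/items',       // plain allowlisted host
    'HTTPS://API.TRUSTED.COM/v1/items',       // uppercase scheme and host
    'http://api.trusted.com/v1/items',        // wrong scheme
    'file:///etc/passwd',                     // no host component
    'https://api.trusted.com@evil.example/x', // allowlisted name in userinfo
    'https://api.trusted.com:8443/x',         // non-default port
    'https://cdn.assets.io/a.js',             // one private answer among the records
    '//api.trusted.com/x',                    // scheme-relative
] as $s) {
    $r = $policy->check($s);
    printf("%-42s %s\n", $s, $r['ok'] ? "ALLOW via {$r['ip']}" : "DENY: {$r['reason']}");
}
```

Run it with `php` from the command line; it prints one ALLOW or DENY line per sample URL without touching the network. The design choice worth noting is that `check()` and `curlHandle()` are separate: the address that passed the filter is the one handed to CURLOPT_RESOLVE, so there is no second, unvalidated DNS lookup between the check and the connection.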
Verified by Ghost Labs Security Team