GuardAPI
Automated Security Protocol

How to fix SSRF (Server Side Request Forgery) in ServiceStack

Executive Summary

SSRF in ServiceStack occurs when an endpoint accepts user-supplied URLs to fetch external resources via ServiceStack's built-in HTTP utilities (like JsonServiceClient or extension methods). Without strict validation, an attacker can pivot through the server to hit internal metadata services (AWS/GCP/Azure IMDS), internal APIs, or perform port scanning on the local network. Stop trusting the 'TargetUrl' parameter; it's a weapon in the wrong hands.

The Vulnerable Pattern

VULNERABLE CODE
using ServiceStack;

[Route("/proxy")]
public class ProxyRequest : IReturn {
    public string TargetUrl { get; set; }
}

public class ProxyService : Service {
    public object Any(ProxyRequest request) {
        // CRITICAL VULNERABILITY: Direct use of user-controlled URL
        // Attacker can pass 'http://169.254.169.254/latest/meta-data/'
        return request.TargetUrl.GetJsonFromUrl();
    }
}

The Secure Implementation

The fix implements a 'Default Deny' stance. First, we parse the input into a System.Uri object to prevent basic obfuscation bypasses. We enforce 'HTTPS' to prevent protocol smuggling (like gopher:// or file://). The core defense is the Host Allow-list; only pre-approved domains are permitted. For high-security environments, you should also perform a DNS lookup on the host and verify the resulting IP address is not a loopback (127.0.0.1) or private range (10.0.0.0/8, etc.) to prevent DNS Rebinding attacks and internal network pivoting.

SECURE CODE
using System;
using System.Collections.Generic;
using ServiceStack;

[Route("/proxy")]
public class ProxyRequest : IReturn {
    public string TargetUrl { get; set; }
}

public class ProxyService : Service {
    // Default deny: only hosts listed here may ever be fetched.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
            "api.trusted-partner.com",
            "images.our-cdn.io"
        };

    public object Any(ProxyRequest request) {
        if (!Uri.TryCreate(request.TargetUrl, UriKind.Absolute, out var uri)) {
            throw HttpError.BadRequest("Invalid URL format.");
        }

        // 1. Enforce HTTPS
        if (uri.Scheme != Uri.UriSchemeHttps) {
            throw HttpError.BadRequest("Only HTTPS is permitted.");
        }

        // 2. Strict Host Allow-listing (compare the parsed host, not the raw string)
        if (!AllowedHosts.Contains(uri.Host)) {
            throw HttpError.Forbidden($"Host {uri.Host} is not authorized.");
        }

        // 3. DNS Rebinding and Internal IP Protection
        // In production, resolve the IP and verify it is not in RFC1918/Private ranges

        return uri.ToString().GetJsonFromUrl();
    }
}
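The resolve-and-verify step that the secure code leaves as a comment (step 3), as an added example that is not part of the GuardAPI page or of ServiceStack itself; the class and method names SsrfGuard, IsDisallowed and ResolveAndCheckAsync are assumptions, and the ranges it rejects are the loopback, link-local (including the 169.254.169.254 metadata address) and RFC 1918 ranges described above plus their IPv6 and IPv4-mapped equivalents.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;

// Added example, not from the page or from ServiceStack. Call
// SsrfGuard.ResolveAndCheckAsync(uri) after the allow-list check and before the fetch.
public static class SsrfGuard
{
    // True if a user-supplied URL must never be allowed to reach this address.
    public static bool IsDisallowed(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();        // ::ffff:10.0.0.1 -> 10.0.0.1
        if (IPAddress.IsLoopback(ip)) return true;             // 127.0.0.0/8, ::1

        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
        {
            byte first = ip.GetAddressBytes()[0];
            return ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.IsIPv6Multicast
                || (first & 0xFE) == 0xFC                      // fc00::/7 unique local
                || ip.Equals(IPAddress.IPv6Any);               // ::
        }

        byte[] b = ip.GetAddressBytes();
        return b[0] == 10                                      // 10.0.0.0/8
            || (b[0] == 172 && (b[1] & 0xF0) == 16)            // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                    // 192.168.0.0/16
            || (b[0] == 169 && b[1] == 254)                    // 169.254.0.0/16 incl. cloud IMDS
            || (b[0] == 100 && (b[1] & 0xC0) == 64)            // 100.64.0.0/10 shared address space
            || b[0] == 0 || b[0] >= 224;                       // 0.0.0.0/8, multicast, reserved
    }

    // Resolves the host (a literal IP resolves to itself) and rejects the request if
    // ANY returned address is internal, so a name that mixes public and private answers
    // cannot slip through. The checked address is returned so the caller can connect
    // to exactly that IP; re-resolving the name at fetch time would reopen the
    // DNS rebinding window the check is meant to close.
    public static async Task<IPAddress> ResolveAndCheckAsync(Uri uri)
    {
        IPAddress[] addrs = await Dns.GetHostAddressesAsync(uri.DnsSafeHost);
        if (addrs.Length == 0)
            throw new InvalidOperationException($"Host {uri.Host} did not resolve.");

        IPAddress bad = addrs.FirstOrDefault(IsDisallowed);
        if (bad != null)
            throw new UnauthorizedAccessException($"Host {uri.Host} resolves to internal address {bad}.");

        return addrs[0];
    }
}
```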


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.