
Fix SSRF (Server Side Request Forgery) in Slim

Server-Side Request Forgery (SSRF) in Slim occurs when an application accepts a user-supplied URL and fetches it without validation. In a microservices architecture, this allows an attacker to pivot from the public-facing Slim app to internal metadata services (like 169.254.169.254), local databases, or internal management consoles. If you're piping Guzzle or cURL directly to user input, you're compromised.

The Vulnerable Pattern

$app->get('/fetch-external', function ($request, $response) {
    $targetUrl = $request->getQueryParams()['url'];
    $client = new \GuzzleHttp\Client();
    // VULNERABLE: No validation on $targetUrl. Attacker can pass 'http://localhost:8080/admin'
    $res = $client->request('GET', $targetUrl);
    $response->getBody()->write($res->getBody());
    return $response;
});

The Secure Implementation

To kill SSRF, stop performing 'blacklisting' and switch to 'allowlisting'. The secure implementation does three things: First, it parses the URL and checks the host against a hardcoded list of trusted domains. Second, it enforces the HTTPS scheme to prevent protocol smuggling (like file:// or gopher://). Third, it disables redirects in the HTTP client. Without 'allow_redirects => false', an attacker could provide a legitimate-looking URL that returns a 302 redirect to an internal IP, bypassing your initial host check.

$app->get('/fetch-external', function ($request, $response) {
    $url = $request->getQueryParams()['url'] ?? '';
    $allowedHosts = ['api.partner.com', 'cdn.trusted.com'];

    $parsedUrl = parse_url($url);
    if (!$parsedUrl || !isset($parsedUrl['host'])) {
        return $response->withStatus(400);
    }

    // 1. Strict Allowlist: only these hosts may ever be fetched
    if (!in_array($parsedUrl['host'], $allowedHosts, true)) {
        return $response->withStatus(403);
    }

    // 2. Force Scheme: rejects http://, file://, gopher:// and scheme-less URLs
    //    ('scheme' may be absent from parse_url's result, hence the null coalesce)
    if (($parsedUrl['scheme'] ?? '') !== 'https') {
        return $response->withStatus(403);
    }

    $client = new \GuzzleHttp\Client([
        'timeout' => 3.0,
        'allow_redirects' => false, // 3. Prevent redirect-based SSRF
        'connect_timeout' => 2.0
    ]);

    try {
        $res = $client->request('GET', $url);
        $response->getBody()->write($res->getBody());
    } catch (\Exception $e) {
        return $response->withStatus(500);
    }
    return $response;
});
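The three checks above can be pulled into one reusable validator that also covers the URL shapes the inline version does not (embedded credentials, explicit ports, upper-case or trailing-dot hosts). This is an added example, not GuardAPI's or Slim's code; the function name, the rejection messages and the sample URLs are assumptions chosen for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Returns null when $url is safe to fetch, otherwise a short rejection reason.
 * Checks, in order: parseable with a host, https only, no userinfo,
 * host on the allowlist (case-insensitive), no port other than 443.
 */
function validateOutboundUrl(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return 'unparseable or missing host';
    }
    // Scheme first: blocks http://, file://, gopher://, dict:// and "//host" URLs.
    if (strtolower($parts['scheme'] ?? '') !== 'https') {
        return 'scheme must be https';
    }
    // "https://api.partner.com@other-host/" parses the allowed name as the
    // username, not the host; reject any embedded credentials outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL are not allowed';
    }
    // Normalise case and a trailing dot so "API.PARTNER.COM." still matches.
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return 'host not on allowlist';
    }
    // An explicit port turns an allowed host into a different service.
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return 'non-standard port';
    }
    return null;
}

// Constructed sample inputs; the allowlist mirrors the one in the article.
$allowed = ['api.partner.com', 'cdn.trusted.com'];
$samples = [
    'https://api.partner.com/v1/items',          // OK
    'https://API.PARTNER.COM./v1/items',         // OK after normalisation
    'http://api.partner.com/v1/items',           // scheme must be https
    'https://api.partner.com:8443/status',       // non-standard port
    'https://api.partner.com@169.254.169.254/',  // credentials in URL
    'file:///etc/passwd',                        // missing host
    'https://localhost:8080/admin',              // host not on allowlist
];
foreach ($samples as $url) {
    printf("%-48s %s\n", $url, validateOutboundUrl($url, $allowed) ?? 'OK');
}
```

Note that with `'allow_redirects' => false` Guzzle hands back the 3xx response itself rather than following it, so the handler should also check `$res->getStatusCode()` and refuse to write a redirect body through to the caller.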
