Security: add ignoreXForwardedHost option to block SSRF attacks #241

nico014 · 2024-01-22T15:48:59Z

This option is a workaround to block potential SSRF attacks on Prerender servers until Prerender has found a way to address the vulnerability themselves. (It's been over 3 months at the time of writing.)

If you run this request on a Prerender-enabled server:

GET /get HTTP/1.1
User-Agent: TelegramBot
x-forwarded-host: httpbin.org

..you will see the response from httpbin.org, which in this case returns details about the request and its origins.

This means that one can have the Prerender server perform requests to outside hosts, even if they have nothing to do with the website that Prerender is enabled for. There is a name for this: Server Side Request Forgery.

This PR adds an option to ignore the x-forwarded-host header, which contains the "payload", if any.
BEWARE: the x-forwarded-host header might actually be needed in some situations (reverse proxy). I have added notes about this in the README file.

This option ignores any `x-forwarded-host` headers, which can be used to block SSRF attacks

Nico Kempe added 4 commits December 22, 2023 14:54

Added ignoreXForwardedHost option

9dc32aa

This option ignores any `x-forwarded-host` headers, which can be used to block SSRF attacks

bump version to 3.8.0

c06161c

Update README spacing

b40fda9

Reset package url

861f52b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: add ignoreXForwardedHost option to block SSRF attacks #241

Security: add ignoreXForwardedHost option to block SSRF attacks #241

nico014 commented Jan 22, 2024

Security: add ignoreXForwardedHost option to block SSRF attacks #241

Are you sure you want to change the base?

Security: add ignoreXForwardedHost option to block SSRF attacks #241

Conversation

nico014 commented Jan 22, 2024