Microsoft AntiSSRF open-source library helps block server-side request forgery

Source: Help Net Security

Author: Anamarija Pogorelec

ONE SENTENCE SUMMARY:

Microsoft’s open-source AntiSSRF library validates untrusted URLs and outbound connections in .NET/Node.js to prevent SSRF attacks.

AntiSSRF is an open-source Microsoft library designed to reduce SSRF risk.
It validates URLs and network connections before outbound requests are made.
Supports both .NET and Node.js applications as a drop-in component.
Distributed under the permissive MIT license and hosted on GitHub.
SSRF lets attackers coerce servers into requesting arbitrary internal or external endpoints.
Impacts include internal service exposure, sensitive data leakage, disruption, and remote code execution.
Vulnerabilities often start from unvalidated customer-supplied strings used to build URLs.
Treats all incoming HTTP request data as untrusted, including backend-originated inputs.
Uses an agent to block requests to internal or sensitive IP address ranges.
Policy configuration controls allow/deny lists, HTTP plaintext rules, and required/denied headers.

Validate every URL-like input, even when formed from seemingly harmless identifiers.
Enforce centralized outbound-request policy via AntiSSRFPolicy rather than ad-hoc checks.
Blocking internal IP ranges is a practical default defense against SSRF pivoting.
Built-in domain validators help safely target Azure Key Vault and Azure Storage endpoints.
Adoption is straightforward for HttpClient and Node HTTP/HTTPS agents with common client examples.