
Do Not Allow Loopback

Loopback addresses, usually recognised by the IP address 127.0.0.1 or the hostname localhost, shouldn't be allowed in server-side requests, as they can be used to reach other resources on the same machine such as sidecars, databases, or other services.

However, 127.0.0.1 isn't the only loopback address. The entire 127.0.0.0/8 range is reserved for loopback, which means that you can't block loopback by hardcoding any one specific IP address.

The following are bad and weak patterns for blocking SSRF attacks:

A Denylist for 127.0.0.1

// ❌ Bad
if (url.includes('127.0.0.1')) {
  return res.status(400).send('Bad input detected!');
}

Note that this pattern is weak because it only blocks requests to the specific 127.0.0.1 address, but loopback-bound requests can be made to other IPs in the range such as 127.0.0.2.

A Denylist for localhost

// ❌ Bad
if (url.includes('localhost')) {
  return res.status(400).send('Bad input detected!');
}

This pattern is weak because it only blocks requests to the specific localhost hostname, but loopback-bound requests can be made to other hostnames such as localhost.localdomain, or to localhost on a different port such as localhost:8080.