This module helps you prevent SSRF (server-side request forgery) attacks.

```bash
npm install ssrf
```
```js
const ssrf = require("ssrf")
const axios = require("axios")

ssrf.options({
  blacklist: "/ssrf/list.txt", // Linux path; on Windows pass 'C:\\Users\\host.txt'
  path: false
})

let DNS_rebinding = "https://c0okie.xyz/attacker.html" // my domain running on 127.0.0.1
let url = "http://evil.com"   // blacklisted host
let ip = "http://13.54.97.2"  // blacklisted IP

// Normal request: validate the target with ssrf.url() before fetching it
const safeRequest = async () => {
  try {
    const gotssrf = await ssrf.url(ip) // returns the host or IP, rejects if blacklisted
    const res = await axios.get(gotssrf)
    console.log(res.data)
  } catch (error) {
    console.log("Handle Error for Front End User")
  }
}

safeRequest()
```
### ssrf.url()

`ssrf.url()` returns a Promise, so call it with `await ssrf.url("http://example.com")` inside a try-catch block:

```js
async function lookup(url) {
  try {
    const result = await ssrf.url(url)
    // do stuff if success
  } catch {
    // do stuff if fail (invalid, blacklisted or unresolvable target)
  }
}
```
### ssrf.options()

`options` takes two arguments:

+ blacklist
+ path
#### blacklist
The blacklist parameter takes the absolute path of a text file.

Ex:- /usr/list/blacklist.txt (Linux)
C:\\Users\\host.txt (Windows)

By default there is no blacklist; if a user passes an absolute path, the module reads that file and loops over its entries every time a request hits the middleware.
##### File format

One hostname or IP address per line:

```
evil.com
example.com
87.26.7.9
98.72.6.2
```
#### path
The path parameter takes a Boolean value (true or false).

By default it is true, which means the /path and ?parameters are returned attached to the host.

Ex:- if a user sends http://example.com/path1?param=1, the module returns http://example.com/path1?param=1

##### True

Returns the absolute URL: http://example.com/path1?param=1

##### False

Returns the hostname only: http://example.com or http://www.example.com
This module also protects against the reserved-character `@` attack (userinfo tricks such as `http://trusted.com@evil.com`) and DNS rebinding attacks. To learn more about DNS rebinding