Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: add ignoreXForwardedHost option to block SSRF attacks #241

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

nico014
Copy link

@nico014 nico014 commented Jan 22, 2024

This option is a workaround to block potential SSRF attacks on Prerender servers until Prerender has found a way to address the vulnerability themselves. (It's been over 3 months at the time of writing.)

If you run this request on a Prerender-enabled server:

GET /get HTTP/1.1
User-Agent: TelegramBot
x-forwarded-host: httpbin.org

..you will see the response from httpbin.org, which in this case returns details about the request and its origins.

This means that one can have the Prerender server perform requests to outside hosts, even if they have nothing to do with the website that Prerender is enabled for. There is a name for this: Server Side Request Forgery.

This PR adds an option to ignore the x-forwarded-host header, which contains the "payload", if any.
BEWARE: the x-forwarded-host header might actually be needed in some situations (reverse proxy). I have added notes about this in the README file.

Nico Kempe added 4 commits December 22, 2023 14:54
This option ignores any `x-forwarded-host` headers, which can be used to block SSRF attacks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant