Server Side Request Forgery (SSRF)

Introduction

This article covers ways to secure the code from Server Side Request Forgery vulnerability. This includes applying a proper function to check for the user’s input.

Learn more about Server Side Request Forgery

How to secure

If the plugin or theme needs to fetch or perform a request to an external URL, we can use WordPress built-in functions depending on the HTTP methods such as:

• wp_safe_remote_head
• wp_safe_remote_get
• wp_safe_remote_post
• wp_safe_remote_request

The above functions will mostly protect from SSRF vulnerability and deny access to an internal service. However, please note that the above functions currently are not 100% secure and have some rare cases that still allow for internal service access. Please refer to this article:

• Exploring the Unknown: Beneath the Surface of Unpatched WordPress SSRF

With that mentioned, we recommend not trusting the entire URL string to the user’s input and applying some limitations before passing the URL to the above functions:

add_action("wp_ajax_nopriv_fetch_image_url", "fetch_image_url_2");

function fetch_image_url_2(){
    $image_url = parse_url($_GET["image_url"]);

    if(!image_url){
        die()
    }

    $allowed = array("image.com", "storeimage.com", "loadimage.com");
    if(!in_array($image_url["host"], $allowed)){
        die();
    }

    $response = wp_safe_remote_get($_GET["image_url"]);
    $image_data = wp_remote_retrieve_body($response);
    echo $image_data;
    die();
}