sast-ssrf
Detects Server-Side Request Forgery (SSRF) vulnerabilities in codebases using a structured three-phase approach.
Security score
The sast-ssrf skill was audited on Jun 6, 2026 and we found 24 security issues across 3 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
| Finding | Line | Matched content |
|---|---|---|
| Direct command execution function call | 336 | `> - os.system("curl " + url), exec("wget " + url)` |
| System command execution | 336 | `> - os.system("curl " + url), exec("wget " + url)` |
| Python os.system command execution | 336 | `> - os.system("curl " + url), exec("wget " + url)` |
| Python subprocess execution | 335 | `> - subprocess.run(["curl", url, ...]), subprocess.Popen(["wget", url, ...])` |
| Curl to non-GitHub URL | 467 | `> Example: curl "https://app.example.com/fetch?url=http://169.254.169.254/latest/meta-data/"` |
| Curl to non-GitHub URL | 468 | `> or for internal pivot: curl "https://app.example.com/fetch?url=http://internal-db:5432/"]` |
| Webhook reference - potential data exfiltration | 29 | `- Fetching a resource whose location is provided by the client: fetch(req.body.webhook_url)` |
| Webhook reference - potential data exfiltration | 34 | `- Webhooks, import-from-URL, screenshot services, PDF renderers, image proxies — any feature that fetches a remote resource on behalf of the user` |
| Webhook reference - potential data exfiltration | 121 | `// VULNERABLE: webhook URL comes directly from request body` |
| Webhook reference - potential data exfiltration | 122 | `app.post('/webhook/test', async (req, res) => {` |
| Webhook reference - potential data exfiltration | 130 | `app.post('/webhook/test', async (req, res) => {` |
| Webhook reference - potential data exfiltration | 270 | `> **Context**: You will be given the project's architecture summary. Use it to understand the tech stack, HTTP client libraries in use, and any networking or webhook-related components.` |
| Webhook reference - potential data exfiltration | 353 | `> ### 1. [Descriptive name — e.g., "HTTP GET in webhook dispatcher"]` |
| Webhook reference - potential data exfiltration | 416 | `> - Request body / JSON fields: request.json['webhook_url'], req.body.target, params[:source]` |
| Webhook reference - potential data exfiltration | 426 | `> 3. **User input stored and later fetched** — the destination was previously saved from user input (e.g., a stored webhook URL) and is now retrieved from the database to make a request:` |
| Webhook reference - potential data exfiltration | 474 | `> - **Issue**: [e.g., "User controls the path portion of a partially hardcoded URL" or "Stored webhook URL accepted without allowlist at write time"]` |
| External URL reference | 60 | `ALLOWED_PREFIXES = ["https://api.example.com/", "https://cdn.example.com/"]` |
| External URL reference | 69 | `response = requests.get("https://api.thirdparty.com/data")` |
| External URL reference | 185 | `$allowed = ['https://cdn.example.com/'];` |
| External URL reference | 340 | `> - Calls where the entire URL and hostname are fully hardcoded string literals with no dynamic parts: requests.get("https://api.example.com/data")` |
| External URL reference | 422 | `> - "https://example.com/" + user_path — may still be exploitable via path traversal or scheme injection depending on the HTTP client` |
| External URL reference | 434 | `> - **Scheme-only restriction** (e.g., only allow https://): Partial mitigation — reduces impact but does not prevent SSRF to arbitrary HTTPS hosts. Still flag as Likely Vulnerable.` |
| External URL reference | 467 | `> Example: curl "https://app.example.com/fetch?url=http://169.254.169.254/latest/meta-data/"` |
| External URL reference | 468 | `> or for internal pivot: curl "https://app.example.com/fetch?url=http://internal-db:5432/"]` |