sast-ssrf


Server-Side Request Forgery (SSRF) Detection

You are performing a focused security assessment to find SSRF vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: recon (find all places that make outbound TCP, DNS, or HTTP requests), batched verify (trace whether user-supplied input reaches those call sites, in parallel batches of 3), and merge (consolidate batch reports into one file).

Prerequisites: sast/architecture.md must exist. Run the analysis skill first if it doesn't.


What is SSRF

SSRF occurs when an attacker can cause the server to make outbound network requests to an arbitrary destination — including internal services, cloud metadata endpoints, or other external targets — by supplying or influencing the URL, hostname, IP, or port used in a server-side request.

The core pattern: unvalidated, user-controlled input reaches the destination argument of an outbound network call.

What SSRF IS

  • HTTP client calls where the URL or host is built from user input: requests.get(user_url)
  • Fetching a resource whose location is provided by the client: fetch(req.body.webhook_url)
  • DNS lookups on a hostname supplied by the user: dns.lookup(req.query.host)
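As an added illustration of the recon phase described above (example code written for this page, not part of the sast-ssrf skill itself), the following Python heuristic scans a few constructed source lines for outbound-request sinks, classifies the destination argument as a literal, a likely user-controlled value, or unknown, and groups the sites that still need a verify pass into batches of 3. The sink and source name patterns and the sample lines are assumptions for the demonstration; a real verify phase traces data flow rather than matching identifier names.

```python
import re

# Constructed sample source lines (not from any real project), as
# (file, line_no, text). A mix of tainted, literal, and unresolved sites.
SAMPLE_SOURCE = [
    ("api/webhooks.js", 12, "const r = await fetch(req.body.webhook_url);"),
    ("api/health.js", 40, "const r = await fetch('https://status.internal/ping');"),
    ("services/fetcher.py", 88, "resp = requests.get(user_url, timeout=5)"),
    ("services/resolver.js", 7, "dns.lookup(req.query.host, cb);"),
    ("services/dns_probe.py", 15, "socket.getaddrinfo(HOSTNAME, 443)"),
    ("util/fetch.py", 3, "urllib.request.urlopen(settings.METRICS_URL)"),
]

# Outbound-request sinks: calls whose first argument is a destination
# (URL or host). Assumed list covering the HTTP and DNS patterns in the text.
SINK_RE = re.compile(
    r"\b(?:requests\.(?:get|post|put|delete|head|request)|fetch|"
    r"dns\.lookup|socket\.getaddrinfo|urllib\.request\.urlopen|"
    r"http\.get|axios\.(?:get|post))\s*\((?P<arg>[^,)]*)"
)

# Textual markers of user-controlled input (assumed naming conventions).
# This is a recon heuristic only; it does not follow assignments or calls.
SOURCE_RE = re.compile(
    r"\b(?:req\.(?:body|query|params|headers)|request\.(?:args|form|json|data)|"
    r"user_\w+|input_\w+)\b"
)


def classify_arg(arg):
    """Classify the destination argument of a sink call."""
    arg = arg.strip()
    if re.fullmatch(r"""(['"]).*\1""", arg):
        return "literal"      # hard-coded destination, cannot be SSRF by itself
    if SOURCE_RE.search(arg):
        return "tainted"      # request data reaches the destination directly
    return "unknown"          # needs data-flow tracing in the verify phase


def recon(source_lines):
    """Phase 1: find every outbound-call site and classify its destination."""
    findings = []
    for path, lineno, text in source_lines:
        m = SINK_RE.search(text)
        if not m:
            continue
        findings.append({
            "file": path,
            "line": lineno,
            "sink": m.group(0).split("(")[0].strip(),
            "arg": m.group("arg").strip(),
            "verdict": classify_arg(m.group("arg")),
        })
    return findings


def needs_verify(findings):
    """Sites that are not literal destinations go on to the verify phase."""
    return [f for f in findings if f["verdict"] != "literal"]


def batch(items, size=3):
    """Split call sites into parallel verify batches (the skill uses 3)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    found = recon(SAMPLE_SOURCE)
    for f in found:
        print(f"{f['file']}:{f['line']} {f['sink']}({f['arg']}) -> {f['verdict']}")
    for n, group in enumerate(batch(needs_verify(found)), start=1):
        print(f"verify batch {n}: {[g['file'] for g in group]}")
```

Running it lists six sink sites, marks the health-check fetch as a literal, flags the webhook fetch, the requests.get on user_url, and the dns.lookup as tainted, leaves the two config-driven sites as unknown, and hands the five non-literal sites to the verify phase as one batch of 3 and one of 2.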
Installs: 6
GitHub Stars: 621
First Seen: Mar 30, 2026