HIGH ssrf server sideactixcockroachdb

Ssrf Server Side in Actix with Cockroachdb

Scan for ssrf server side in actix

Ssrf Server Side in Actix with Cockroachdb — how this specific combination creates or exposes the vulnerability

Server-side request forgery (SSRF) in an Actix web service that uses CockroachDB can occur when user-supplied URLs are used to build database requests or when internal service metadata endpoints are reachable from API handlers. In this combination, an attacker may supply a CockroachDB connection string or an internal SQL proxy address as a URL parameter, causing the Actix application to open unintended network connections. Because CockroachDB often runs in clustered or multi-tenant environments, SSRF can expose internal node endpoints, gossip ports, or administrative UIs that are not intended for external access.

During an unauthenticated scan, middleBrick tests API endpoints that accept URLs or redirect targets. If an Actix endpoint accepts a url or host parameter and uses it to open a CockroachDB SQL connection without strict validation, SSRF becomes reachable. For example, a handler that dynamically builds a CockroachDB connection URI from user input can allow an attacker to point the database client at internal services such as http://localhost:8080/_status/vars or other cluster-internal endpoints. This may lead to data exposure, reconnaissance, or further pivoting within the cluster, depending on network policies and authentication settings.

middleBrick’s 12 checks run in parallel for this surface. The Input Validation check tests whether the endpoint rejects malformed or internal URLs, while the Data Exposure check looks for sensitive data in responses that may be returned when the backend follows a malicious redirect. The SSRF check specifically tests whether the service follows user-supplied redirects to internal addresses. Even in unauthenticated scans, if the Actix API exposes endpoints that interact with CockroachDB, middleBrick can detect whether crafted probes reach internal listeners, indicating a potential SSRF path.

Cockroachdb-Specific Remediation in Actix — concrete code fixes

To mitigate SSRR in Actix applications that use CockroachDB, validate and restrict all user-controlled inputs that influence database connections or HTTP requests. Do not construct CockroachDB connection strings from raw query parameters. Instead, use fixed connection configurations and, if dynamic routing is required, enforce an allowlist of permitted hostnames or CIDRs. The following examples show secure patterns for Actix with CockroachDB.

Secure handler with static CockroachDB connection

use actix_web::{web, HttpResponse, Result};
use sqlx::postgres::PgPoolOptions;
use sqlx::PgPool;

// Use a fixed connection string from configuration, never from user input.
async fn build_pool() -> Result {
    let database_url = std::env::var("COCKROACH_URL")
        .unwrap_or_else(|_| "postgresql://root@localhost:26257/defaultdb?sslmode=disable".into());
    let pool = PgPoolOptions::new()
        .max_connections(5)
        .connect(&database_url)
        .await?;
    Ok(pool)
}

async fn safe_query(pool: web::Data) -> Result {
    let row: (i64,) = sqlx::query_as("SELECT count(*) FROM accounts")
        .fetch_one(pool.as_ref())
        .await?;
    Ok(HttpResponse::Ok().body(format!("count: {}", row.0)))
}

Validated redirect or fetch (if user-supplied target is required)

use actix_web::{get, web, HttpResponse, Result};
use url::Url;

/// Only allow user-supplied targets to known-safe prefixes.
#[get("fetch")]
async fn fetch_resource(query: web::Query>) -> Result {
    if let Some(target) = query.get("url") {
        let parsed = Url::parse(target).map_err(|_| actix_web::error::ErrorBadRequest("invalid url"))?;
        // Enforce strict allowlist of schemes and host patterns.
        if parsed.scheme() != "https" {
            return Err(actix_web::error::ErrorBadRequest("only https allowed"));
        }
        if !parsed.host_str().map(|h| h.ends_with(".example.com")).unwrap_or(false) {
            return Err(actix_web::error::ErrorBadRequest("host not allowed"));
        }
        // Perform the request using a server-side client with restricted timeouts.
        let resp = reqwest::get(target.to_string()).await.map_err(|_| actix_web::error::ErrorBadRequest("request failed"))?;
        let body = resp.text().await.map_err(|_| actix_web::error::ErrorBadRequest("read failed"))?;
        return Ok(HttpResponse::Ok().body(body));
    }
    Err(actix_web::error::ErrorBadRequest("missing url"))
}

CockroachDB-specific notes

  • Do not expose CockroachDB node HTTP endpoints (e.g., :8080) to public networks. Use VPC peering or private connectivity from Actix services.
  • If using connection pools, configure strict timeouts and avoid passing user input into driver-level parameters such as host or port.
  • Audit logs: ensure CockroachDB audit logs capture connection origins to help detect SSRF-induced internal scanning.
Scan for ssrf server side in actix Free API security scan

Frequently Asked Questions

Can SSRF in Actix lead to CockroachDB credential exposure?
Yes. If an Actix endpoint reflects user input into a CockroachDB connection string or SQL query, SSRF can allow an attacker to redirect connections to an internal proxy that reveals credentials or metadata. Use fixed connection strings and input validation to prevent this.
Does middleBrick test for SSRF with CockroachDB-specific probes?
middleBrick runs parallel checks including SSRF, testing whether endpoints follow user-supplied URLs that point to internal addresses. While checks are protocol-agnostic, you can validate your Actix+CockroachDB surface by reviewing the scan’s SSRF findings and remediation guidance in the dashboard or CLI JSON output.

Related Pages

Ssrf Server Side in ActixLearn how SSRF vulnerabilities manifest in Actix applications and discover Actix-specific detection and remediation techSsrf Server Side in CockroachdbLearn how SSRF vulnerabilities manifest in CockroachDB through IMPORT statements, external connections, and CDC configurSsrf Server Side in Actix on SupabaseExplore SSRF risks when Actix integrates with Supabase, understand how the combination exposes vulnerabilities, and applSsrf Server Side in Actix on RailwayUnderstand and remediate SSRF in Actix apps on Railway, with concrete code examples and Railway-aware security guidance.Hipaa: Ssrf Server Side in ActixExplore HIPAA implications of SSRF in Actix services and implement Actix-specific secure coding patterns and validation.Gdpr: Ssrf Server Side in ActixUnderstand SSRF in Actix services and how it intersects with GDPR. Learn concrete Actix code fixes and hardening steps tIso 27001: Ssrf Server Side in ActixExplore SSRF in Actix services under ISO 27001, including risk mapping and concrete Rust code fixes to prevent internal Cis: Ssrf Server Side in ActixCIS SSRF in Actix: understand the risk and apply host allowlists, redirect policy, timeouts, and strict URL validation wSsrf Server Side in Actix with Bearer TokensUnderstand SSRF with Bearer Tokens in Actix: risks, real examples, and secure coding patterns with host allowlists and tSsrf Server Side in Actix with Hmac SignaturesSSRF in Actix with HMAC signatures: how trusted signatures can still enable SSRF and concrete fixes using server-side alSsrf Server Side in Actix with Basic AuthUnderstand SSRF in Actix with Basic Auth, review concrete remediation code, and learn how middleBrick detects these issuSsrf Server Side in Actix with Api KeysSSRF in Actix using API keys: how trusted outbound credentials can be abused, and remediation patterns with allowlists a