HIGH ssrf server sidechimutual tls

Ssrf Server Side in Chi with Mutual Tls

Scan for ssrf server side in chi

Ssrf Server Side in Chi with Mutual Tls — how this specific combination creates or exposes the vulnerability

Server-side SSRF occurs when an API endpoint accepts a URL from an attacker and uses it to make outbound HTTP requests. In Chi, this typically happens when a handler forwards user-supplied input to another service without strict validation. Mutual TLS (mTLS) is commonly used to authenticate and encrypt traffic between services. While mTLS strengthens service-to-service trust by requiring client certificates, it does not prevent an internal service from making unintended outbound calls. If a Chi application uses mTLS for its outbound client but does not validate or restrict the target hostname, an attacker can supply a malicious hostname that the internal service reaches via the mTLS connection. The presence of client certificates may even make the request succeed where plain HTTP would fail due to strict mTLS policies, increasing the risk of internal SSRF.

Chi routes are built using middleware and handlers. If a route accepts a URL parameter and passes it to an HTTP client configured with mTLS (client certificates and CA verification), the client may establish a TLS connection to the supplied host. Attackers can leverage this to probe internal endpoints, reach metadata services (e.g., cloud instance metadata), or bypass network segmentation that assumes mTLS confines traffic to trusted peers. Since mTLS ensures the client presents a valid certificate, the compromised service may be able to call internal APIs that reject untrusted clients, effectively extending the attack surface inward. This combination therefore exposes a class of SSRF where network-level protections are bypassed by leveraging trusted mTLS credentials.

Real-world examples include services that accept a webhook or target URL and perform an HTTP request using a pre-configured mTLS client. If the target hostname is not validated against an allowlist, an attacker can supply hostnames that resolve to internal services, cloud metadata endpoints (e.g., http://169.254.169.254), or other sensitive internal APIs. middleBrick can detect such unauthenticated SSRF patterns through its unauthenticated attack surface scans and its OWASP API Top 10 mappings, highlighting risky parameter handling and insufficient hostname validation even when mTLS is in use.

Mutual Tls-Specific Remediation in Chi — concrete code fixes

Remediation focuses on validating and restricting outbound targets, independent of the transport security. Never forward user input directly into an HTTP request. Instead, use an allowlist of permitted hostnames or domains, and enforce strict URL parsing to prevent hostname confusion (e.g., IPv4, IPv6, Unicode encodings). When using mTLS, ensure that hostname verification remains active and is not disabled through insecure TLS configurations.

Example: a Chi route that accepts a target host and path should resolve and validate the host against an allowlist before constructing the request. Use Go’s standard net/url and net/http packages alongside tls.Config that includes a proper root CAs and client certificates, while preserving default hostname verification.

import (
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "io"
    "net"
    "net/http"
    "net/url"
    "strings"
)

// allowlist of permitted hosts
var allowedHosts = map[string]bool{
    "api.example.com": true,
    "service.internal": true,
}

func isValidHost(target string) bool {
    u, err := url.Parse(target)
    if err != nil {
        return false
    }
    if u.Scheme != "https" {
        return false
    }
    host := u.Hostname()
    return allowedHosts[host]
}

func proxyHandler(w http.ResponseWriter, r *http.Request) {
    target := r.URL.Query().Get("url")
    if !isValidHost(target) {
        http.Error(w, "invalid target host", http.StatusBadRequest)
        return
    }

    parsed, _ := url.Parse(target)
    // Load client cert and key
    cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
    if err != nil {
        http.Error(w, "server error", http.StatusInternalServerError)
        return
    }
    // Load CA pool
    caCert, err := io.ReadFile("ca.crt")
    if err != nil {
        http.Error(w, "server error", http.StatusInternalServerError)
        return
    }
    caPool := x509.NewCertPool()
    caPool.AppendCertsFromPEM(caCert)

    tlsConfig := &tls.Config{
        Certificates:       []tls.Certificate{cert},
        RootCAs:            caPool,
        InsecureSkipVerify: false, // ensure verification is enabled
        ServerName:         parsed.Hostname(),
    }
    transport := &http.Transport{
        TLSClientConfig: tlsConfig,
        DialTLS: func(network, addr string) (net.Conn, error) {
            return tls.Dial(network, addr, tlsConfig)
        },
    }
    client := &http.Client{Transport: transport}
    resp, err := client.Get(target)
    if err != nil {
        http.Error(w, "upstream error", http.StatusBadGateway)
        return
    }
    defer resp.Body.Close()
    io.Copy(w, resp.Body)
}

Key points: keep InsecureSkipVerify false, set ServerName explicitly, and validate the hostname against an allowlist before using it in the request URL. Avoid disabling certificate validation or allowing wildcard hosts. middleBrick’s scans can highlight endpoints where user-controlled URLs are used without such validation, even when mTLS is configured.

Scan for ssrf server side in chi Free API security scan

Frequently Asked Questions

Does mTLS prevent SSRF in Chi applications?
No. mTLS secures the client’s identity and channel encryption, but it does not stop an application from making unintended outbound requests. Hostname validation and allowlisting are still required to prevent SSRF.
Can middleBrick detect SSRF in mTLS-protected endpoints?
Yes. middleBrick scans the unauthenticated attack surface and can identify SSRF patterns and insufficient hostname validation, even when mTLS is used. Findings map to OWASP API Top 10 and include prioritized remediation guidance.

Related Pages

Ssrf Server Side in ChiServer-Side Request Forgery in Chi applications: detection, prevention, and remediation with middleBrick's specialized sSsrf Server Side with Mutual TlsSsrf Server Side with Mutual TlsSsrf Server Side in Chi on GcpSSRF server-side in Chi on GCP: causes, GCP-specific risks, and concrete validation and network controls in Clojure.Ssrf Server Side in Chi on KubernetesSSRF server-side in Chi on Kubernetes: causes, remediation, and Kubernetes network policies with concrete code examples.Ssrf Server Side in Chi on AwsUnderstand and mitigate SSRF in Chi services on AWS, with safe handler examples and validation strategies.Ssrf Server Side in Chi on FirebaseLearn how SSRF in Chi with Firebase exposes risks and how to remediate with concrete code examples and validation patterHipaa: Ssrf Server Side in ChiHIPAA-aware SSRF guidance for Chi-based HTTP clients: secure configurations, host allowlists, and redirect controls to pGdpr: Ssrf Server Side in ChiUnderstand how SSRF in Chi-based APIs can expose GDPR-sensitive data, and apply concrete Go code fixes to block private Iso 27001: Ssrf Server Side in ChiExplore SSRF in Chi services through ISO 27001 controls, with concrete validation patterns and secure coding examples.Cis: Ssrf Server Side in Chi60 words: Understand SSRF in Chi-based services, how untrusted input leads to internal network exposure, and apply stricSsrf Server Side in Chi with DynamodbUnderstand SSRF server-side in Chi with DynamoDB, see concrete validation fixes, and learn how middleBrick reports SSRF Ssrf Server Side in Chi with CockroachdbSSRF server-side in Chi with Cockroachdb: risks, secure connection patterns, validation examples, and least-privilege gu