HIGH adonisjsssrf blind

Ssrf Blind in Adonisjs

Scan your API now

Ssrf Blind in Adonisjs

Server-Side Request Forgery (SSRF) Blind attacks are a subset of SSRF where the attacker cannot directly observe the response from an internal request but can infer behavior through indirect indicators such as timing, error messages, or secondary system states.

In AdonisJS, SSRF Blind often manifests when an application makes HTTP calls to external or internal resources based on user-supplied input without proper validation or restriction. For example, an endpoint that allows a user to provide a URL to fetch a remote image for processing may be vulnerable if it uses a library like HttpNode or axios without network egress controls.

// Vulnerable route in AdonisJS controller
@Http.post('/fetch-image')
async fetchImage({ request }) {
  const { url } = request.body()
  const response = await Http.get(url)
  return response.body()
}

An attacker could submit http://internal.admin/api/health as the URL. If the server responds differently based on the target (e.g., different status codes, response body length, or delay), the attacker can gradually map internal services through blind probing.

Common AdonisJS code patterns that lead to SSRF Blind include:

  • Using Http.get(), Http.post(), or fetch() with untrusted input
  • Parsing URLs from request parameters or headers without validation
  • Allowing file uploads that trigger external processing via APIs
  • Using third-party packages like sharp or puppeteer to fetch remote assets

These patterns are especially risky when deployed behind cloud-native environments where outbound network access is not restricted by default.

AdonisJS-Specific Detection

Detection of SSRF Blind in AdonisJS applications requires understanding both the runtime behavior and the framework's request handling lifecycle.

middleBrick identifies SSRF Blind by analyzing unauthenticated interactions with endpoints that accept URL parameters and perform outbound HTTP requests. The scanner checks for:

  • Endpoints that accept a url parameter without validation
  • Use of HttpNode, axios, or fetch() in route handlers
  • Discrepancies in response timing or status codes when targeting internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8)
  • Error messages that leak internal topology

When scanning an AdonisJS endpoint like POST /fetch-image, middleBrick sends requests to internal metadata services (e.g., http://169.254.169.254) and observes behavioral changes. Even without direct response visibility, it detects blind indicators such as increased latency, shift in HTTP status from 200 to 500, or changes in response size.

middleBrick's OWASP API Top 10 alignment ensures SSRF Blind findings are mapped to API Top 10 Category A5 (2023), which covers broken object level authorization and excessive data exposure that often accompany SSRF vulnerabilities.

AdonisJS-Specific Remediation

Remediation of SSRF Blind in AdonisJS should focus on input validation, network egress control, and use of framework-native security patterns.

Recommended fixes include:

// Secure approach using URL validation and allowlist
@Validated.route('fetch-image')
async fetchImage({ request }) {
  const schema = schema({
    url: 
      rules.string().url({
        allowOnly: ['http:', 'https:']
      }).ruleset()
  })

  const { url } = await superValidator.validate(schema)

  // Optional: Add domain allowlist
  const allowedHosts = ['images.trusted-cdn.com']
  const parsedUrl = new URL(url)
  if (!allowedHosts.includes(parsedUrl.hostname)) {
    throw new Error('Blocked external URL')
  }

  const response = await Http.get(url, { responseType: 'stream' })
  return response.body
}

Additionally, AdonisJS applications should restrict outbound network access using infrastructure controls (e.g., firewall rules, cloud security groups) to prevent access to internal IP ranges.

Use of AdonisJS's built-in validation and schema tools helps enforce strict input policies. For example, rejecting private IP addresses and limiting protocols to HTTPS unless explicitly required.

Another mitigation is to avoid making outbound requests directly from controllers. Instead, route such logic through a dedicated service with strict access controls:

// Service layer with validation
class ImageService {
  static async fetch(url) {
    const allowedHosts = ['images.example.com']
    const parsedUrl = new URL(url)
    if (!allowedHosts.includes(parsedUrl.hostname)) {
      throw new Error('Unauthorized host')
    }
    return Http.get(url)
  }
}

By combining application-level validation with infrastructure-level egress restrictions, developers can significantly reduce SSRF Blind risk in AdonisJS applications.

Scan your API now Free API security scan

Frequently Asked Questions

How does middleBrick detect SSRF Blind when no response body is returned?
middleBrick detects SSRF Blind by observing indirect behavioral changes such as response timing, status code shifts, or side effects like DNS queries. It sends requests to known internal IP ranges and private endpoints, then analyzes patterns that indicate the server processed the request internally — even without visible response data. This allows it to flag potential SSRF Blind vulnerabilities in AdonisJS and other frameworks.
Can middleBrick scan AdonisJS APIs without authentication?
Yes. middleBrick performs unauthenticated black-box scanning of API endpoints. You can provide a URL to an AdonisJS endpoint that accepts external URLs, and middleBrick will test for SSRF Blind by probing internal services and analyzing response behavior. No credentials, agents, or configuration are required.

Related Pages

Adonisjs API SecurityAdonisjs security guide covering BOLA vulnerabilities, CORS misconfigurations, and input validation pitfalls. Learn to hSsrf Blind AttackLearn how blind SSRF attacks work against APIs, real-world examples, and prevention strategies including input validatioCWE-1104 in AdonisjsLearn how CWE-1104 affects AdonisJS applications with specific attack patterns, detection methods using middleBrick, andCWE-116 in AdonisjsLearn how CWE-116 (Improper Encoding) affects Adonisjs applications, how to detect it with middleBrick's API scanner, anCWE-113 in AdonisjsHow CWE-113 CRLF injection vulnerabilities manifest in Adonisjs applications, with specific detection methods and AdonisCWE-1039 in AdonisjsLearn how CWE-1039 (ReDoS) appears in Adonisjs apps, how to detect it with middleBrick, and fix it using Adonisjs validaHipaa for AdonisjsMiddleBrick scans Adonisjs APIs for HIPAA compliance risks including data exposure, missing encryption, and authenticatiGdpr for AdonisjsGDPR compliance risks and remediation in AdonisJS: specific API exposure patterns, detection methods, and native framewoIso 27001 for AdonisjsmiddleBrick identifies ISO 27001-related vulnerabilities in Adonisjs applications by detecting IDOR flaws, insecure deseCis for AdonisjsAdonisjs-specific API security flaws involving improper authorization, detection, and remediation with middleBrick scannAdonisjs in E CommerceLearn how e commerce vulnerabilities like IDOR and input validation flaws manifest in Adonisjs APIs, how middleBrick detAdonisjs in EducationLearn how education around IDOR, BOLA, and input validation applies to Adonisjs APIs, with detection and remediation ste