RelunSec

Introducing dssrf: A Safe‑by‑Construction SSRF Defense Library for Node.js

Server-Side Request Forgery (SSRF) is one of the most dangerous and misunderstood vulnerabilities in modern web applications.

Most Node.js SSRF "solutions" rely on regex, blacklists, or string checks - and attackers bypass them easily.

So I built dssrf, a safe‑by‑construction SSRF defense library for Node.js that focuses on eliminating entire bug classes, not patching individual payloads.

GitHub: https://github.com/HackingRepo/dssrf-js

npm: https://www.npmjs.com/package/dssrf


Why SSRF Is Harder Than Developers Think

Most SSRF bypasses come from things developers don't expect:

  • DNS rebinding
  • Redirect chains
  • IPv6 edge cases
  • Encoded IPs
  • Unicode tricks
  • URL normalization inconsistencies
  • Alternative IP formats
  • Cloud metadata endpoints

A simple blacklist like:

if (url.includes("localhost")) reject();

…is not enough. Attackers can bypass it with:

  • http://127.1/
  • http://2130706433/
  • http://[::ffff:127.0.0.1]/
  • http://google.com@127.0.0.1/
  • http://google.com%00@127.0.0.1/

What dssrf Does Differently

Instead of blacklists, dssrf uses a multi‑step, safe‑by‑construction approach:

  • URL normalization (RFC‑correct)
    • Unicode normalization
    • Backslash to slash conversion
    • Credential stripping
    • Scheme validation
    • Canonicalization
  • DNS resolution + IP classification
    • Detects internal IPs
    • Detects cloud metadata IPs
    • Detects IPv6 local addresses
    • Detects IPv4/IPv6 rebinding
  • Redirect chain validation
    • Every redirect target is validated with the same rules.
  • Protocol restrictions
    • Only http and https are allowed.
  • TypeScript types included
    • Full .d.ts support for modern Node.js projects.
