Skip to content

Conversation

nico014
Copy link

@nico014 nico014 commented Jan 22, 2024

This option is a workaround to block potential SSRF attacks on Prerender servers until Prerender has found a way to address the vulnerability themselves. (It's been over 3 months at the time of writing.)

If you run this request on a Prerender-enabled server:

GET /get HTTP/1.1
User-Agent: TelegramBot
x-forwarded-host: httpbin.org

..you will see the response from httpbin.org, which in this case returns details about the request and its origins.

This means that one can have the Prerender server perform requests to outside hosts, even if they have nothing to do with the website that Prerender is enabled for. There is a name for this: Server Side Request Forgery.

This PR adds an option to ignore the x-forwarded-host header, which contains the "payload", if any.
BEWARE: the x-forwarded-host header might actually be needed in some situations (reverse proxy). I have added notes about this in the README file.

Nico Kempe added 4 commits December 22, 2023 14:54
This option ignores any `x-forwarded-host` headers, which can be used to block SSRF attacks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant