Problem scenario

For example, http://axxx.com/?url=http://b.com/ wants to get the web page content under http://b.com/. It then needs to initiate a request to that domain name, but it needs to avoid accessing the private network.

When the b.com domain name is resolved, the IP is in the public network; then, when the real request to b.com is made, the resolved IP becomes one in the private network. This takes advantage of the time difference to construct an SSRF attack scenario involving DNS rebinding.

One of the most brute-force ways I can think of so far is to add a whitelist.

I would appreciate it if an expert could share a solution.

Currently, Node.js is used as the defense against this SSRF. Is it possible to get the IP of the domain name corresponding to the request when the request is actually sent?
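
One way to do what the question asks in Node.js, as an added example that is not part of the original post: pass a custom `lookup` function to the request, so the address that is checked is the same address the socket connects to. The names `isBlockedAddress`, `guardedLookup` and `safeGet`, and the list of blocked ranges, are assumptions made for this illustration.

```javascript
// Added example (not from the original post). Helper names are hypothetical.
const dns = require('node:dns');
const http = require('node:http');
const net = require('node:net');

// Private, loopback, link-local and similar ranges a server-side fetch must not reach.
const blocked = new net.BlockList();
for (const [prefix, bits] of [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]) {
  blocked.addSubnet(prefix, bits, 'ipv4');
}
for (const [prefix, bits] of [['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(prefix, bits, 'ipv6');
}

function isBlockedAddress(address) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(address); // IPv4-mapped IPv6
  const ip = mapped ? mapped[1] : address;
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal at all: fail closed
  return blocked.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Same signature as dns.lookup, so http/https/net can use it as the `lookup` option.
// The socket connects to the addresses returned here, so the address that is checked
// is the address that is used; there is no second resolution for a rebind to change.
// `resolver` is injectable only so the check can be exercised without network access.
function guardedLookup(hostname, options, callback, resolver = dns.lookup) {
  if (typeof options === 'function') { callback = options; options = {}; }
  resolver(hostname, { ...options, all: true }, (err, addresses) => {
    if (err || addresses.length === 0) return callback(err || new Error(`no address for ${hostname}`));
    const bad = addresses.find((a) => isBlockedAddress(a.address));
    if (bad) return callback(new Error(`blocked address ${bad.address} for ${hostname}`));
    if (options.all) return callback(null, addresses);
    return callback(null, addresses[0].address, addresses[0].family);
  });
}

function safeGet(url, onResponse) {
  const target = new URL(url);
  if (target.protocol !== 'http:') throw new Error('only http: URLs are accepted here');
  // IP literals never go through the lookup hook, so check them before connecting.
  const host = target.hostname.replace(/^\[|\]$/g, '');
  if (net.isIP(host) && isBlockedAddress(host)) throw new Error(`blocked address ${host}`);
  return http.get(target, { lookup: guardedLookup }, onResponse);
}
```

`http.get` does not follow redirects, so a caller that follows them should send each hop through `safeGet` again.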