Our website uses cookies to enhance your browsing experience.
Accept
to the top
Home
>
Documentation
>
Warnings
>
V5334. OWASP. Possible server-side...
menu mobile close menu
Introduction
How to enter the PVS-Studio license and what's the next move
PVS-Studio's trial mode
System requirements
Technologies used in PVS-Studio
Release history
Release history for previous versions (before 7.00)
Analyzing projects
On Windows
Getting acquainted with the PVS-Studio static code analyzer on Windows
Build-system independent analysis (C and C++)
Direct integration of the analyzer into build automation systems (C and C++)
On Linux and macOS
PVS-Studio C# installation on Linux and macOS
How to run PVS-Studio C# on Linux and macOS
Installing and updating PVS-Studio C++ on Linux
Installing and updating PVS-Studio C++ on macOS
How to run PVS-Studio C++ on Linux and macOS
Cross-platform
Direct use of Java analyzer from command line
Cross-platform analysis of C and C++ projects in PVS-Studio
PVS-Studio for embedded development
Analysis of C and C++ projects based on JSON Compilation Database
IDE
Get started with PVS-Studio in Visual Studio
Using PVS-Studio with JetBrains Rider and CLion
How to use the PVS-Studio extension for Qt Creator
How to integrate PVS-Studio in Qt Creator without the PVS-Studio plugin
Using the PVS-Studio extension for Visual Studio Code
Using PVS-Studio with IntelliJ IDEA and Android Studio
Build systems
Analyzing Visual Studio / MSBuild / .NET projects from the command line using PVS-Studio
Using PVS-Studio with the CMake module
Integrating PVS-Studio Java into the Gradle build system
Integrating PVS-Studio Java into the Maven build system
Game Engines
How to analyze Unity projects with PVS-Studio
Analysis of Unreal Engine projects
Continuous use of the analyzer in software development
Running PVS-Studio in Docker
Running PVS-Studio in Jenkins
Running PVS-Studio in TeamCity
How to upload analysis results to Jira
PVS-Studio and continuous integration
PVS-Studio's incremental analysis mode
Analyzing commits and pull requests
Unattended deployment of PVS-Studio
Speeding up the analysis of C and C++ code through distributed build systems (Incredibuild)
Integrating of PVS-Studio analysis results in code quality services (web dashboard)
Integration of PVS-Studio analysis results into DefectDojo
Integration of PVS-Studio analysis results into SonarQube
Integration of PVS-Studio analysis results into CodeChecker
Deploying the analyzer in cloud Continuous Integration services
Using with Travis CI
Using with CircleCI
Using with GitLab CI/CD
Using with GitHub Actions
Using with Azure DevOps
Using with AppVeyor
Using with Buddy
Managing analysis results
How to display the analyzer's most interesting warnings
How to use the OWASP diagnostic group in PVS-Studio
MISRA Coding Standards and Compliance
Baselining analysis results (suppressing warnings for existing code)
Handling the diagnostic messages list in Visual Studio
Suppression of false-positive warnings
How to view and convert analyzer's results
Relative paths in PVS-Studio log files
Viewing analysis results with C and C++ Compiler Monitoring UI
Notifying the developer teams (blame-notifier utility)
Filtering and handling the analyzer output through diagnostic configuration files (.pvsconfig)
Excluding files and directories from analysis
Additional configuration and resolving issues
Tips on speeding up PVS-Studio
PVS-Studio: troubleshooting
Additional diagnostics configuration
User annotation mechanism in JSON format
Annotating C and C++ entities in JSON format
Annotating C# entities in JSON format
Annotating Java entities in JSON format
Predefined PVS_STUDIO macro
Analysis configuration file (Settings.xml)
Settings: general
Settings: Common Analyzer Settings
Settings: Detectable Errors
Settings: Don't Check Files
Settings: Keyword Message Filtering
Settings: Registration
Settings: Specific Analyzer Settings
Analyzer diagnostics
PVS-Studio Messages
General Analysis (C++)
General Analysis (C#)
General Analysis (Java)
Micro-Optimizations (C++)
Micro-Optimizations (C#)
Diagnosis of 64-bit errors (Viva64, C++)
Customer specific requests (C++)
MISRA errors
AUTOSAR errors
OWASP errors (C++)
OWASP errors (C#)
OWASP errors (Java)
Problems related to code analyzer
Additional information
Credits and acknowledgements
toggle menu Contents
Jul 31 2025

V5334. OWASP. Possible server-side request forgery. Potentially tainted data in the URL is used to access a remote resource.

Jul 31 2025

The analyzer has detected that a remote resource is accessed using a user-provided and unverified URL. Relying on untrusted external data to generate an address can cause Server-Side Request Forgery (SSRF).

This vulnerability can be categorized under the OWASP Top 10 Application Security Risks classification as follows:

The example:

public static class UrlController {
  private final String BASE_URL = "http://localhost/"; 
  
  protected void connect(HttpServletRequest req) throws IOException {
    String filter = req.getParameter("filter"); 
    URL url = new URL(BASE_URL + filter);
    url.openConnection();                      // <=
    //....
  }
}

In this example, the filter variable may contain tainted data, since it originates from an external source and is used to form a server request to the resource whose address is stored in the BASE_URL variable.

This approach enables attackers to perform malicious actions by sending requests to resources to which they do not have direct access to.

Attackers can write the following to the filter variable: 

admin/delete?username=testSSRF

The final request looks like this: 

http://localhost/admin/delete?username=testSSRF

When a request is executed with such an address, attackers could delete a user.

Note. When mitigating SSRF, do not use deny lists or regular expressions because attackers can bypass them using the following techniques:

  • Redirection: Attackers can host an external resource that redirects to another URL.
  • Alternative IP representations, for example:
http://2130706433/ = http://127.0.0.1 
http://0x7f000001/ = http://127.0.0.1 

The example of protecting against SSRF using data validation:

public static class UrlController {
  private final String BASE_URL; 
  private final List<URL> whitelist;
  
  protected void connect(HttpServletRequest req) throws IOException {
    URL url = new URL(BASE_URL + req.getParameter("filter"));
    if (whiteList.contains(url)) {                    // <=
      url.openConnection(); 
      //....
    }
  }
}

You can also use special URL encoders that escape the request. For example, a user can pass the following string as a parameter:

../admin/secure-info

The code that generates a request to a third-party resource looks like this:

private final static String INTERNAL_URL = "http://localhost/service/"; 
protected void connect(HttpServletRequest req) throws IOException {
  String filter = req.getParameter("filter");
  URL url = new URL(INTERNAL_URL + filter);
  url.openConnection();                       // <=
  //....
}

If ../ is not escaped, the final request to the external resource will look like this:

http://localhost/admin/secure-info

By using this address, attackers can manipulate third-party resources and gain access to server specifications, the user count, and other confidential data.

To prevent such attacks, escape the user request.

The example of a secure implementation: 

private final static String INTERNAL_URL = "http://localhost/service/";
protected void connect(HttpServletRequest req) throws IOException {
  String filter = req.getParameter("filter");
  String encodedFilter = URLEncoder.encode(filter, "UTF_8");            // <=
  URL url = new URL(INTERNAL_URL + encodedFilter);
  url.openConnection();
  //....
}

This diagnostic is classified as:

Was this page helpful?

< Previous
Next >