SSRF Protection Manual Test Plan #457
Description
SSRF Protection Manual Test Plan
Issue Tracking: Manual QA Verification for SSRF Remediation
Status: Ready for QA
Priority: HIGH
Related: ssrf-protection.md
Prerequisites
- Charon instance running (Docker or local)
- Admin credentials
- Access to API endpoints
- cURL or similar HTTP client
Test Cases
1. Private IP Blocking (RFC 1918)
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-001 | http://10.0.0.1/webhook |
❌ Blocked: "private IP address" |
| SSRF-002 | http://10.255.255.255/webhook |
❌ Blocked |
| SSRF-003 | http://172.16.0.1/webhook |
❌ Blocked |
| SSRF-004 | http://172.31.255.255/webhook |
❌ Blocked |
| SSRF-005 | http://192.168.0.1/webhook |
❌ Blocked |
| SSRF-006 | http://192.168.255.255/webhook |
❌ Blocked |
Command:
curl -X POST http://localhost:8080/api/v1/settings/test-url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <token>" \
-d '{"url": "http://10.0.0.1/webhook"}'Expected Response: HTTP 400 with error containing "private IP"
2. Localhost Blocking
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-010 | http://127.0.0.1/admin |
❌ Blocked: "localhost" |
| SSRF-011 | http://127.0.0.2/admin |
❌ Blocked |
| SSRF-012 | http://localhost/admin |
❌ Blocked |
| SSRF-013 | http://localhost:8080/api |
❌ Blocked |
| SSRF-014 | http://[::1]/admin |
❌ Blocked |
Expected Response: HTTP 400 with error containing "localhost"
3. Cloud Metadata Blocking
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-020 | http://169.254.169.254/ |
❌ Blocked: "private IP" |
| SSRF-021 | http://169.254.169.254/latest/meta-data/ |
❌ Blocked |
| SSRF-022 | http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
❌ Blocked |
| SSRF-023 | http://169.254.0.1/ |
❌ Blocked (link-local range) |
Command:
curl -X POST http://localhost:8080/api/v1/settings/test-url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <token>" \
-d '{"url": "http://169.254.169.254/latest/meta-data/"}'4. Legitimate External URLs
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-030 | https://httpbin.org/post |
✅ Allowed |
| SSRF-031 | https://hooks.slack.com/services/test |
✅ Allowed (may 404) |
| SSRF-032 | https://api.github.com/ |
✅ Allowed |
| SSRF-033 | https://example.com/webhook |
✅ Allowed |
Expected Response: HTTP 200 with reachable: true or network error (not SSRF block)
5. Protocol Bypass Attempts
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-040 | file:///etc/passwd |
❌ Blocked: "HTTP or HTTPS" |
| SSRF-041 | ftp://internal.server/file |
❌ Blocked |
| SSRF-042 | gopher://localhost:25/ |
❌ Blocked |
| SSRF-043 | data:text/html,<script> |
❌ Blocked |
6. IPv6-Mapped IPv4 Blocking
| Test ID | Input URL | Expected Result |
|---|---|---|
| SSRF-050 | http://[::ffff:127.0.0.1]/ |
❌ Blocked |
| SSRF-051 | http://[::ffff:10.0.0.1]/ |
❌ Blocked |
| SSRF-052 | http://[::ffff:192.168.1.1]/ |
❌ Blocked |
| SSRF-053 | http://[::ffff:169.254.169.254]/ |
❌ Blocked |
7. Redirect Protection
| Test ID | Scenario | Expected Result |
|---|---|---|
| SSRF-060 | URL redirects to 127.0.0.1 | ❌ Blocked at redirect |
| SSRF-061 | URL redirects > 2 times | ❌ Stopped after 2 redirects |
| SSRF-062 | URL redirects to private IP | ❌ Blocked |
Test Setup: Use httpbin.org redirect:
# This should be blocked if final destination is private
curl -X POST http://localhost:8080/api/v1/settings/test-url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <token>" \
-d '{"url": "https://httpbin.org/redirect-to?url=http://127.0.0.1/"}'8. Webhook Configuration Endpoints
| Test ID | Endpoint | Payload | Expected |
|---|---|---|---|
| SSRF-070 | POST /api/v1/settings/security/webhook |
{"webhook_url": "http://10.0.0.1/"} |
❌ 400 |
| SSRF-071 | POST /api/v1/notifications/custom-webhook |
{"webhook_url": "http://192.168.1.1/"} |
❌ 400 |
| SSRF-072 | POST /api/v1/settings/security/webhook |
{"webhook_url": "https://hooks.slack.com/test"} |
✅ 200 |
Verification Checklist
- All private IP ranges blocked (10.x, 172.16-31.x, 192.168.x)
- Localhost/loopback blocked (127.x, ::1)
- Cloud metadata blocked (169.254.169.254)
- Link-local blocked (169.254.x.x, fe80::)
- Invalid schemes blocked (file, ftp, gopher, data)
- IPv6-mapped IPv4 blocked
- Redirect to private IP blocked
- Legitimate external URLs allowed
- Error messages don't leak internal details
Pass Criteria
- All SSRF-0xx tests marked "Blocked" return HTTP 400
- All SSRF-0xx tests marked "Allowed" return HTTP 200 or non-security error
- No test reveals internal IP addresses or hostnames in error messages
Last Updated: December 31, 2025
Auto-created from ssrf-manual-test-plan.md