What is SSRF in the context of PHP applications?

SSRF (Server-Side Request Forgery) is a vulnerability where an attacker tricks a PHP server into making unauthorized requests to internal resources, cloud metadata services, or external sites.

Does this skill support popular PHP libraries like Guzzle?

Yes, it specifically detects vulnerable patterns in Guzzle, cURL, and native PHP functions like file_get_contents, fopen, and readfile.

Does it provide code fixes for the detected vulnerabilities?

It provides secure implementation patterns, such as strict URL allowlisting, private IP blocking using FILTER_VALIDATE_IP, and secure Guzzle configurations.

Can it detect complex bypasses like DNS rebinding?

Yes, the skill is designed to identify patterns prone to DNS rebinding, protocol confusion, and URL encoding bypasses often used to circumvent simple filters.

PHP SSRF Security Checker

Name: PHP SSRF Security Checker
Author: dykyi-roman

bydykyi-roman

•

セキュリティとテスト

Detects and prevents Server-Side Request Forgery (SSRF) vulnerabilities in PHP applications by analyzing URL handling and network request patterns.

This skill enables Claude to perform comprehensive security audits on PHP codebases to identify SSRF risks, categorized under OWASP A10:2021. It scans for critical vulnerabilities including unvalidated user-controlled URLs, unauthorized access to cloud metadata endpoints (AWS, GCP, Azure), and attempts to bypass internal network protections via localhost or private IP ranges. By identifying dangerous patterns in HTTP clients like Guzzle or native functions like file_get_contents, it provides developers with actionable remediation steps and secure validation patterns to protect their infrastructure.

主な機能

01Detects unvalidated user-controlled URLs in HTTP requests and cURL operations

02Identifies unauthorized access attempts to Cloud Metadata endpoints (AWS, GCP, Azure)

03Scans for protocol-based attacks including file://, gopher://, and dict://

04Analyzes SSRF risks in PDF/Image generation and webhook implementations

0545 GitHub stars

06Flags URL parsing bypasses such as Unicode dots, DNS rebinding, and protocol confusion

ユースケース

01Automated security auditing of PHP codebases for OWASP Top 10 vulnerabilities

02Secure implementation of webhooks and external data fetching services

03Code review for preventing internal network exposure and cloud metadata leaks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-ssrf

For use in Claude.ai and ChatGPT

Download Skill