HIGH ssrfaxumdynamodb

Ssrf in Axum with Dynamodb

Scan for ssrf in axum

Ssrf in Axum with Dynamodb — how this specific combination creates or exposes the vulnerability

Server-Side Request Forgery (SSRF) in an Axum application that interacts with DynamoDB can occur when user-supplied data influences both HTTP requests made by the service and the parameters used to access DynamoDB. An attacker may provide a malicious URL or metadata service endpoint that causes the backend to perform unintended network requests, and poorly constructed DynamoDB operations may reflect or log those inputs in ways that amplify exposure.

Consider an Axum handler that accepts a table_name and an item_id to fetch a DynamoDB item. If the handler builds the request using unchecked user input, an attacker can supply a DynamoDB table name that references an internal AWS metadata service address (e.g., 169.254.169.254) if the SDK or runtime allows such values. While DynamoDB itself does not resolve internal endpoints, the surrounding infrastructure might, especially if the application also performs HTTP calls based on the same input. For example, the app might retrieve an item from DynamoDB and then use a field from that item (such as a URL or S3 path) to make an outbound HTTP request. If that field is controlled by an attacker and the request is not validated, SSRF occurs.

Real-world patterns include:

  • An attacker provides a DynamoDB KeyConditionExpression that includes a fabricated URL-like string, which later gets used in an HTTP client call embedded in application logic.
  • Misconfigured IAM permissions combined with user-controlled request parameters allow probing of the metadata service from within the host, revealing instance credentials or sensitive configuration.
  • Logging or error messages that include raw user input can expose internal network layout when those messages are exfiltrated through SSRF channels.

Because middleBrick tests unauthenticated attack surfaces, it can detect SSRF risks that arise from insufficient input validation and improper handling of outbound requests, even when DynamoDB interactions appear isolated. The scanner’s checks for SSRF, Input Validation, and Unsafe Consumption are particularly relevant for this combination, ensuring that user-controlled data does not lead to unauthorized network interactions.

Dynamodb-Specific Remediation in Axum — concrete code fixes

Remediation focuses on strict validation, whitelisting, and separation of concerns so that DynamoDB operations cannot be tricked into making unintended network calls. In Axum, this means validating all inputs before constructing requests and avoiding the use of user data in ways that affect routing, endpoints, or SDK parameters.

Use strong type definitions and validation libraries such as validator or serde_with to ensure inputs conform to expected patterns. For DynamoDB operations, prefer static table names or an allowlist, and never directly interpolate user input into key expressions.

use aws_sdk_dynamodb::types::AttributeValue;
use aws_sdk_dynamodb::Client;
use axum::extract::Query;
use serde::Deserialize;

#[derive(Deserialize)]
pub struct ItemQuery {
    pub user_id: String,
    // Only allow alphanumeric user IDs to prevent injection
    #[serde(deserialize_with = "validate_user_id")]
    pub item_id: String,
}

fn validate_user_id<'de, D>(deserializer: D) -> Result<String, D::Error>
where
    D: serde::Deserializer<'de>,
{
    let s = String::deserialize(deserializer)?;
    if s.chars().all(|c| c.is_ascii_alphanumeric()) {
        Ok(s)
    } else {
        Err(serde::de::Error::custom("invalid item_id"))
    }
}

pub async fn get_item(
    Query(params): Query<ItemQuery>,
    client: &Client,
) -> Result<impl IntoResponse, (axum::http::StatusCode, String)> {
    // Use a static table name; never derive it from user input
    let table_name = "UserProfile";

    let key = aws_sdk_dynamodb::types::AttributeValue::S(params.item_id);
    let output = client
        .get_item()
        .table_name(table_name)
        .key("user_id", key)
        .send()
        .await
        .map_err(|e| (axum::http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;

    if let Some(item) = output.item() {
        Ok(axum::Json(item.clone()))
    } else {
        Err((axum::http::StatusCode::NOT_FOUND, "Item not found".into()))
    }
}

Additional measures include:

  • Never use fields from DynamoDB items to construct URLs or HTTP requests without strict validation and allowlisting.
  • Enforce least-privilege IAM roles so that the application cannot access sensitive AWS metadata endpoints.
  • Enable DynamoDB Streams and audit logs to detect anomalous access patterns that might indicate exploitation attempts.

middleBrick’s scans for Input Validation, BOLA/IDOR, and SSRF help identify whether your Axum endpoints and DynamoDB integrations expose unsafe behaviors. The CLI (middlebrick scan <url>) and GitHub Action can automate detection of these classes of issues during development and deployment.

Related CWEs: ssrf

CWE IDNameSeverity
CWE-918Server-Side Request Forgery (SSRF) CRITICAL
CWE-441Unintended Proxy or Intermediary (Confused Deputy) HIGH
Scan for ssrf in axum Free API security scan

Frequently Asked Questions

Can SSRF be triggered through DynamoDB table names in Axum?
Direct SSRF via DynamoDB table names is unlikely because DynamoDB does not resolve internal network endpoints. However, if your Axum code uses a table name to construct subsequent HTTP calls or references internal metadata, SSRF may occur indirectly through those outbound requests.
How does middleBrick detect SSRF risks in APIs using DynamoDB?
middleBrick tests unauthenticated attack surfaces by analyzing OpenAPI specs and runtime behavior. It checks Input Validation, SSRF, and Unsafe Consumption to identify whether user-controlled data can lead to unauthorized network interactions, regardless of the backend datastore.

Related Pages

Ssrf in AxumLearn how Server-Side Request Forgery (SSRF) affects Axum applications, with specific attack patterns, detection methodsSsrf in DynamodbLearn how Server-Side Request Forgery (SSRF) affects DynamoDB applications, including specific attack patterns, detectioSsrf in Axum on AzureSSRF in Axum on Azure: causes, Azure metadata risks, and concrete Rust code fixes with allowlists and IP blocking.Ssrf in Axum on CloudflareUnderstand SSRF in Axum behind Cloudflare and apply concrete code fixes to validate inputs and restrict outbound requestHipaa: Ssrf in AxumExplore HIPAA-relevant SSRF risks in Axum services, with concrete remediation code and guidance for secure external requGdpr: Ssrf in AxumGDPR implications of SSRF in Axum services, with Axum-specific secure request handling and remediation examples.Ssrf in Axum with Jwt TokensSSRF in Axum with JWT tokens: risks and remediation with concrete Axum code examples.Ssrf in Axum with Basic AuthmiddleBrick scans API endpoints for SSRF and security risks. Learn how SSRF can occur in Axum with Basic Auth and implemSsrf in Axum with Api KeysSSRF in Axum with API keys: how user-influenced URLs and keyed headers create risk, and concrete Rust code to validate hIso 27001: Ssrf in AxumExplore SSRF in Axum through ISO 27001 controls, understand risk scenarios, and apply concrete Rust code fixes to restriSsrf in Axum with Mutual TlsSSRF in Axum with Mutual TLS: how mTLS affects SSRF and concrete Axum code fixes with allowlisting and private IP blockiCis: Ssrf in AxumCis in Ssrf with Axum — how SSRF arises when forwarding user URLs to internal services, and Axum-specific fixes with all