If your code accepts URIs as input, filter out “fi...

[Eridrus]

This is a special case of a Server-Side Request Forget vulnerability. Validating schemes is part of the answer but not the whole answer because attackers can still forge requests to internal resources you have firewalled off from the internet.

These were recently released to help people deal with these issues since the details can be finicky: http://blog.includesecurity.com/2016/08/safeurl-server-side-...

[RegW]

Really. Surely if I tried to enter http://localhost:8983/solr/admin/cores?action=UNLOAD&core=co... the back service would be password protected.

Oh, wait a minute.

[Eridrus]

Should say "Server-Side Request Forgery", damn mobile.