Category: Web Application | Severity: Critical

Server-Side Request Forgery (SSRF)

SSRF turns your server into a proxy that attackers aim at targets only the server can reach. In cloud environments, weak controls expose the instance metadata service, the credentials it hands out, and private services that were never meant to be reachable from the internet.

How Attackers Use It

Attack Summary

Attacker supplies a crafted URL that tricks the server into making requests to internal resources — cloud metadata APIs (169.254.169.254), internal admin panels, or other backend services.

  • User-controlled URL input is accepted by image fetchers, webhooks, or import features.
  • Attacker probes internal ranges and cloud metadata endpoints.
  • HTTP redirects and DNS rebinding (the hostname that passed validation resolves to an internal address when the request is actually made) bypass filters that only check the original URL.
  • Stolen credentials are reused for lateral movement and persistence.

Defensive Strategy

Defense Summary

Allowlist-based validation of scheme, host, and port. Block requests to RFC-1918, loopback, and link-local ranges for both IPv4 and IPv6. Require IMDSv2 (session-token) access to the metadata service on AWS. Do not let the HTTP client follow redirects on its own; treat every Location target as a new request that must pass the same checks.

  • Implement strict allowlists for schemes, hosts, and ports; reject URLs that carry credentials (user@host) or non-HTTP schemes such as file:// and gopher://.
  • Resolve the hostname, reject the request if any returned address is internal, then connect to that validated address rather than the hostname, so a second lookup cannot be rebound to an internal target.
  • Block loopback, link-local (169.254.0.0/16, fe80::/10), RFC-1918, and IPv6 unique-local (fc00::/7) destinations at egress controls, including their IPv4-mapped IPv6 forms (::ffff:a.b.c.d).
  • Harden cloud metadata access with IMDSv2 (and a PUT response hop limit of 1 unless containers need the token through an extra network hop) and tightly scoped instance roles.
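
The guard described above, as an added example that is not part of the original page: an allowlist check on scheme, userinfo, host and port, a DNS resolution whose every answer is tested against internal ranges, a connection pinned to the checked address, and redirects followed by hand so each hop is re-validated. The allowlisted hosts, the resolver table and the transport function are assumptions constructed for the demo; in production `transport` would be your HTTP client connecting to the given IP with the validated name as Host/SNI.

```python
"""Added example (not from the original page): allowlist-based outbound-URL guard
with DNS re-check, IP pinning and per-hop redirect re-validation. Allowlists, the
resolver table and the transport stub below are constructed assumptions."""
import ipaddress
from urllib.parse import urljoin, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}                          # no file://, gopher://, ftp://
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"images.example.com", "hooks.example.com"}  # assumed policy
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_internal(ip_text: str) -> bool:
    """True for any address a fetcher must never reach: RFC-1918, loopback, link-local
    (169.254.0.0/16, fe80::/10), IPv6 ULA, CGNAT (100.64.0.0/10), reserved, unspecified,
    multicast. IPv4-mapped IPv6 is unwrapped first so ::ffff:10.0.0.1 is caught."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def validate_target(url: str, resolve):
    """Apply scheme/userinfo/host/port policy, resolve, and reject if ANY returned
    address is internal. Returns (host, port, ips): the caller connects to one of
    `ips` and never resolves `host` again (a second lookup is where rebinding wins)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")       # blocks http://allowed@evil/
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)  # .port raises on junk
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host}")
    ips = resolve(host)
    if not ips:
        raise ValueError(f"no address for {host}")
    for ip in ips:
        if is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    return host, port, ips


def safe_fetch(url: str, resolve, transport, max_redirects: int = 3):
    """Fetch with redirects handled by hand: each hop is re-validated, and `transport`
    is told which already-checked IP to connect to and which Host name to send."""
    for _ in range(max_redirects + 1):
        host, port, ips = validate_target(url, resolve)
        parts = urlsplit(url)
        path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
        status, headers, body = transport(ips[0], port, host, path)
        if status in REDIRECT_STATUSES:
            location = headers.get("location")
            if not location:
                raise ValueError("redirect without Location")
            url = urljoin(url, location)   # goes back through validate_target
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed resolver table standing in for DNS; hooks.example.com has been
# pointed at an internal address by its owner (the rebinding case).
DEMO_DNS = {"images.example.com": ["93.184.216.34"], "hooks.example.com": ["10.0.0.5"]}


def demo_resolve(host):
    return DEMO_DNS.get(host, [])


def demo_transport(ip, port, host, path):
    """Constructed transport: /redirect on the image host bounces to the metadata API."""
    if host == "images.example.com" and path == "/redirect":
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, f"fetched {path} from {host} via {ip}:{port}".encode()


def check(url: str) -> str:
    """Run a URL through the guard; returns 'ok:<body>' or 'blocked:<reason>'."""
    try:
        _status, body = safe_fetch(url, demo_resolve, demo_transport)
        return "ok:" + body.decode()
    except ValueError as exc:
        return "blocked:" + str(exc)


if __name__ == "__main__":
    for u in ["https://images.example.com/a.png", "http://169.254.169.254/latest/meta-data/",
              "http://images.example.com/redirect", "http://hooks.example.com/cb",
              "http://images.example.com@10.0.0.1/", "file:///etc/passwd"]:
        print(f"{u} -> {check(u)}")
```

The redirect to 169.254.169.254 is refused because the Location target goes back through the same allowlist; the rebound hooks.example.com is refused because the resolver answer, not just the name, is checked; and the order of checks (scheme, userinfo, port, host, then DNS) keeps the expensive lookup last.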

Detection Signals

  • Application servers making unusual requests to private IP ranges.
  • Outbound traffic to metadata endpoints from unexpected services.
  • Webhook or URL-fetch features receiving target URLs that point at private, loopback, or link-local hosts, spell an IP in decimal, hex, or octal, embed credentials (user@host), or use unexpected schemes such as file:// or gopher://.
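
The three signals above turned into triage logic, as an added example that is not part of the original page. The key=value egress-log format, the service names, the sample lines and the metadata host list are assumptions constructed for the demo; adapt the parser and the fetcher-service set to your own proxy or flow logs.

```python
"""Added example (not from the original page): triage egress/proxy log lines for SSRF
signals. Log format, service names, sample lines and host lists are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

FETCHER_SERVICES = {"image-fetcher", "webhook-dispatcher", "importer"}  # assumed internet-facing fetchers
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}        # extend per cloud provider
ALLOWED_SCHEMES = {"http", "https"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def internal_ip(text):
    """True if `text` is a non-global IP (RFC-1918, loopback, link-local, ULA, CGNAT)."""
    try:
        ip = ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return False                          # a hostname, not an address
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def looks_obfuscated(host):
    """Decimal (http://2852039166/ is 169.254.169.254), hex (0xa9fea9fe) or octal
    (0251.0376.0251.0376) IP spellings that naive filters miss but resolvers accept."""
    if not host:
        return False
    if host.isdigit():
        return True
    return any(p.lower().startswith("0x") or (len(p) > 1 and p[0] == "0" and p.isdigit())
               for p in host.split("."))


def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line):
    """Return (src, svc, findings) for one log line; findings is empty when benign."""
    rec = parse_line(line)
    svc, dst, url = rec.get("svc"), rec.get("dst"), rec.get("url", "")
    parts = urlsplit(url) if url else None
    host = parts.hostname if parts else None
    findings = []
    if dst in METADATA_HOSTS or host in METADATA_HOSTS:
        findings.append("metadata-endpoint")
    elif dst and internal_ip(dst) and svc in FETCHER_SERVICES:
        findings.append("internal-destination")   # dst may differ from URL host: rebinding
    if parts and parts.scheme not in ALLOWED_SCHEMES:
        findings.append("unexpected-scheme")
    if parts and (parts.username is not None or looks_obfuscated(host)):
        findings.append("obfuscated-url")
    return rec.get("src"), svc, findings


def triage(lines):
    """Keep only the lines that raised at least one finding."""
    return [r for r in map(classify, lines) if r[2]]


# Constructed sample lines, not real logs. The last line is an internal service
# talking to an internal vault and must not fire (it is not a URL fetcher).
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:01Z src=web-01 svc=image-fetcher dst=93.184.216.34 port=443 url=https://images.example.com/a.png",
    "ts=2024-05-01T10:00:02Z src=web-01 svc=image-fetcher dst=169.254.169.254 port=80 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "ts=2024-05-01T10:00:03Z src=web-02 svc=webhook-dispatcher dst=10.0.0.5 port=80 url=http://hooks.example.com/cb",
    "ts=2024-05-01T10:00:04Z src=web-02 svc=webhook-dispatcher dst=10.0.0.8 port=6379 url=gopher://10.0.0.8:6379/_SET",
    "ts=2024-05-01T10:00:05Z src=web-01 svc=image-fetcher dst=169.254.169.254 port=80 url=http://2852039166/latest/meta-data/",
    "ts=2024-05-01T10:00:06Z src=batch-01 svc=backup-agent dst=10.0.0.20 port=443 url=https://vault.internal/v1/backup",
]

if __name__ == "__main__":
    for src, svc, findings in triage(SAMPLE_LOG):
        print(f"{src} {svc}: {', '.join(findings)}")
```

Scoping the internal-destination rule to known fetcher services is what keeps the noise down: every microservice talks to private addresses, but an image fetcher or webhook dispatcher has no business doing so. The rebinding line fires even though its URL names an allowlisted public host, because the check is on the address actually connected to.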

Keywords

Server-Side Request Forgery (SSRF), SSRF Detection, SSRF Prevention, Critical Severity, Web Application Security, Attack and Defense, Threat Detection, Security Hardening
