Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server to make HTTP requests to a destination of the attacker's choosing. Because the request originates from the server, it can expose internal services or cloud instance metadata and can serve as a pivot for further attacks from the server's trusted network position.

How It Works

Applications that fetch external resources based on user input (URL importers, webhooks, PDF generators) can be exploited if the supplied URL is not validated sufficiently. Because the outgoing requests carry the server's own IP address, they can reach hosts that firewalls and network segmentation would block for an external client.

Example

// Vulnerable endpoint that fetches URLs
GET /fetch?url=http://example.com/image.png

// Attack: Access internal services
GET /fetch?url=http://localhost:8080/admin

// Attack: Read cloud metadata (AWS)
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

// Attack: Access internal network
GET /fetch?url=http://192.168.1.1/admin

Impact

  • Access internal/private services that are not reachable from the Internet
  • Read cloud instance metadata (AWS, GCP, Azure credentials)
  • Port scanning of the internal network
  • Bypass IP-based authentication (requests arrive from a trusted address)
  • Remote code execution via internal services

Prevention

  • Allowlist permitted domains/IPs
  • Block requests to private IP ranges and localhost
  • Disable unnecessary URL schemes (file://, gopher://)
  • Use IMDSv2 for cloud metadata protection
  • Validate and sanitize URLs server-side
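The following validator, added here as an illustration and not code from PentesterLab or any particular framework, puts the prevention steps above together for a hypothetical /fetch endpoint: it accepts only http and https, enforces a host allowlist, resolves every address the host points to and rejects anything that is not globally routable (loopback, RFC 1918, the 169.254.0.0/16 link-local range that carries cloud metadata, IPv4-mapped IPv6 addresses), and returns the vetted IP so the caller can connect to that address instead of resolving the name a second time. The allowlist contents, the function names and the resolver injection point are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for the hypothetical /fetch endpoint (not from the page):
# only http(s), and only to hosts the application actually needs.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


def resolve_all(hostname):
    """Return every A/AAAA answer for hostname, so no address escapes the check."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_str):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (169.254.169.254 metadata), CGNAT
    (100.64.0.0/10), multicast, reserved and unspecified all return False.
    IPv4-mapped IPv6 addresses are unwrapped first, so ::ffff:127.0.0.1 is
    still treated as loopback.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved or ip.is_link_local)


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_all):
    """Validate a user-supplied URL before the server fetches it.

    Returns (ok, reason, pinned_ip). When ok is True the caller should open the
    connection to pinned_ip and set the Host header itself, rather than
    resolving the name again: a DNS answer that changes between check and use
    (rebinding) would otherwise redirect the request to an internal address.
    Any HTTP redirect the fetch follows must be passed through this function
    again before it is honoured.
    """
    try:
        parts = urlparse(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", None
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        # http://trusted-host@169.254.169.254/ parses with hostname 169.254.169.254;
        # reject userinfo outright so the allowlist cannot be confused by it.
        return False, "userinfo in url", None
    if host not in allowed_hosts:
        return False, f"host not in allowlist: {host!r}", None
    # Defence in depth: even an allowlisted name must resolve to public addresses only.
    try:
        addresses = resolve(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"dns failure: {exc}", None
    if not addresses:
        return False, "no addresses", None
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}", None
    return True, "ok", addresses[0]


if __name__ == "__main__":
    # Constructed DNS answers so the demonstration runs offline.
    fake_dns = {"cdn.example.com": ["93.184.216.34"]}
    for candidate in (
        "http://cdn.example.com/image.png",
        "http://localhost:8080/admin",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://192.168.1.1/admin",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_fetch_url(candidate, resolve=fake_dns.__getitem__))
```

The resolver is injectable so the policy can be unit-tested with constructed DNS answers, including the case where an allowlisted name is made to resolve to 127.0.0.1. In production the default `resolve_all` is used, and the fetch is made to the returned `pinned_ip` with redirects disabled or re-validated.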

PentesterLab Exercises