SSRF, or Server-Side Request Forgery, is a vulnerability class where an attacker can cause the server to make HTTP requests to destinations of the attacker's choosing. Because the request originates from the server rather than the attacker's machine, it can reach internal services, cloud metadata endpoints, and resources behind firewalls that are otherwise inaccessible from the internet.
How It Works
SSRF vulnerabilities arise in any application feature that fetches content from a URL provided by the user. This includes URL preview generators, webhook delivery systems, file import features, PDF rendering engines, and image processing pipelines. When an attacker submits an internal URL like http://localhost:8080/admin or the cloud metadata endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/, the server fetches the resource and may return the response content to the attacker.
Even when the response is not returned to the attacker, blind SSRF can still do real damage. An attacker can map internal network topology by observing response times and error messages, identifying which internal hosts and ports are reachable. In cloud environments, blind SSRF to the metadata endpoint can leak temporary credentials even if the response body is never displayed, through timing side channels or by directing the server to send the data to an attacker-controlled endpoint.
Effective SSRF prevention requires a combination of controls. Allowlisting permitted destination hosts is more secure than blocklisting known internal addresses, as blocklists are routinely bypassed through DNS rebinding, alternative IP representations, and URL redirect chains. Network-level controls that isolate the application from sensitive internal services provide defense in depth. Disabling unused URL schemes and following redirects cautiously further reduce the attack surface.
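The controls above as a worked URL validator, added here as an example and not code from the original article: an allowlist of schemes and hosts, resolution of every DNS answer and rejection of any non-public address (169.254.169.254 is link-local and fails the check), a pinned IP the HTTP client must connect to so that a DNS rebinding between validation and connect has nothing to act on, and re-validation of each redirect hop instead of letting the client follow Location on its own. The host names, addresses and the injectable resolve parameter are constructed assumptions.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # hypothetical placeholder allowlist
ALLOWED_SCHEMES = {"http", "https"}                     # everything else (file, gopher, ...) is off
MAX_REDIRECTS = 3

@dataclass(frozen=True)
class SafeTarget:
    scheme: str
    host: str
    port: int
    ip: str  # pinned address: the HTTP client connects here and never re-resolves the name

def is_public(ip):
    """False for loopback, link-local (169.254.169.254 included), RFC 1918, CGNAT, ULA, multicast."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_url(url, resolve=None):
    """Allowlist scheme and host, resolve (injectable for offline tests), reject non-public answers."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None:
        raise ValueError("userinfo in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    addrs = resolve(host) if resolve else [i[4][0] for i in socket.getaddrinfo(host, None)]
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError(f"{host} resolves to a non-public address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return SafeTarget(parts.scheme, host, port, addrs[0])

def validate_redirect(current, location, hop, resolve=None):
    """Re-validate every redirect hop instead of letting the HTTP client follow Location itself."""
    if hop >= MAX_REDIRECTS:
        raise ValueError("too many redirects")
    base = f"{current.scheme}://{current.host}:{current.port}/"
    return validate_url(urljoin(base, location), resolve)

def outcome(fn, *args):
    """'ok' if accepted, otherwise the rejection reason."""
    try:
        return fn(*args) and "ok"
    except ValueError as e:
        return str(e)
```

The validator rejects any name whose answers mix public and internal addresses, so a resolver that alternates answers cannot slip an internal target through on a later lookup.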
Why It Matters
SSRF has grown in severity as cloud adoption has increased. Cloud metadata services were designed with the assumption that only trusted processes would access them, but SSRF breaks that assumption by letting external attackers make requests from within the trusted network. A single SSRF vulnerability in a cloud-hosted application can compromise the entire cloud account. Security assessments prioritize testing for SSRF because of this outsized impact potential.