Loopus



SSRF Attacks

30 min
lab
+70 XP

Learning Objectives

  • Understand Server-Side Request Forgery
  • Learn to exploit SSRF for internal network access
  • Master SSRF bypass techniques

Server-Side Request Forgery (SSRF)

SSRF vulnerabilities allow attackers to make the server perform requests to unintended locations. By abusing the server's network position and the trust relationships it holds, attackers can reach internal services, cloud metadata endpoints, and other protected resources.

Understanding SSRF

Many applications fetch resources from user-supplied URLs to display images, check links, or integrate with APIs. When attackers control these URLs, they can redirect the server's requests to internal resources.

Basic SSRF Exploitation

Testing for SSRF involves submitting internal addresses such as 127.0.0.1 or cloud metadata endpoints in place of the expected URL. A successful request reveals internal services that are unreachable from outside.

Cloud Metadata Endpoints

SSRF in cloud environments often targets metadata services. AWS, GCP, and Azure all expose instance metadata at special IP addresses that can reveal credentials and configuration.

SSRF Bypass Techniques

Applications often implement URL filtering. Common bypasses include alternate IP representations (decimal, hex, octal), URL encoding, DNS rebinding (the hostname resolves to a public address when checked and to an internal one when fetched), and redirect chains.

SSRF Impact

Successful SSRF can lead to reading sensitive internal data, accessing cloud credentials and secrets, port scanning internal networks, exploiting internal services, and bypassing firewalls and access controls.

Prevention

Defend against SSRF by validating URLs against an allowlist, blocking internal IP ranges (after resolving the hostname and normalising alternate IP notations), disabling HTTP redirects, placing the fetching component in a separate network segment, and implementing egress filtering.
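The following is an added example, not course or Loopus code, of the URL validation the Prevention section describes, written to withstand the alternate IP notations, DNS rebinding and redirect bypasses listed under SSRF Bypass Techniques. The scheme list, internal ranges, the injectable `resolve` callback and the hostnames used in comments are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no gopher://, file://, dict://, ftp://
# Ranges the fetcher must never reach; extend for your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_ip_literal(host):
    """ip_address for an IP literal, else None. inet_aton accepts the loose forms
    the lesson lists (2130706433, 0x7f000001, 0177.0.0.1, 127.1) that defeat a
    naive '127.0.0.1' string match, so it is tried before the strict parser."""
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literal, brackets already stripped
    except ValueError:
        return None

def is_internal(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254), then range-check."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)

def _dns(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_fetch_url(url, allowed_hosts=None, resolve=_dns):
    """Return (hostname, pinned_ip) if the server may fetch url, else raise
    ValueError. resolve(host) -> list of IP strings, injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or (allowed_hosts is not None and host not in allowed_hosts):
        raise ValueError(f"host missing or not on allowlist: {host!r}")
    literal = parse_ip_literal(host)
    addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    # Every record must pass, or DNS rebinding / mixed A records slip through.
    if not addrs or any(is_internal(ip) for ip in addrs):
        raise ValueError(f"{host} -> {addrs}: unresolved or internal address")
    # The caller must connect to pinned_ip (sending Host: host) and must not
    # follow redirects, or the address checked here is not the one contacted.
    return host, str(addrs[0])
```

Log every rejection: a stream of decimal, octal or metadata-address URLs from one client is a clear SSRF probing signal for detection.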

Answer the Questions

Question 1 (Knowledge)

Attacking internal systems via the server is?

Format: **** (4 chars), exact match required

Question 2 (Hands-On)

What IP loops back to the local host?

Format: ********* (9 chars), exact match required

Question 3 (Knowledge)

What IP exposes cloud instance metadata?

Format: *************** (15 chars), exact match required

Question 4 (Hands-On)

What protocol handler allows raw TCP payload SSRF?

Format: ****** (6 chars), exact match required

Submit Flag

Found the flag? Submit it below to complete this lesson.
Format: LOOPUS{...}
