Server-Side Request Forgery (SSRF)
SSRF lets an attacker trick a server into making HTTP requests on their behalf, to internal services, cloud metadata APIs, or other servers behind a firewall that the attacker cannot reach directly.
Prevention
How to fix
Allowlist permitted URL schemes and destinations
Block 169.254.0.0/16, 10.0.0.0/8, 127.0.0.1
Disable unnecessary URL-fetching features
Use cloud IAM with IMDSv2 (token-based)
Strip credentials from proxied responses
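The prevention list above can be turned into a single pre-fetch check. The code below is an added example, not part of the original page: it enforces an allowlist of URL schemes and destination hostnames, resolves the hostname and rejects the request if any returned address falls in a blocked range (the listed 169.254.0.0/16, 10.0.0.0/8 and 127.0.0.1, plus the other RFC 1918, loopback and link-local ranges that belong in the same block), and returns a pinned address for the caller to connect to. The hostnames, addresses and the `ALLOWED_HOSTS` set are constructed values; the resolver is injectable only so the check can be exercised without network access.

```python
"""Allowlist-based URL check for a server-side fetcher (added example).

Enforces: permitted schemes, a destination-host allowlist, and a block on
link-local / private / loopback ranges even for allowlisted hosts (defense in
depth against an allowlisted name that resolves somewhere internal).
All hostnames and IPs below are constructed example values.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames this server is permitted to fetch from (constructed example values).
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}

# Ranges a server-side fetcher must never reach, regardless of the allowlist.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local, includes the cloud metadata endpoint
    "10.0.0.0/8",       # RFC 1918 private
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "0.0.0.0/8",        # "this" network
    "::1/128",          # IPv6 loopback
    "fe80::/10",        # IPv6 link-local
    "fc00::/7",         # IPv6 unique local
)]


class UnsafeURL(ValueError):
    """Raised when a URL fails the SSRF pre-fetch check."""


def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is checked as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url, resolver=default_resolver):
    """Return (hostname, pinned_ip) if url is safe to fetch, else raise UnsafeURL.

    The caller should connect to pinned_ip (sending the Host header for
    hostname) rather than re-resolving, so a DNS answer that changes between
    check and fetch cannot redirect the request to a blocked address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeURL("missing host")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        raise UnsafeURL(f"cannot resolve {host!r}: {exc}")
    if not addrs:
        raise UnsafeURL(f"no addresses for {host!r}")
    # Every answer must be safe: a mix of public and internal answers is a
    # classic way past a check that only looks at the first address.
    for ip in addrs:
        if _is_blocked(ip):
            raise UnsafeURL(f"{host!r} resolves to blocked address {ip}")
    return host, addrs[0]


def is_safe_fetch_url(url, resolver=default_resolver):
    """Boolean wrapper around validate_fetch_url for callers that only need yes/no."""
    try:
        validate_fetch_url(url, resolver)
    except UnsafeURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {
        "images.example.com": ["203.0.113.10"],
        "api.partner.example": ["203.0.113.20", "10.0.0.5"],  # one internal answer
    }
    for candidate in (
        "https://images.example.com/logo.png",
        "https://api.partner.example/v1/items",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", "allowed" if is_safe_fetch_url(candidate, fake_dns.__getitem__) else "rejected")
```

Two things the check cannot do on its own: the HTTP client must connect to the pinned address instead of re-resolving the name, and it must not follow redirects automatically, since a redirect target is a new URL that needs the same validation before the next hop is fetched.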