Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker causes a server-side application to issue a request to a destination the attacker chooses. It arises when the application fetches a resource based on a user-supplied URL (a webhook target, an image or document import, a link preview, a PDF renderer) without adequately validating where that URL actually points. Because the request originates from the server, it carries the server's network position and often its credentials, so the attacker can reach internal services, cloud provider metadata endpoints, and other resources that are shielded from direct external access. Although the typical case is an HTTP fetch, any scheme the underlying client library supports (file://, gopher://, ftp://, dict://) widens what the attacker can do.
SSRF has become increasingly critical with the rise of cloud computing. Attackers frequently target cloud metadata endpoints (such as the AWS instance metadata service at 169.254.169.254) to retrieve temporary credentials, access keys, or configuration data, and a single SSRF can escalate to full cloud account compromise. The metadata services have hardened in response: AWS IMDSv2 requires a session token obtained with a PUT request before any metadata can be read, and GCP and Azure require a custom request header (Metadata-Flavor: Google and Metadata: true respectively). A simple GET-only SSRF cannot satisfy these requirements, so enforcing them (for example, disabling IMDSv1 on AWS instances) is a meaningful mitigation, though not a substitute for fixing the application.
There are two main types. In basic (in-band) SSRF the body of the internal response is returned to the attacker, so internal services can be read directly. In blind SSRF the attacker never sees the response, but can still trigger internal requests and infer information from timing differences, error messages, or status codes, or confirm exploitation out of band by pointing the server at an attacker-controlled host and watching for the DNS lookup or HTTP callback.
Effective mitigation starts with a strict allowlist of permitted schemes, hosts and ports; denylists of private ranges are easy to bypass with alternative encodings (decimal or octal IP forms, IPv4-mapped IPv6 addresses, DNS names that resolve to internal addresses). Even with an allowlist, resolve the hostname, check every returned address against private, loopback, link-local and cloud metadata ranges, and then connect to the address that was checked rather than resolving the name a second time, since a DNS rebinding attack can change the answer between the check and the connection. Do not follow redirects automatically; re-validate each Location header the same way. Reject URLs that carry credentials (http://user@host/). Disable unnecessary URL schemes such as file:// and gopher:// in the client library, enforce IMDSv2 or the equivalent header requirement on the cloud side, and use network-level egress filtering so the application server can only reach the hosts it genuinely needs.
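The following is an added example (not code from the original page) showing an allowlist-based URL vetting routine that applies the checks described above: scheme, host and port allowlists, rejection of embedded credentials, resolution of the hostname with every returned address checked against blocked ranges (including the 169.254.0.0/16 link-local block that contains the cloud metadata address), and pinning of the vetted address so the caller connects to it rather than re-resolving the name. The allowlisted hosts, the fake DNS table and the policy values are assumptions constructed for the demonstration; the resolver is injectable so the routine can be exercised offline.

```python
"""Allowlist-based URL vetting for server-side fetches (added example, not the page's code)."""
import ipaddress
import socket
from typing import Callable, List, NamedTuple
from urllib.parse import urlsplit

# Assumed policy for this example: only these schemes, hosts and ports may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.org"}   # hypothetical allowlist
ALLOWED_PORTS = {80, 443}

# Address ranges the server must never connect to, even when an allowlisted
# name resolves there (DNS rebinding, poisoned DNS, stale allowlist entry).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local; contains cloud metadata 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SafeTarget(NamedTuple):
    scheme: str
    host: str      # name to send in the Host header (and SNI for https)
    port: int
    ip: str        # vetted address the caller must actually connect to


class UnsafeURL(ValueError):
    """Raised when a URL fails any of the SSRF checks."""


def _unmap(ip):
    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps so the IPv4 blocks apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def is_blocked_ip(addr: str) -> bool:
    ip = _unmap(ipaddress.ip_address(addr))
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> List[str]:
    # Real DNS lookup: every A/AAAA answer is returned and every one must pass.
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def vet_url(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> SafeTarget:
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"{host!r} did not resolve")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise UnsafeURL(f"{host!r} resolves to blocked address {addr}")
    # Pin one vetted address: the caller connects to this IP, not to the name
    # again, which closes the resolve-then-connect rebinding window.
    return SafeTarget(parts.scheme, host, port, addrs[0])


def is_safe(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> bool:
    try:
        vet_url(url, resolver)
        return True
    except ValueError:          # UnsafeURL is a ValueError subclass
        return False


# Constructed DNS table so the demo runs offline (hypothetical addresses).
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.org": ["2001:db8::10"],
    "internal.example.com": ["10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items?id=3",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://api.example.com@10.0.0.5/",
        "http://internal.example.com/",
    ):
        print(f"{candidate!s:50} -> {'ok' if is_safe(candidate, fake_resolver) else 'rejected'}")
```

When the routine returns a SafeTarget, open the connection to `target.ip` and send `target.host` in the Host header (and as the TLS server name for https) rather than passing the original URL to the HTTP client, and disable automatic redirect following so that any Location header is passed back through vet_url before the next hop.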