Server-Side Request Forgery (SSRF)

Verified by Precogs Threat Research
Security Guide | OWASP Top 10 A01:2025 | OWASP API Security Top 10 API7:2023

What is Server-Side Request Forgery (SSRF)?

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker induces the server-side application to make a request (usually HTTP, but any URL scheme the server's client library supports) to a destination of the attacker's choosing. Because the request originates from the server, it carries the server's network position and any implicit trust attached to it: the attacker effectively uses the server as a proxy to reach internal resources that are not exposed to the internet.

How Does SSRF Work?

When an application fetches a URL provided by the user (for example webhook URLs, image imports, or link previews), an attacker can supply a URL that points at internal services instead: http://localhost, http://169.254.169.254 for the cloud instance metadata service, or any host on the server's private network. Those endpoints are not reachable from the internet, but they are reachable from the server, and the server makes the request on the attacker's behalf.

# VULNERABLE: Fetching a user-supplied URL without validation
import requests
from flask import Flask, request   # the handlers below assume a Flask app
app = Flask(__name__)

@app.route('/fetch')
def fetch():
    url = request.args.get('url')
    # Attacker sends url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
    response = requests.get(url)
    return response.text

# SECURE: URL allowlist validation on scheme and exact hostname; redirects are not followed
from urllib.parse import urlparse
ALLOWED_HOSTS = {'api.example.com', 'cdn.example.com'}

@app.route('/fetch-safe')
def fetch_safe():
    url = request.args.get('url', '')
    parsed = urlparse(url)
    if parsed.scheme != 'https' or parsed.hostname not in ALLOWED_HOSTS:
        return "Forbidden", 403
    # allow_redirects=False: an allowed host must not be able to bounce the request to an internal one
    response = requests.get(url, allow_redirects=False, timeout=5)
    return response.text

Real-World Examples

The 2019 Capital One breach used SSRF against an EC2 instance to reach the AWS instance metadata service, obtaining the IAM role credentials that were then used to read S3 buckets holding data on more than 100 million customers. ProxyLogon (CVE-2021-26855) was a pre-authentication SSRF in Microsoft Exchange Server that, chained with further Exchange bugs, gave attackers control of an estimated 250,000+ servers.

Security Impact

SSRF gives the attacker whatever the server's network position allows: access to internal services and admin interfaces that trust the internal network, theft of cloud credentials from the metadata service (AWS, GCP, Azure), scanning of internal hosts and ports, bypass of firewall and network-segmentation rules, and exfiltration of data from internal databases and APIs. Even blind SSRF, where the response body is never returned to the attacker, still allows port scanning through timing differences and triggers side effects on internal endpoints.

Prevention & Mitigation

Validate all user-provided URLs and prefer an allowlist of permitted hosts and schemes over a denylist. Where arbitrary destinations must be supported, resolve the hostname and reject the request if any resolved address is loopback, link-local (169.254.0.0/16, which includes the metadata endpoint), RFC 1918 private space, or an IPv6 equivalent, and apply the same check to every redirect hop rather than letting the HTTP client follow redirects automatically. Restrict schemes to http/https and ports to the ones you expect. On AWS, require IMDSv2 (a session token is needed for every metadata request, and the default hop limit of 1 stops the token from being obtained through a forwarded request) and attach only the IAM permissions the instance actually needs. Back the application-level checks with network segmentation and egress filtering so a bypass in the URL parser does not by itself reach internal services.
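The following is an added example of the resolve-then-check approach described above; it is not code from the original page or from Precogs. It assumes a policy of http/https only on ports 80 and 443, blocks loopback, link-local, RFC 1918, shared-address-space and the IPv6 equivalents (including IPv4-mapped IPv6 addresses), checks every resolved address rather than just the first, and follows redirects by hand so each hop is re-validated. The resolver is injectable, and FAKE_DNS is constructed data so the policy can be exercised offline; safe_fetch needs the requests package and network access.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy for this example
ALLOWED_PORTS = {None, 80, 443}       # None = scheme default port

# Ranges a server-side fetcher must never reach. RFC 1918 alone is not enough:
# loopback, link-local (where 169.254.169.254 lives), shared address space and
# the IPv6 equivalents all have to be covered.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, incl. cloud metadata 169.254.169.254
    "100.64.0.0/10",   # shared address space, RFC 6598
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

def is_blocked_ip(ip_str: str) -> bool:
    """True if the address must not be contacted. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unwrapped first so it cannot smuggle a blocked IPv4 address past the check."""
    addr = ipaddress.ip_address(ip_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_all(host: str) -> list:
    """Every A/AAAA answer for host, via the same resolver the HTTP client uses.
    Checking only the first answer lets an attacker mix a public and an internal
    address in one record set."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def url_policy_violation(url: str, resolver: Callable = resolve_all) -> Optional[str]:
    """Return the reason the URL is rejected, or None if it may be fetched."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname:
        return "missing host"
    if parsed.username or parsed.password:
        return "userinfo not allowed"          # https://trusted.example@evil/ tricks
    try:
        port = parsed.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return f"port not allowed: {port}"
    try:
        addresses = resolver(parsed.hostname)
    except socket.gaierror:
        addresses = []
    if not addresses:
        return "host does not resolve"
    for ip in addresses:                       # reject if ANY answer is internal
        if is_blocked_ip(ip):
            return f"{parsed.hostname} resolves to blocked address {ip}"
    return None

def safe_fetch(url: str, max_redirects: int = 3, resolver: Callable = resolve_all):
    """Fetch with redirects followed by hand so every hop is re-validated: an allowed
    host answering `Location: http://169.254.169.254/` must not be followed.
    DNS rebinding between this check and the connect remains possible; an egress
    proxy enforcing the same policy at connect time closes that gap."""
    import requests   # only needed for the real fetch, not for the policy checks
    for _ in range(max_redirects + 1):
        reason = url_policy_violation(url, resolver)
        if reason:
            raise ValueError(f"refusing {url}: {reason}")
        resp = requests.get(url, allow_redirects=False, timeout=5)
        if resp.is_redirect and "Location" in resp.headers:
            url = urljoin(url, resp.headers["Location"])
            continue
        return resp
    raise ValueError("too many redirects")

# Constructed DNS answers so the policy can be exercised offline (not real hosts).
FAKE_DNS = {
    "api.example.com":    ["203.0.113.10"],
    "split.example.net":  ["203.0.113.20", "10.0.0.5"],   # public + internal in one answer
    "meta.example.net":   ["169.254.169.254"],
    "mapped.example.net": ["::ffff:127.0.0.1"],
}

def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items", "http://split.example.net/",
              "http://meta.example.net/latest/meta-data/", "http://mapped.example.net/",
              "ftp://api.example.com/", "https://api.example.com:8443/",
              "https://admin@api.example.com/"):
        print(u, "->", url_policy_violation(u, fake_resolver) or "OK")
```

The policy check is deliberately separated from the fetch so it can be unit-tested with a stub resolver and reused on every redirect hop. Note the remaining gap: a hostname can resolve to a public address when checked and to an internal one a moment later (DNS rebinding), which is why the text recommends egress filtering as a second layer.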

How Precogs AI Stops Server-Side Request Forgery (SSRF)

Precogs AI detects SSRF vulnerabilities in AI-generated code through pre-LLM filters and identifies SSRF vectors in compiled web applications during Binary DAST runtime testing, including cloud metadata endpoint access.

Related CWE Entries