Server Side Request Forgery

ID

server_side_request_forgery

Severity

critical

Kind

Server-Side Request Forgery

CWE

918

Description

Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource using a user-supplied URL without proper validation. An attacker can manipulate the destination of the request, causing the server to send crafted requests to unintended locations such as internal services, cloud metadata endpoints, or other back-end systems. This vulnerability effectively turns the server into a proxy for the attacker, bypassing firewalls, VPNs, and network access control lists that would normally prevent direct external access.

Rationale

A successful SSRF attack can allow unauthorized access to internal services and sensitive data that are not directly reachable from the internet, including administrative interfaces, databases, and cloud instance metadata. Attackers can leverage SSRF to map internal network topology, perform port scanning of internal hosts, and extract credentials or secrets from cloud metadata endpoints such as http://169.254.169.254/. In severe cases, SSRF can lead to remote code execution on internal systems or full compromise of cloud environments, making it one of the most impactful web application vulnerabilities.

Remediation

Validate and sanitize all user-supplied URLs on the server side. Use an allow-list approach to restrict permitted URL schemes, hostnames, ports, and IP ranges. Only allow the schemes strictly needed by the application, typically just https.
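The allow-list approach described above, as an added example that is not part of this entry: a Python validator that accepts only the configured scheme, hostnames and port, rejects URLs with embedded credentials, and then checks every address the host resolves to against private, loopback and link-local ranges (including the metadata address) before the fetch is allowed. The policy values, partner hostnames and the offline DNS table are constructed for illustration.

```python
"""Allow-list validation of user-supplied URLs before a server-side fetch (SSRF defence)."""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed example policy; a real application loads this from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # hypothetical partner hosts
ALLOWED_PORTS = {443}

# Destinations a fetcher must never reach, whatever name they hide behind.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",            # link-local, includes the cloud metadata address
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA records (performs a real DNS lookup)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def demo_resolver(host: str) -> List[str]:
    """Constructed DNS table so the example runs offline; cdn.example.net is
    deliberately mapped to the metadata address to show a misdirected name."""
    table = {
        "images.example.com": ["203.0.113.10"],
        "cdn.example.net": ["169.254.169.254"],
    }
    return table.get(host, [])


def is_blocked_ip(ip_text: str) -> bool:
    """True when the address is private, loopback, link-local, multicast or reserved."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 the same as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS) or ip.is_multicast or ip.is_reserved


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""
    addresses: List[str] = field(default_factory=list)  # vetted addresses to connect to


def validate_outbound_url(url: str, resolver: Resolver = default_resolver) -> Verdict:
    """Check scheme, userinfo, hostname, port and resolved addresses against the allow-list.

    On success the caller should connect to one of the returned addresses (sending the
    original Host/SNI) instead of resolving the name again, so the address that was
    checked is the address that is used.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return Verdict(False, f"unparseable url: {exc}")
    if parts.scheme not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials in url not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return Verdict(False, "missing host")
    if host not in ALLOWED_HOSTS:
        return Verdict(False, f"host not on allow-list: {host!r}")
    try:
        port = parts.port            # raises ValueError when out of range
    except ValueError:
        return Verdict(False, "invalid port")
    if port is None:
        port = 443                   # only https survives the scheme check
    if port not in ALLOWED_PORTS:
        return Verdict(False, f"port not allowed: {port}")
    try:
        addresses = resolver(host)
    except OSError as exc:
        return Verdict(False, f"dns resolution failed: {exc}")
    if not addresses:
        return Verdict(False, "host resolved to no addresses")
    for addr in addresses:
        if is_blocked_ip(addr):
            return Verdict(False, f"host resolves to blocked address {addr}")
    return Verdict(True, "ok", addresses)


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/photos/1.png",
        "http://images.example.com/photos/1.png",
        "https://169.254.169.254/latest/meta-data/",
        "https://images.example.com@evil.example/",
        "https://cdn.example.net/logo.svg",
    ):
        verdict = validate_outbound_url(candidate, demo_resolver)
        print(f"{candidate:48} -> {'ALLOW' if verdict.allowed else 'DENY'} ({verdict.reason})")
```

Checking the resolved addresses, not just the hostname, is what catches an allow-listed name that points at an internal address; passing the vetted address to the HTTP client closes the gap between the check and the connection.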

Implement network-level controls to limit outbound requests from the application server. Deploy the application in a segmented network with deny-by-default firewall rules that block access to internal services and metadata endpoints unless explicitly required.

Avoid exposing raw responses from back-end requests to the client. If the application must fetch external resources, use a dedicated service with minimal network privileges and ensure that error messages do not leak information about internal infrastructure.

For cloud deployments, enforce the use of IMDSv2 or equivalent protections on instance metadata services to prevent SSRF-based credential theft.