Server-Side Request Forgery (SSRF) tricks servers into making requests to unintended locations, often targeting internal services or cloud metadata endpoints.
SSRF Targets
- Cloud metadata (169.254.169.254)
- Internal services (localhost, 10.x.x.x)
- Internal APIs and databases
- Other cloud services via service account
Attack Example
# Vulnerable endpoint
GET /fetch?url=http://example.com/image.jpg
# SSRF attack - AWS metadata
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# SSRF attack - Internal service
GET /fetch?url=http://localhost:8080/admin
Prevention
# Python - URL validation
from urllib.parse import urlparse
import ipaddress

def is_safe_url(url):
    parsed = urlparse(url)
    # Only allow HTTPS
    if parsed.scheme != 'https':
        return False
    # Block internal IPs when the host is an IP literal
    try:
        ip = ipaddress.ip_address(parsed.hostname)
        # is_link_local covers the 169.254.169.254 metadata endpoint
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return False
    except ValueError:
        pass  # Hostname, not an IP literal
    # Allowlist domains (exact match; subdomains are rejected)
    allowed_domains = ['trusted.com', 'api.example.com']
    if parsed.hostname not in allowed_domains:
        return False
    return True
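The check above only inspects the URL string; the connection the server makes afterwards resolves DNS on its own, so an allowlisted name that resolves (or is later rebound) to an internal address still reaches it. The following is an added example, not code from the original page: it resolves every address for the host, rejects the URL if any address falls in a blocked range (including IPv4-mapped IPv6 forms), and returns the pinned address the client should connect to. BLOCKED_NETWORKS, FAKE_DNS and pick_safe_address are names constructed for this example; FAKE_DNS stands in for real resolution so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server should never reach on behalf of a user-supplied URL.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",  # metadata lives here
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline (not real hosts).
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.20", "10.0.0.5"],  # one answer points inside
    "meta.example.com": ["169.254.169.254"],
}

def is_blocked_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as 10.0.0.1
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve(hostname, resolver=None):
    """Return all addresses for hostname; resolver is a dict used for testing."""
    if resolver is not None:
        return resolver.get(hostname, [])
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def pick_safe_address(url, allowed_hosts, resolver=None):
    """Return (host, port, ip) to connect to, or None if the URL is unsafe.

    The caller must connect to the returned ip (sending host in the Host/SNI
    fields) rather than resolving again, and must not follow redirects, or the
    check can be bypassed between validation and fetch.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in allowed_hosts:
        return None
    addrs = resolve(parsed.hostname, resolver)
    # Reject if any answer is internal: a resolver may rotate between them.
    if not addrs or any(is_blocked_ip(a) for a in addrs):
        return None
    return parsed.hostname, parsed.port or 443, addrs[0]
```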
Cloud Risk
SSRF to cloud metadata endpoints (AWS, GCP, Azure) can expose IAM credentials that lead to full cloud account takeover.
Defense Checklist
- Allowlist permitted domains/IPs
- Block private IP ranges (RFC 1918)
- Use IMDSv2 on AWS (requires token)
- Disable unnecessary outbound access
December 2024