Key Takeaways
- SSRF tricks servers into making requests to unintended locations.
- Cloud metadata endpoints (169.254.169.254) are the #1 target.
- SSRF can bypass firewalls and access internal services.
- The 2019 Capital One breach exploited SSRF to steal 100M records.
SSRF entered the OWASP Top 10 in 2021 because it's devastatingly effective against cloud infrastructure. If your app fetches URLs provided by users, you might be giving attackers a backdoor into your entire network.
What Is SSRF?
Server-Side Request Forgery occurs when an attacker can make a server perform HTTP requests to arbitrary destinations. Common vulnerable patterns:
- URL preview/unfurling: "Paste a link to see a preview"
- PDF/Image generation: "Enter URL to convert to PDF"
- Webhooks: "Enter your callback URL"
- File imports: "Import from URL"
Attack #1: Cloud Metadata Exploitation
Every major cloud provider has a metadata service accessible from instances. AWS credentials can be stolen in seconds.
Cloud Metadata Endpoints
- AWS: http://169.254.169.254/latest/meta-data/
- GCP: http://metadata.google.internal/computeMetadata/v1/
- Azure: http://169.254.169.254/metadata/instance
Prevention Strategies
- Allowlist permitted domains and IPs
- Block private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Use IMDSv2 on AWS (requires session tokens)
- Network segmentation for internal services
- Validate and sanitize all URL inputs
AWS IMDSv2 Migration
IMDSv2 requires a session token, making SSRF exploitation much harder. Always enable it on EC2 instances.
Frequently Asked Questions
How is SSRF different from CSRF?
CSRF makes victims' browsers send requests. SSRF makes the server send requests. SSRF is more dangerous because servers have access to internal resources.
Is blocking 169.254.169.254 enough?
No! Attackers can use DNS rebinding, IPv6, and URL encoding to bypass IP blocks. Use defense in depth.
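The allowlist, private-range blocking and URL-validation items from the Prevention Strategies list, together with the IPv6 and URL-encoding bypasses and the DNS rebinding window named in this answer, as one added Python check that is not part of the original article. It assumes a hypothetical allowlist and a constructed DNS table (files.example.com, rebind.example.com) standing in for a real resolver; `socket.getaddrinfo` is used when no resolver is injected.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

def is_forbidden_ip(ip_str):
    """True for loopback, RFC 1918, link-local (169.254.0.0/16), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, allowed_hosts, resolve=socket.getaddrinfo):
    """Return the IP the client must connect to, or raise ValueError; `resolve` is injectable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # Percent-decode the host so 169%2E254%2E169%2E254 cannot dodge string checks.
    host = unquote(parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:  # every A/AAAA answer is checked; one internal address rejects the URL
        infos = resolve(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"DNS lookup failed for {host!r}: {exc}") from exc
    addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        if is_forbidden_ip(addr):
            raise ValueError(f"{host!r} resolves to forbidden address {addr}")
    # Connect to this IP (pinned resolver or egress proxy); re-resolving later reopens DNS rebinding.
    return addrs[0]

# Constructed DNS table and resolver (hypothetical hosts) so the demo runs offline.
DEMO_DNS = {"files.example.com": ["93.184.216.34"],
            "rebind.example.com": ["93.184.216.34", "169.254.169.254"]}

def demo_resolve(host, port, proto=0):
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in DEMO_DNS[host]]

if __name__ == "__main__":
    for url in ("https://files.example.com/report.pdf", "https://rebind.example.com/",
                "http://[::ffff:169.254.169.254]/latest/meta-data/",
                "http://169%2E254%2E169%2E254/latest/meta-data/"):
        try:
            print("ALLOW", validate_outbound_url(url, DEMO_DNS, demo_resolve), "<-", url)
        except ValueError as exc:
            print("DENY ", exc, "<-", url)
```

The returned address is what the HTTP client should actually open a connection to; passing the original hostname back to the client re-resolves it and gives up the rebinding protection.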