What Is SSRF (Server-Side Request Forgery)?
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker tricks your server into making HTTP requests to unintended destinations — typically internal services, cloud metadata endpoints, or other systems behind the firewall. The server acts as a proxy, giving the attacker access to resources they cannot reach directly.
Types of SSRF (Server-Side Request Forgery)
Basic SSRF
The attacker provides a URL that the server fetches, targeting internal resources.
POST /api/fetch-url { "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" }
Blind SSRF
The server makes the request but does not return the response. The attacker infers information from timing or out-of-band channels.
SSRF via redirects
The attacker provides a URL that redirects to an internal resource, bypassing URL validation.
How to Prevent It
# 1. Allowlist approach — only permit known-safe destinations
from urllib.parse import urlparse
import ipaddress
import socket
import requests

ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com']

def fetch_url(url):
    parsed = urlparse(url)
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("Host not allowed")
    # 3. Disable redirects, so an allowed host cannot bounce the request to an internal one
    return requests.get(url, allow_redirects=False)

# 2. Block internal IP ranges
def is_internal(hostname):
    # Note: gethostbyname returns a single IPv4 address, and the name is resolved again
    # when the request is sent (a DNS rebinding window); resolve once and connect to that IP
    ip = ipaddress.ip_address(socket.gethostbyname(hostname))
    return ip.is_private or ip.is_loopback or ip.is_link_local

# 4. Use a metadata firewall for cloud environments
# AWS: IMDSv2 requires a session token obtained with a PUT request; set the hop limit to 1
# GCP: Requires Metadata-Flavor: Google header
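The snippets above cover each control separately; the following is an added example (not code from the original page) that combines them into one validator and a redirect-aware fetcher, and goes further than the page on two points: it checks every address a name resolves to (A and AAAA, including IPv4-mapped IPv6 and bare decimal IP literals such as 2852039166), and it re-validates the target of every redirect hop instead of trusting the client to follow them. The names `SAMPLE_DNS`, `SAMPLE_RESPONSES`, `sample_resolver` and `sample_send` are constructed stand-ins so the example runs offline; `http_send` is the real network path built on `urllib.request`.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _blocked(ip):
    """True for any address a server-side fetcher must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it
    if getattr(ip, "ipv4_mapped", None) is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_all(hostname):
    """Every address (A and AAAA) the name resolves to, as strings."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as err:
        raise ValueError(f"{hostname} did not resolve") from err
    return [info[4][0] for info in infos]


def check_url(url, resolver=resolve_all):
    """Raise ValueError unless every address behind url is public; return (parsed, addresses)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    # Literal addresses never reach the resolver: dotted IPv4, bracketed IPv6 and the
    # bare decimal form (2852039166 == 169.254.169.254) that inet_aton-style parsers accept
    try:
        addrs = [ipaddress.ip_address(int(host) if host.isdigit() else host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:  # one internal record among public ones is still a rejection
        if _blocked(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parsed, addrs


def is_safe_url(url, resolver=resolve_all):
    try:
        check_url(url, resolver)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError instead of following the redirect,
    # so every hop comes back to fetch() for re-validation
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_send(url, timeout=5):
    """Send one request without following redirects; returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read()


def fetch(url, send=http_send, resolver=resolve_all, max_redirects=3):
    """Fetch url, validating the destination of every redirect hop before following it."""
    # Caveat: the client resolves the name again when it connects, which leaves a DNS
    # rebinding window between check and use; pinning the connection to the checked
    # address closes it and is left out of this example.
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, location, body = send(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed sample DNS data and responses so the example runs offline; not real hosts
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # public and internal record
}
SAMPLE_RESPONSES = {
    "https://api.example.com/ok": (200, None, b"public resource"),
    "https://api.example.com/hop": (301, "/ok", b""),
    # an allowed host redirecting to the metadata endpoint: the hop the validator must catch
    "https://api.example.com/bounce": (302, "http://169.254.169.254/latest/meta-data/", b""),
}


def sample_resolver(hostname):
    return SAMPLE_DNS.get(hostname, [])


def sample_send(url):
    return SAMPLE_RESPONSES.get(url, (404, None, b"not found"))


if __name__ == "__main__":
    for u in ["https://api.example.com/ok", "http://169.254.169.254/latest/meta-data/",
              "http://2852039166/", "http://[::ffff:169.254.169.254]/", "http://rebind.example.com/"]:
        print(f"{u:45} safe={is_safe_url(u, sample_resolver)}")
    print(fetch("https://api.example.com/hop", sample_send, sample_resolver))
    try:
        fetch("https://api.example.com/bounce", sample_send, sample_resolver)
    except ValueError as err:
        print("blocked:", err)
```

The resolver and the sender are injected so the same validation runs in tests without network access; in production both default to the real implementations. Note that an allowlist of hostnames, as in snippet 1, is still the stronger control where the set of destinations is known: the address checks here are the fallback for features that must accept arbitrary user-supplied URLs.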
Real-World Impact
In the 2019 Capital One breach, SSRF was used to access AWS metadata endpoints, stealing credentials that led to 106 million customer records being exposed. SSRF can read cloud credentials, access internal databases, scan internal networks, and pivot to other services.