Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) is a dangerous security vulnerability that allows attackers to gain unauthorized access to internal network resources, cloud metadata endpoints, and even critical systems leading to RCE.

HIGH SEVERITYOWASP Top 10 #10CWE-9185 Techniques

🧪 Interactive SSRF Lab

Select an SSRF attack technique and practice exploitation in a safe environment

Select SSRF Attack Type

Choose an SSRF technique to practice exploitation

🌐

Basic SSRF

Access internal network resources via server-side requests

BEGINNER1 attacks

☁️

Cloud Metadata SSRF

Retrieve cloud provider metadata and credentials

INTERMEDIATE3 attacks

🕵️

Blind SSRF

SSRF without visible response - detect via timing or OOB

ADVANCED2 attacks

🔓

SSRF Filter Bypass

Bypass URL filters, allowlists, and WAF protections

EXPERT3 attacks

🔥

SSRF to RCE

Escalate SSRF to remote code execution

EXPERT3 attacks

📖

Quick Reference

Always available while working

⚠️Notable SSRF CVEs (2024-2025)

CVE-2024-245499.8

Apache Tomcat - SSRF via HTTP/2 allows access to internal services

→ Internal network access & data exfiltration

CVE-2024-63879.1

GitLab - SSRF in project imports enables cloud metadata access

→ Cloud credentials exposure (AWS/GCP/Azure)

CVE-2024-370858.6

VMware vCenter - SSRF vulnerability allows network scanning

→ Internal network reconnaissance

CVE-2024-45778.1

WordPress - SSRF in REST API endpoints enables port scanning

→ Service enumeration & exploitation

🔥OWASP Top 10

Position:#10

SSRF attacks are ranked #10 in OWASP Top 10 2021 and pose critical risks in cloud environments.

📊Critical Statistics

Cloud Metadata Attacks:65%

of SSRF attacks target cloud metadata endpoints

Average CVSS Score:8.8

SSRF vulnerabilities typically rated HIGH to CRITICAL

RCE Escalation:42%

of SSRF vulnerabilities can be escalated to RCE

🛡️Quick Prevention

✓Use URL allowlists (IP and domain based)
✓Block internal IP ranges (RFC 1918)
✓Block cloud metadata endpoints
✓Implement response validation
✓Use network segmentation
✓Monitor & log all outbound HTTP requests

📚Resources

VulnSign SSRF Guide

FUNDAMENTALS

🌐

What is SSRF?

Server-Side Request Forgery (SSRF) is a security vulnerability that allows attackers to make the server hosting a web application send requests to internal or external resources accessible by the server. This vulnerability can lead to internal network discovery, cloud metadata access, and even escalation to remote code execution.

MECHANISM

How SSRF Works

SSRF occurs when an application fetches remote resources without validating the user-supplied URL. Attackers can manipulate the URL to make the server access internal services, cloud metadata endpoints (AWS/GCP/Azure), or perform port scanning.

❌ Vulnerable Code Example

php

1// PHP - Unsafe URL fetch
2$url = $_GET['url'];
3$content = file_get_contents($url);
4echo $content;
5
6// Attacker input:
7// url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
8// Server fetches AWS credentials!

✅ Secure Code

php

1// PHP - URL allowlist validation
2$url = $_GET['url'];
3$allowed = ['api.example.com'];
4$host = parse_url($url, PHP_URL_HOST);
5if (in_array($host, $allowed)) {
6  $content = file_get_contents($url);
7  echo $content;
8} else {
9  die("Invalid URL");
10}

TYPES

Types of SSRF

🌐Basic SSRF

Access internal network resources and services via server-side requests

☁️Cloud Metadata SSRF

Retrieve credentials from AWS, GCP, or Azure metadata endpoints

🕵️Blind SSRF

No visible response; detect via timing analysis or out-of-band callbacks

🔓Filter Bypass

Bypass URL filters using encoding, DNS rebinding, or open redirects

🔥SSRF to RCE

Escalate to RCE via Redis, Memcached, or internal service exploitation

IMPACT

What Can Happen?

🔍
Internal Network Access:
Scan and access internal services, databases, admin panels behind firewalls
☁️
Cloud Credentials Theft:
Steal AWS IAM credentials, GCP tokens, Azure access tokens from metadata endpoints
🔓
Firewall Bypass:
Bypass network restrictions, access services that should be unreachable
🔥
Remote Code Execution:
Exploit internal services (Redis, Memcached) via gopher:// protocol for RCE

BEST PRACTICES

🛡️

How to Prevent SSRF

✓URL Allowlisting: Only allow requests to specific, trusted domains and IPs
✓Block Private IPs: Reject requests to localhost, 127.0.0.1, 169.254.x.x, and RFC1918 ranges
✓Disable Dangerous Protocols: Block file://, gopher://, dict://, and other non-HTTP protocols
✓Network Segmentation: Isolate application servers from internal networks
✓Cloud Metadata Protection: Use IMDSv2 (AWS), require headers (GCP), implement network controls
✓Response Validation: Don't return raw responses to users, validate content types

1// PHP - Unsafe URL fetch 2$url = $_GET['url']; 3$content = file_get_contents($url); 4echo $content; 5 6// Attacker input: 7// url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ 8// Server fetches AWS credentials!

1// PHP - URL allowlist validation 2$url = $_GET['url']; 3$allowed = ['api.example.com']; 4$host = parse_url($url, PHP_URL_HOST); 5if (in_array($host, $allowed)) { 6 $content = file_get_contents($url); 7 echo $content; 8} else { 9 die("Invalid URL"); 10}