Server-Side Request Forgery (SSRF)
Advanced SSRF techniques to make servers request internal resources and cloud metadata services. Learn to bypass filters using encoding tricks and redirect chains.
Introduction to SSRF
theoryLearn what SSRF attacks are, how they work, and their potential impact.
Introduction to SSRF
What is Server-Side Request Forgery (SSRF)?
SSRF is a vulnerability that allows attackers to trick a server into making unintended HTTP requests. The attacker controls the target URL or request destination and uses the server's privileges to access internal systems or sensitive data.
How SSRF Works
- Web application accepts a URL or resource path as input.
- Server fetches that resource on behalf of the user.
- Attacker provides a crafted URL pointing to an internal or restricted resource.
- Server makes a request to the attacker-controlled or internal endpoint.
Example
GET /fetch?url=http://internal-service/admin
The attacker changes the URL to something like:
GET /fetch?url=http://169.254.169.254/latest/meta-data/
(This accesses AWS instance metadata.)
Impact
- Access internal networks
- Read cloud instance metadata
- Bypass firewalls
- Trigger internal POST requests to sensitive services
Knowledge Check
What is the main purpose of an SSRF attack?
Common SSRF Attack Scenarios
theoryUnderstand the types and sources of SSRF vulnerabilities in web applications.
Common SSRF Attack Scenarios
Common SSRF Scenarios
- Image URL Fetching: Application fetches remote image URLs for preview.
- PDF Generation: Server fetches external content to embed.
- Webhook / Callback URLs: API calls user-specified endpoints.
- URL Shorteners: Follow attacker-controlled redirects.
Advanced Exploits
- Access cloud metadata service:
http://169.254.169.254/ - Port scanning internal network via response timing.
- POST requests to internal admin panels.
Knowledge Check
Which of the following could be an SSRF entry point?
Basic SSRF Attack - Internal Access
simulationExploit a vulnerable endpoint that fetches URLs without validation.
Simulation Objective
Exploit a vulnerable endpoint that fetches URLs without validation.
Target
/fetch?url=
Scenario
Internal metadata access
SSRF with Redirection
simulationUse open redirects or intermediate URLs to reach internal systems.
Simulation Objective
Use open redirects or intermediate URLs to reach internal systems.
Target
/fetch?url=
Scenario
Redirect to internal
SSRF Bypass Filters - Using Encodings
simulationBypass blacklist filters to reach internal hosts.
Simulation Objective
Bypass blacklist filters to reach internal hosts.
Target
/fetch?url=
Scenario
Encoding trick
SSRF to RCE via Webhook
simulationTrigger server-side requests that execute commands on internal systems.
Simulation Objective
Trigger server-side requests that execute commands on internal systems.
Target
/webhook/test
Scenario
Webhook rce
SSRF Prevention Techniques
theoryLearn defenses against SSRF attacks.
SSRF Prevention Techniques
Preventing SSRF
- Validate and whitelist URLs strictly (domain and protocol)
- Disallow internal IP ranges (127.0.0.1, 10.x.x.x, 169.254.x.x)
- Disable redirects or restrict them to trusted hosts
- Avoid fetching arbitrary URLs from user input
- Use SSRF-aware proxy services
Secure Example
allowed_hosts = ["example.com", "api.trusted.com"]
parsed = urlparse(user_url)
if parsed.hostname not in allowed_hosts:
raise ValueError("Untrusted URL")
Knowledge Check
Which of these is an effective defense against SSRF?