RagTags for ResCommunes

the machines have taken over

OWASP #10 (2021) – Server-Side Request Forgery (SSRF)

SSRF happens when an attacker tricks a server into making a request on the attacker's behalf - often to internal systems that were never meant to be exposed.

Typical attack paths:

- Sending a crafted URL to a system that fetches remote resources.
- Targeting cloud metadata endpoints (e.g., AWS 169.254.169.254).
- Pivoting into private networks using a web app as a proxy.

These attacks are dangerous because they bypass network restrictions. The attacker may not be able to reach internal services directly - but the server can, and it’s doing the attacker’s bidding.

Mitigations include:

- Validating and sanitizing all URLs before making server-side requests.
- Blocking internal IP ranges and metadata endpoints.
- Using allowlists for outbound requests.
- Keeping sensitive services isolated and unexposed.
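A server-side URL check that applies the first three mitigations together (scheme and host allowlist, then a resolved-address check that blocks private ranges and the metadata endpoint), added here as an example and not code from the original post; the allowlisted hostnames, the DNS table and every address in it are constructed placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the original post; hostnames and addresses
# are constructed placeholders.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10"),      # CGNAT, not is_private
                 ipaddress.ip_network("169.254.169.254/32")]  # cloud metadata address
# Constructed DNS table so the example runs offline; use resolve_all for real.
DEMO_DNS = {"images.example.com": {"93.184.216.34"},     # placeholder public IP
            "api.partner.example": {"169.254.169.254"}}  # allowlisted name pointed at metadata

def resolve_all(host):
    """Every address a name maps to (A and AAAA records)."""
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}

def demo_resolve(host):
    if host not in DEMO_DNS:
        raise socket.gaierror("constructed resolver: unknown host")
    return {ipaddress.ip_address(a) for a in DEMO_DNS[host]}

def is_blocked_address(ip):
    """True for any address an outbound fetcher must never connect to."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1
        return is_blocked_address(ip.ipv4_mapped)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)

def check_outbound_url(url, resolve=resolve_all):
    """Return (ok, reason, addresses). Connect to one of the returned addresses, not
    to the name again (DNS rebinding), and run redirect targets through this too."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or parts.username is not None:
        return False, "scheme or userinfo not allowed", set()
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %r" % host, set()
    try:
        addrs = resolve(host)
    except (socket.gaierror, ValueError) as exc:
        return False, "resolution failed: %s" % exc, set()
    for ip in sorted(addrs, key=str):
        if is_blocked_address(ip):
            return False, "host resolves to internal address %s" % ip, set()
    return True, "ok", addrs
```

The allowlist alone is not enough: the second demo entry is an allowlisted name whose DNS answer points at the metadata address, which is why the resolved addresses are checked and returned for the caller to connect to directly.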

SSRF is more than a weird edge case - in cloud environments, it’s a real threat with serious consequences.