After this lesson, you will be able to: Recognize, find, and fix Server-Side Request Forgery (OWASP A10): tricking the server into making requests to places it should not.
Server-Side Request Forgery (SSRF) is OWASP A10. The app fetches a URL the user supplies, and the attacker points it at internal systems the server can reach but they cannot, like cloud metadata endpoints, internal admin services, or the local network. It powered one of the largest cloud breaches in history.
SSRF happens when an application takes a user-supplied URL and makes a server-side request to it (fetching an image, a webhook, a 'preview' of a link). Because the request comes from the server, it can reach things the attacker cannot reach directly: internal-only services, databases, the loopback interface, the cloud provider's metadata endpoint (169.254.169.254), and other hosts inside the network. The attacker uses the server as a proxy into the trusted internal zone.
Look for any feature that fetches a user-controlled URL.
Find features that take a URL or host from the user: link previews, webhooks, image/file fetchers, PDF generators, import-from-URL.
In Burp Suite, change the URL parameter to an internal target (http://169.254.169.254/, http://localhost/, an internal IP) and watch the response.
Use a collaborator/out-of-band tool to detect blind SSRF (the server makes the request but you do not see the body).
Check whether the cloud metadata endpoint is reachable from the app (a high-impact target).
Test URL-parsing bypasses (redirects, alternate IP encodings, DNS rebinding) against any allow-list.
Restrict where the server may go, and defang the metadata endpoint.
// VULNERABLE: fetches whatever URL the user sendsapp.post('/preview', async (req, res) => {const r = await fetch(req.body.url); // attacker: http://169.254.169.254/...res.send(await r.text());});// FIXED: validate against an allow-list + block internal rangesfunction isAllowed(url) {const u = new URL(url);if (u.protocol !== 'https:') return false;if (!ALLOWED_HOSTS.has(u.hostname)) return false; // explicit allow-listif (isPrivateOrLoopbackOrMetadata(u.hostname)) return false; // block 10/8, 127/8, 169.254/16return true;}// Also: require IMDSv2 (session-token metadata) on AWS, give the instance// least-privilege IAM, and isolate egress at the network layer.
Pick the best answer.
Sign in and purchase access to unlock this lesson.