ThreatFoundacademy
Web Application Security

Server-Side Request Forgery (SSRF)

Make the server make requests for you — into the cloud metadata service and internal network.


SSRF tricks a server into making an HTTP request to a destination *you* choose. Because the request comes from inside the perimeter, it can reach things the internet can’t.

Why it’s so dangerous

  • Hit the cloud metadata service (169.254.169.254) to steal IAM credentials — often full account takeover.
  • Reach internal services (admin panels, databases, Redis) with no auth on the internal network.
  • Port-scan the internal network and bypass firewalls.

For example, a link-preview endpoint that fetches whatever URL it is handed can be pointed at the metadata service:

POST /api/fetch-preview
{ "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" }

Often the response isn’t shown (blind SSRF). Point the server at an out-of-band host you control (Burp Collaborator / interactsh) and watch for the DNS/HTTP callback to confirm.

Where it hides

Any feature that fetches a URL: webhooks, “import from URL”, image/avatar fetchers, PDF generators, link previews, SSO metadata, and document converters.

The fix

Allowlist the destinations the feature legitimately needs. Block link-local, loopback, and private ranges *and the cloud metadata IP*. Re-validate the resolved IP at connect time to defeat DNS-rebinding, and disable unneeded URL schemes.
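One way to implement those four checks in a URL fetcher, as an added example (not code from ThreatFound academy), assuming a constructed allowlist of two image hosts over HTTPS:

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed for this example: what the feature legitimately needs to reach.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Loopback, private, link-local (covers 169.254.169.254) and similar ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address must never be contacted by the URL fetcher."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])  # drop IPv6 scope id
    # An IPv4-mapped IPv6 answer (::ffff:169.254.169.254) is still that IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_url(url, resolver=socket.getaddrinfo):
    """Return (host, pinned_ip, port) for a safe URL, else raise ValueError.
    The caller connects to pinned_ip and uses host only for the Host header
    and TLS server name; re-resolving at connect time would let a
    DNS-rebinding server answer a public IP now and 10.0.0.5 a moment later."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    port = parts.port or 443
    # Resolve once and vet every answer: a name can carry several A/AAAA records.
    addrs = sorted({i[4][0] for i in resolver(host, port, proto=socket.IPPROTO_TCP)})
    if not addrs:
        raise ValueError(f"no address for {host}")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return host, addrs[0], port
```

The `resolver` parameter exists so the check can be exercised offline with a stubbed `getaddrinfo`; in production the default is used and the HTTP client is opened against the returned pinned IP.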