quiz vs the machine

Security

Server Side Request Forgery

When you trick a server into fetching a URL it should never reach, including internal metadata.

The Core Idea

Server-side request forgery, or SSRF, happens when an application fetches a URL supplied by a user. If a feature accepts a link to import or a webhook to call, an attacker can point it at addresses that the server can reach but they cannot.

The classic target is a cloud metadata endpoint at an internal address that hands out credentials, or internal admin services hidden behind the firewall.

Why It Is Dangerous

The server makes the request from inside the trusted network, so internal firewalls do not help. A single fetch can leak cloud keys or reach databases that were never meant to face the internet.

Defenses

  • Allowlist the exact hosts and schemes the feature is permitted to reach.
  • Resolve the hostname and block private and link-local ranges before connecting.
  • Disable redirects, or revalidate the target after each redirect.
  • Require the modern metadata service mode that demands a signed token.
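The first three defenses above, as an added Python example that is not part of the original lesson: a target check for a hypothetical "import from URL" feature that enforces a scheme and host allowlist, resolves the name, rejects any non-public answer (including the link-local metadata range and IPv4-mapped IPv6 forms), and returns a pinned IP to connect to. The hostnames, allowlist and DNS answers are constructed so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Exact schemes and hosts this hypothetical feature may reach (constructed allowlist).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"feeds.example.com", "api.partner.example", "partner-cdn.example.com"}

# Constructed DNS answers so the example runs offline; pass dns=None for real lookups.
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "api.partner.example": ["2606:4700::1111"],
    "partner-cdn.example.com": ["93.184.216.34", "10.0.0.5"],  # allowlisted, one record internal
    "evil.example.com": ["169.254.169.254"],                    # points straight at metadata
}

def resolve(host, dns=FAKE_DNS):
    """Return every address the hostname resolves to, not just the first record."""
    if dns is not None:
        return list(dns.get(host, []))
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_forbidden_address(addr):
    """True for loopback, private, link-local (covers 169.254.169.254) and other non-public ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not ip.is_global

def validate_target(url, dns=FAKE_DNS):
    """Return (True, pinned_ip) or (False, reason). Connect to pinned_ip with the Host
    header set to the hostname so a second lookup cannot swap in another address, fetch
    with redirects disabled, and run every Location header back through this check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"  # rejects https://good.example@10.0.0.1/
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    addrs = resolve(host, dns)
    if not addrs:
        return False, "hostname did not resolve"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, addrs[0]
```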

Key idea

SSRF turns a server into a confused proxy that fetches attacker chosen URLs from inside the trusted network, so defenses allowlist destinations and block private and metadata addresses before any request goes out.

Check yourself

1. What makes SSRF especially dangerous?

2. What is a classic SSRF target in the cloud?

3. Which control most directly limits SSRF?