Server-Side Request Forgery (SSRF)
==================================

A vulnerability that allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services.

vulnerability, OWASP, cloud security

Server-Side Request Forgery (SSRF) occurs when an attacker can cause a server-side application to make HTTP requests to an attacker-chosen domain or internal resource. This is particularly dangerous in cloud environments where internal metadata endpoints (like AWS IMDSv1 at 169.254.169.254) can expose credentials and configuration data.

SSRF was added to the OWASP Top 10 in 2021, reflecting its growing prevalence in modern cloud-native applications. Common attack vectors include URL parameters used for webhooks, file imports, PDF generators, and image processing services. SSRF can bypass firewalls, access internal APIs, and in severe cases lead to remote code execution.

SSRF variants include basic SSRF (direct response), blind SSRF (no response visible to attacker), and partial SSRF (limited control over the request). Mitigations include allowlisting destination hosts, using IMDSv2 on AWS, and network segmentation.
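The allowlisting mitigation above, as an added example that is not APVISO's code: a check run on a user-supplied URL before the server fetches it. The allowlist entry `hooks.example.com`, the sample addresses, and the function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real one comes from configuration.
ALLOWED_HOSTS = {"hooks.example.com"}


class BlockedDestination(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def system_resolver(host, port):
    """Resolve host to a sorted list of unique IP address strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_destination(url, allowed_hosts=ALLOWED_HOSTS, resolve=system_resolver):
    """Return (host, port, ip) that is safe to connect to, or raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedDestination("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise BlockedDestination("credentials in URL not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        raise BlockedDestination("host not on allowlist")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolve(host, port)
    if not addresses:
        raise BlockedDestination("host did not resolve")
    # Reject if ANY record is non-public (loopback, RFC 1918, link-local
    # such as 169.254.169.254), so a mixed answer cannot slip through.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedDestination(f"{addr} is not a public address")
    # Connect to this exact IP so a second DNS lookup cannot differ
    # from the one that was checked (DNS rebinding).
    return host, port, addresses[0]


def verdict(url, resolve):
    """Return 'allow' or the block reason; convenience wrapper for callers."""
    try:
        check_destination(url, resolve=resolve)
        return "allow"
    except BlockedDestination as exc:
        return str(exc)
```

The HTTP client should connect to the returned IP rather than re-resolving the hostname, and should not follow redirects without running each new location through the same check.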

How APVISO tests for this: APVISO's pentester agent probes all URL-accepting parameters with internal IP ranges, cloud metadata endpoints, and DNS rebinding techniques. It detects both direct and blind SSRF by monitoring for out-of-band callbacks and response timing differences.

Related Terms
-------------

- [OWASP Top 10](/glossary/owasp-top-10)
- [Broken Access Control](/glossary/broken-access-control)
- [Remote Code Execution (RCE)](/glossary/rce)

© 2026 APVISO. All rights reserved.
