Server-Side Request Forgery (SSRF)
A vulnerability that allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services.
Server-Side Request Forgery (SSRF) occurs when an attacker can cause a server-side application to make HTTP requests to an attacker-chosen domain or internal resource. This is particularly dangerous in cloud environments where internal metadata endpoints (like AWS IMDSv1 at 169.254.169.254) can expose credentials and configuration data.
SSRF was added to the OWASP Top 10 in 2021, reflecting its growing prevalence in modern cloud-native applications. Common attack vectors include URL parameters used for webhooks, file imports, PDF generators, and image processing services. SSRF can bypass firewalls, access internal APIs, and in severe cases lead to remote code execution.
SSRF variants include basic SSRF (direct response), blind SSRF (no response visible to attacker), and partial SSRF (limited control over the request). Mitigations include allowlisting destination hosts, using IMDSv2 on AWS, and network segmentation.
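The host-allowlisting mitigation above, as an added example that is not APVISO's code: the validator accepts only allowlisted hosts, resolves each one itself, and rejects any address that is private, loopback or link-local (which covers the IMDS endpoint at 169.254.169.254). The allowlist entries and the `resolver` parameter are assumptions made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only outbound destinations this app may call.
ALLOWED_HOSTS = {"api.example.com", "hooks.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return the IP address the caller should connect to, or raise ValueError.

    The caller must connect to the returned IP (still sending the original
    Host header) rather than resolving the name a second time; re-resolving
    reopens the DNS-rebinding window between the check and the request.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    # "http://api.example.com@169.254.169.254/" puts the allowlisted name in
    # the userinfo part; reject credentials outright instead of guessing.
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Resolve once and check every returned address: a name that maps to
    # any internal address is rejected, not only its first A record.
    try:
        infos = resolver(host, parsed.port or 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    ips = {info[4][0] for info in infos}
    for ip in ips:
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return sorted(ips)[0]
```

The same address check should be applied again on every redirect hop, since an allowlisted host can 302 to an internal address.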
How APVISO tests for this: APVISO's scanner agent probes all URL-accepting parameters with internal IP ranges, cloud metadata endpoints, and DNS rebinding techniques. It detects both direct and blind SSRF by monitoring for out-of-band callbacks and response timing differences.
Test your applications for Server-Side Request Forgery (SSRF) vulnerabilities
APVISO's AI agents automatically test for this and many more vulnerability categories.
Start Testing Free