SSRF (Server-Side Request Forgery) Complete Guide
As the founder of OWASP Indianapolis and someone who’s been tracking SSRF attacks for over 15 years, I’ve watched this vulnerability evolve from a niche attack to one of the most dangerous threats in modern web applications.
SSRF attacks let attackers make your server send requests to internal systems, cloud metadata services, or external targets - essentially turning your trusted server into their attack proxy.
What Makes SSRF So Dangerous
SSRF consistently ranks as a critical vulnerability because it:
- Bypasses network firewalls by originating requests from trusted internal servers
- Accesses internal services that should never be reachable from the internet
- Extracts cloud credentials from metadata services (AWS, Azure, GCP)
- Chains with other vulnerabilities to achieve complete system compromise
SSRF Content Library
Defense Strategies
Web Security Hub 2026
Complete Web Vulnerability Prevention Hub Enhanced May 2026 with 2,000+ sources and real-time CVE intelligence - the …
OWASP Top 10 2025 Developer Guide
I’ve been working with the OWASP Top 10 for years, and the 2025 update just dropped some major changes that every …
SSRF Attack Flow Visualization

SSRF Attack Chain:

1. Attacker Input       2. Server Request       3. Internal Access
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ Malicious URL   │ --> │ Your Server     │ --> │ Internal System │
│                 │     │                 │     │                 │
│ http://169.254. │     │ requests.get()  │     │ AWS Metadata    │
│ 169.254/latest/ │     │ (no validation) │     │ Database        │
│ meta-data/      │     │                 │     │ File System     │
└─────────────────┘     └─────────────────┘     └─────────────────┘
         ^                       ^                       ^
    User Input            Trusted Server           Critical Data

Cloud Metadata Exploitation:

Attacker → Web App → Cloud Metadata Service → Credentials
    │         │                 │                  │
    │         │                 │                  ▼
    │         │                 │          AWS Keys, Tokens,
    │         │                 │          Service Accounts
    │         │                 │
    │         │      169.254.169.254/latest/
    │         │      metadata/iam/security-
    │         │      credentials/role-name
    │         │
    │    Vulnerable Parameter:
    │    ?url=http://169.254.169.254/...
    │
Crafted Request
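The chain above ends with requests.get() fetching whatever URL the user supplied. As an added example (not code from the original page), this is the check that belongs in front of that call: allow only http/https, resolve the host, and refuse any URL whose addresses are loopback, private or link-local (169.254.169.254 is link-local), returning the resolved addresses so the request goes to the address that was actually checked. Function names and the sample URLs are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp:// and so on


def resolve_host(host):
    """Resolve with the same resolver the HTTP client uses, so alternate
    encodings of an address are judged by what they actually resolve to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_forbidden_address(ip):
    """True for any address a server-side fetch should never reach."""
    # ::ffff:169.254.169.254 is the same metadata endpoint wrapped in IPv6
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.0.0/16 (cloud metadata services) and fe80::/10
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url):
    """Return (allowed, reason, resolved_addresses) for a user-supplied URL.
    Send the request to one of the returned addresses instead of letting the
    HTTP client resolve the name again (DNS rebinding), and disable or
    re-validate redirects: requests.get() follows them by default."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    try:
        addrs = resolve_host(host)
    except socket.gaierror as exc:
        return False, f"cannot resolve {host!r}: {exc}", []
    resolved = sorted(str(a) for a in addrs)
    blocked = sorted(str(a) for a in addrs if is_forbidden_address(a))
    if blocked:
        return False, f"resolves to non-public address(es) {blocked}", resolved
    return True, "ok", resolved


if __name__ == "__main__":
    # constructed sample inputs: the page's metadata URL and a few variants
    for u in ["http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
              "http://[::ffff:169.254.169.254]/", "http://127.0.0.1:8080/admin"]:
        print(u, "->", validate_outbound_url(u)[:2])
```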
SSRF Attack Scenarios I’ve Documented
Based on my research and real-world penetration testing:
1. Cloud Metadata Exploitation
- AWS EC2 metadata service attacks
- Azure Instance Metadata Service (IMDS) bypass
- GCP metadata server credential extraction
2. Internal Network Reconnaissance
- Port scanning internal networks
- Service discovery and enumeration
- Database and file server access
3. Authentication Bypass
- OAuth redirect manipulation
- JWT token theft via callback manipulation
- Session token extraction from internal services
Tools & Resources
My SSRF Testing Tools:
- Custom Python scripts for payload generation
- Burp Suite extensions for automated SSRF testing
- Cloud-specific metadata extraction tools
Need SSRF Help?
I provide application security consulting focused on SSRF prevention and testing. Contact me for:
- SSRF vulnerability assessments
- Secure code review for SSRF prevention
- Developer training on SSRF defense
- Custom tool development for SSRF testing
Carl Sampson - OWASP Indianapolis Chapter Founder | 15+ Years Application Security