loading
Loading content
loading
Also known as SSRF
Server-side request forgery (SSRF) abuses a feature that fetches a URL on the server's behalf. Webhook validators, PDF generators, image proxies, and link previews all take a URL and request it server-side. When the application trusts that URL without restriction, an attacker supplies one that points inward, and the vulnerable server makes the request from its own privileged network position.
SSRF matters because the server often reaches places the attacker cannot. Internal admin panels, databases, and metadata services sit behind a firewall but answer requests from the application host. The most damaging variant is the cloud metadata attack, where SSRF queries an endpoint like 169.254.169.254 to steal temporary cloud credentials. SSRF appears in the OWASP Top Ten as its own category, which reflects how common and severe it has become. Chained with other flaws, it can lead toward command injection and deeper compromise.
In an automated web application security workflow, a scanner submits attacker-controlled URLs and watches for outbound callbacks to a listener you control. A confirmed callback proves the server made the request, which separates real SSRF from filtered input.
Related terms