OWASP Top 10 - A10 Server-Side Request Forgery (SSRF)

What is Server-Side Request Forgery (SSRF)?

Server-Side Request Forgery (SSRF) occurs when an attacker can force a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This vulnerability allows attackers to access internal services, cloud metadata, and other restricted resources.

🎯 Common SSRF Attack Scenarios

Internal Service Access: Accessing internal APIs, databases, and administrative interfaces
Cloud Metadata Exploitation: Reading AWS/Azure/GCP instance metadata for credentials
Port Scanning: Discovering internal services and network topology
File System Access: Reading local files using file:// protocol
Bypassing Access Controls: Circumventing firewalls and network segmentation

🌐 Network Architecture

INTERNET → [WAF/Firewall] → [Web Server] → [Internal Network]

Vulnerable App
192.168.1.10:80

Admin Panel
192.168.1.50:8080

Database
192.168.1.100:3306

Metadata API
169.254.169.254:80

⚠️ Real-World Impact

Data Exfiltration: Accessing sensitive internal databases and APIs
Privilege Escalation: Gaining admin access to internal systems
Cloud Compromise: Stealing cloud credentials and escalating to full account takeover
Network Reconnaissance: Mapping internal infrastructure for further attacks
Denial of Service: Overloading internal services or external targets

🛡️ Prevention Strategies

Input Validation: Strict whitelist of allowed URLs and protocols
Network Segmentation: Isolate application servers from sensitive internal resources
Disable Unused Protocols: Block file://, gopher://, dict:// and other dangerous schemes
Response Filtering: Don't return raw response data to users
DNS Validation: Prevent DNS rebinding and private IP access

# Vulnerable SSRF Code
def fetch_url(user_url):
    response = requests.get(user_url)  # No validation!
    return response.text

# Common SSRF Payloads
http://192.168.1.50:8080/admin
http://169.254.169.254/latest/meta-data/
file:///etc/passwd
http://localhost:3306/

# Secure Implementation
import ipaddress
from urllib.parse import urlparse

def fetch_url_secure(user_url):
    # Parse and validate URL
    parsed = urlparse(user_url)
    
    # Only allow HTTP/HTTPS
    if parsed.scheme not in ['http', 'https']:
        raise ValueError("Invalid protocol")
    
    # Resolve hostname to IP
    ip = socket.gethostbyname(parsed.hostname)
    
    # Block private/internal IPs
    if ipaddress.ip_address(ip).is_private:
        raise ValueError("Private IP not allowed")
    
    # Block localhost and metadata IPs
    blocked_ips = ['127.0.0.1', '169.254.169.254']
    if ip in blocked_ips:
        raise ValueError("Blocked IP address")
    
    # Make request with timeout
    response = requests.get(user_url, timeout=5)
    return response.text[:1000]  # Limit response size
                

🎯 Lab 1: Basic SSRF - Internal Service Discovery

Scenario: You've found a "Website Screenshot" service that fetches and displays screenshots of any URL you provide. The application is running on an internal network with several services. Your goal is to discover and access these internal services.

Requests Made: 0 | Services Found: 0/4

🌐 Website Screenshot Service

Enter URL to Screenshot:

Screenshot Options:

💡 Intelligence Hint:
• Web Server: 192.168.1.10
• Internal Network: 192.168.1.0/24
• Common Ports: 80, 8080, 8081, 3000, 5000
• Look for admin panels, APIs, databases

📱 Service Response

Waiting for screenshot request...

Service Discovery Log:

                                    Ready to scan internal network...
                                

Mission: Use the screenshot service to access internal services on 192.168.1.x network.

Target Services: Find the admin panel, API endpoint, database interface, and monitoring dashboard.

🚨 Why This SSRF is Dangerous

Network Bypass: External attackers can access internal services behind firewalls
Privilege Escalation: Web server credentials may provide access to sensitive systems
Data Exposure: Internal APIs often lack authentication assuming network-level protection
Infrastructure Mapping: Attackers can map the entire internal network topology

🔥 Lab 2: Advanced SSRF - Filter Bypass Challenge

Scenario: The development team has implemented "security filters" to prevent SSRF attacks. However, these filters can be bypassed using various techniques. Your goal is to bypass the protections and access the AWS metadata service to steal cloud credentials.

Bypass Attempts: 0 | Filters Bypassed: 0/6

🛡️ "Secured" URL Fetcher

URL to Fetch:

🎯 Current Target: AWS Metadata Service

Goal: http://169.254.169.254/latest/meta-data/iam/security-credentials/

🔒 Security Filter Status

🛡️ FILTERS ACTIVE
• Localhost blocking: ENABLED
• Private IP blocking: ENABLED
• Protocol filtering: ENABLED
• Suspicious domain blocking: ENABLED

Server Response:

No request made yet...

🎯 Bypass Progress Tracker

Filters to Bypass:
❌ localhost/127.0.0.1 detection
❌ Private IP (192.168.x.x) blocking
❌ Metadata IP (169.254.169.254) blocking
❌ HTTP protocol restriction
❌ DNS rebinding protection
❌ URL encoding detection

Challenge: Bypass all 6 security filters to access the AWS metadata service.

Warning: In real scenarios, accessing metadata can lead to full cloud account compromise!

🚨 Advanced SSRF Bypass Techniques

IP Representation: 127.0.0.1 = 0x7F000001 = 2130706433 = 0177.0.0.01
DNS Rebinding: Domain initially resolves to safe IP, then changes to internal IP
HTTP Redirects: Legitimate domain redirects to internal resource
Protocol Smuggling: Using gopher:// to craft custom HTTP requests
Unicode Bypass: Using Unicode characters that normalize to dangerous characters

OWASP Top 10 Security Lab

Server-Side Request Forgery (SSRF)