Server-Side Request Forgery
SSRF tricks the server into making HTTP requests on the attacker's behalf, reaching internal services, cloud metadata endpoints, and infrastructure that the perimeter firewall would otherwise block. In the cloud era, one SSRF can mean full account takeover.
Cloud Metadata
AWS IAM
Internal Services
Blind SSRF
Bypass
OWASP A10
How SSRF Works
1. User input: the attacker controls a URL parameter that the server will fetch.
2. Server fetches: the server makes an HTTP request to the attacker-supplied URL.
3. Internal access: because the request originates from a trusted host, it reaches internal services or cloud metadata that the perimeter firewall would block from outside.
Attack Targets
- 169.254.169.254 — AWS metadata
- metadata.google.internal — GCP
- localhost:6379 — Redis
- internal-api:8080 — Microservices
- kubernetes:443 — K8s API
- file:///etc/passwd — File read
Notable Incidents
- Capital One (2019) — SSRF → AWS metadata → IAM role → 100M records stolen
- ProxyLogon (2021) — Exchange SSRF → Auth bypass → Full RCE chain
- GitLab SSRF (2021) — CVE-2021-22214 → Internal services → SSRF to RCE
- Shopify (2020) — SSRF in partner API → $25,000 bounty
Deep Dives
- SSRF to Cloud Credentials: Stealing AWS IAM Tokens (Research, AWS). How a single SSRF escalates to full AWS account compromise via the metadata service.
- Confusion Attacks: Apache SSRF + ACL Bypass Chain (Research, Apache). Orange Tsai's research on chaining Apache confusion attacks through SSRF to RCE.
Quick Payload Reference
Cloud Metadata
- http://169.254.169.254/latest/meta-data/iam/security-credentials/
- http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
- http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
- http://169.254.169.254/metadata/instance?api-version=2021-02-01 (Azure)
- http://100.100.100.200/latest/meta-data/ (Alibaba Cloud)
Defender's note: the GCP and Azure endpoints only answer requests that carry a custom header (Metadata-Flavor: Google and Metadata: true respectively), and AWS IMDSv2 requires a session token obtained with a PUT request, so enforcing IMDSv2 and header-gated metadata blocks SSRF bugs that cannot control request headers or methods.
Bypass Techniques
- http://2852039166/ (decimal IP of 169.254.169.254)
- http://0xa9fea9fe/ (hex IP)
- http://169.254.169.254.nip.io/ (DNS rebind)
- http://[::ffff:169.254.169.254]/ (IPv6 mapped)
- http://[email protected]/
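As an added defensive example (not code from this page or from any of the linked research), the following Python check for server-side fetches canonicalises the alternate IP spellings listed under Bypass Techniques (decimal, hex and octal inet_aton shorthand, IPv4-mapped IPv6) before deciding, rejects non-HTTP schemes such as file:// and URLs carrying userinfo, and resolves hostnames so that wildcard-DNS names pointing at 169.254.169.254 are caught; the `resolver` parameter and every function name are the example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _int_part(p):  # mirror inet_aton: 0x prefix is hex, leading 0 is octal, else decimal
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)

def ipv4_from_shorthand(host):
    """Parse 1-4 dotted parts the way inet_aton does (2852039166, 0xa9fea9fe, 169.254.43518)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_int_part(p) for p in parts]
    except ValueError:
        return None
    last, bits = nums.pop(), 8 * (5 - len(parts))  # the last part fills the remaining bits
    if any(not 0 <= n <= 0xFF for n in nums) or not 0 <= last < (1 << bits):
        return None
    for shift, n in enumerate(reversed(nums)):
        last |= n << (bits + 8 * shift)
    return ipaddress.IPv4Address(last)

def is_blocked_address(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:169.254.169.254] -> 169.254.169.254
    return not ip.is_global  # loopback, link-local, RFC 1918, reserved ranges

def check_outbound_url(url, resolver=lambda h: [i[4][0] for i in socket.getaddrinfo(h, None)]):
    """Return (allowed, reason). The fetcher must then connect to the addresses checked
    here (pin them); re-resolving at fetch time lets a DNS rebind reopen the hole."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        return False, "scheme not allowed or userinfo present"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:  # literal IP first, then inet_aton shorthand, then the DNS answers
        try:
            addrs = [ipaddress.ip_address(host)]
        except ValueError:
            ip = ipv4_from_shorthand(host)
            addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False, f"cannot resolve {host}"
    blocked = [str(ip) for ip in addrs if is_blocked_address(ip)]
    return (False, f"{host} -> {blocked[0]} is not public") if blocked else (True, "ok")
```

Pass a table-backed `resolver` (as the tests do) to exercise hostname cases offline; the literal-IP forms need no network at all.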