Severity: high | CWE-918 | OWASP A10:2021

Server-Side Request Forgery (SSRF)

An attacker tricks the server into making requests on their behalf to internal resources: cloud metadata endpoints, internal APIs, or services that should not be publicly reachable.

How It Works

SSRF occurs when a server-side application fetches a URL provided by the user without proper validation. The attacker can make the server request internal resources like cloud metadata endpoints (169.254.169.254), internal APIs, or databases that are only accessible from within the network. In cloud environments, the metadata endpoint can expose IAM credentials, leading to full account takeover.

Vulnerable Code

app.post('/api/fetch-url', async (req, res) => {
  // The user-supplied URL is fetched as-is: any scheme, any host, including
  // internal services and the cloud metadata endpoint.
  const response = await fetch(req.body.url);
  const data = await response.text();
  res.json({ data });
});

Secure Code

import { isAllowedUrl } from './url-validator';

app.post('/api/fetch-url', async (req, res) => {
  // Reject the request unless the URL passes the allow-list / internal-range check.
  if (!isAllowedUrl(req.body.url)) {
    return res.status(400).json({ error: 'URL not allowed' });
  }
  const response = await fetch(req.body.url);
  const data = await response.text();
  res.json({ data });
});

Real-World Example

The Capital One breach (2019) was caused by SSRF. An attacker exploited a misconfigured WAF to make requests to the AWS metadata endpoint, obtaining IAM credentials that gave access to S3 buckets containing 106 million customer records.

How to Prevent It

  • Validate and whitelist allowed URLs and domains
  • Block requests to internal IP ranges (10.x, 172.16.x, 192.168.x, 169.254.x)
  • Use a URL parsing library to prevent bypass techniques
  • Implement network-level controls to restrict outbound traffic
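The Secure Code above imports isAllowedUrl from './url-validator' without showing it; the following is an added example of one way to implement that check along the lines of the prevention list (it is not the page's or any product's code). The checkUrl, isBlockedAddress and ipv4ToInt helpers and the use of dns.lookup to resolve the host are assumptions; WHATWG URL parsing is used so that encoded hosts such as http://2130706433/ are normalised to 127.0.0.1 before the check runs.

```javascript
// Added example, not the page's './url-validator' module; helper names here are assumptions.
const BLOCKED_V4 = [                                   // [network, prefix bits]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],   // "this" net, RFC 1918, loopback
  ['169.254.0.0', 16],                                 // link-local, incl. cloud metadata 169.254.169.254
  ['172.16.0.0', 12], ['192.168.0.0', 16],             // RFC 1918
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if the string is not a dotted quad.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((n) => Number(n) > 255)) return null;
  const p = m.slice(1).map(Number);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True if an address literal (IPv4, or compressed IPv6 as Node's resolver returns it) is internal.
function isBlockedAddress(addr) {
  let ip = addr.toLowerCase();
  if (ip.startsWith('::ffff:')) ip = ip.slice(7);         // IPv4-mapped IPv6 -> check as IPv4
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return (v4 & mask) === (ipv4ToInt(net) & mask);
    });
  }
  if (!ip.includes(':')) return false;                     // a DNS name, not an address literal
  return ip === '::1' || ip === '::' || /^fe[89ab]/.test(ip) || /^f[cd]/.test(ip); // loopback, fe80::/10, fc00::/7
}
// Synchronous policy check over a URL plus the addresses its host resolved to (testable without DNS).
function checkUrl(urlString, resolvedAddresses) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false; // no file:, gopher:, ...
  if (url.username || url.password) return false;                         // no http://trusted@evil/ confusion
  const host = url.hostname.replace(/^\[|\]$/g, '');                       // strip IPv6 brackets
  // Fail closed on an unresolvable host; otherwise every address, literal or resolved, must be external.
  return resolvedAddresses.length > 0 && ![host, ...resolvedAddresses].some(isBlockedAddress);
}

// Async entry point with the signature the route handler above expects.
async function isAllowedUrl(urlString) {
  let host;
  try { host = new URL(urlString).hostname.replace(/^\[|\]$/g, ''); } catch { return false; }
  const { promises: dns } = await import('dns');
  let records;
  try { records = await dns.lookup(host, { all: true }); } catch { return false; }
  return checkUrl(urlString, records.map((r) => r.address));
}
```

Because the host is resolved here and then again by fetch, a production version should pin the address that passed the check (for example via a custom HTTP agent) so that a DNS answer cannot change between the two lookups; the handler would also need to await isAllowedUrl since it is asynchronous.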

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#
