A vulnerability where an attacker tricks the server into making HTTP requests on their behalf — typically to internal services, cloud metadata endpoints, or restricted networks.
SSRF reached the OWASP Top 10 in 2021 thanks to cloud metadata abuse. The pattern: an image-upload feature accepts a URL, the server fetches it, an attacker swaps the URL for http://169.254.169.254/latest/meta-data/iam/security-credentials/ and harvests AWS IAM credentials.
Defence: outbound allowlists, blocking IMDSv1 (enforce IMDSv2), and validating user-supplied URLs at the application layer before the server fetches them.
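The application-layer check that defence refers to, written out as an added example (it is not code from the original page or from the services it advertises). It combines the three controls a URL-fetching feature needs before it performs the fetch: an explicit scheme and host allowlist, rejection of raw IP literals and userinfo tricks, and a check that every address the allowlisted host resolves to is globally routable, which is what keeps link-local 169.254.169.254 and private ranges out of reach even when a permitted hostname is pointed at them. The allowlisted hostnames, the example resolver table and the addresses in it are constructed for the example; `socket.getaddrinfo`, `ipaddress` and `urllib.parse` are the standard-library calls used.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts this service may fetch images from (assumption for the example).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_blocked_address(ip):
    """True for any address a fetcher must never contact: loopback, RFC 1918, link-local
    (which covers the 169.254.169.254 metadata endpoint), multicast, reserved, unspecified,
    or anything else that is not globally routable."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5; judge the embedded IPv4
    return (
        ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified or not ip.is_global
    )


def system_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA) via the OS resolver.
    Returns address strings; an IPv6 zone id such as '%eth0' is dropped."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, None):
        addrs.add(sockaddr[0].split("%")[0])
    return sorted(addrs)


def validate_fetch_url(url, resolver=system_resolver):
    """Decide whether the server may fetch `url` on a user's behalf.
    Returns (allowed, reason, resolved_addresses). The addresses are returned so the caller
    can connect to one of them directly rather than resolving again at connect time."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as e:
        return False, f"unparseable URL: {e}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        # http://allowed.host@169.254.169.254/ parses with the real host after the '@'
        return False, "userinfo in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed; use an allowlisted hostname", []
    except ValueError:
        pass  # not a literal, continue with hostname checks
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, OSError, ValueError) as e:
        return False, f"resolution failed: {e}", []
    if not addrs:
        return False, "host resolved to no addresses", []
    for ip in addrs:
        if is_blocked_address(ip):
            # An allowlisted name pointed at an internal range is the DNS-side SSRF variant
            return False, f"{host} resolves to blocked address {ip}", []
    return True, "ok", [str(ip) for ip in addrs]


def stub_resolver(host):
    """Constructed resolver table used for the offline demonstration below."""
    table = {
        "images.example.com": ["93.184.216.34"],
        "cdn.example.net": ["10.0.0.5", "93.184.216.34"],  # one internal address is enough to block
    }
    return table[host]


if __name__ == "__main__":
    for candidate in [
        "https://images.example.com/cat.png",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://images.example.com@169.254.169.254/",
        "http://cdn.example.net/logo.png",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", validate_fetch_url(candidate, resolver=stub_resolver)[:2])
```

Two caveats belong with any validator of this shape. The resolved address must be the one actually connected to (pin it and send the allowlisted name in the Host header, or re-run the check inside the HTTP client's connection hook), otherwise a DNS answer that changes between validation and connect defeats the check. And the client must not follow redirects automatically, since a permitted host can 302 to an internal address; each redirect target has to pass the same validation. Enforcing IMDSv2 on the instances is the separate, platform-level control that limits the damage if the application-layer check is ever bypassed.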
See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.
30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.