Server-side Request Forgery (SSRF)
This article explains what server‑side request forgery (SSRF) is, describes its impact, common attack vectors such as targeting the server itself or internal services, outlines bypass techniques for blacklist and whitelist filters, and discusses blind SSRF detection using out‑of‑band methods.
Server‑side Request Forgery (SSRF) is a web vulnerability that allows an attacker to induce a server‑side program to make HTTP requests to arbitrary addresses, including the server itself, internal infrastructure, or external third‑party systems.
Successful SSRF attacks can lead to unauthorized operations, internal data exposure, and in some cases arbitrary command execution, potentially causing legal liability and reputational damage.
Common SSRF Attack Scenarios
Targeting the Server Itself
Attackers supply URLs pointing to 127.0.0.1 or localhost, causing the server to request internal resources such as /admin that are never exposed to the outside. In the first request below the stockApi parameter carries its normal value, the URL of an external stock-check service; in the second it is replaced with a loopback URL, so the application fetches its own admin interface on the attacker's behalf.

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

stockApi=http://localhost/admin

Targeting Other Backend Systems
Attackers exploit trust relationships between the vulnerable server and back-end services that sit on private IP addresses, such as an administrative interface at https://192.168.0.68/admin. Such services often skip authentication for requests that originate inside the network, so a crafted request that forces the server to contact them inherits that trust.

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

stockApi=http://192.168.0.68/admin

Evasion of Common SSRF Defenses
Blacklist‑Based Filters
Techniques include using alternative representations of 127.0.0.1 that a string match does not recognise, such as its decimal (2130706433), octal (017700000001), and abbreviated dotted (127.1) forms; registering a domain name that resolves to 127.0.0.1; or obfuscating blocked strings with URL encoding or mixed case (for example, LOCALHOST) when the filter compares before decoding or lowercasing.
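The following is an added example (not code from the original article) showing why a substring blacklist fails against the representations listed above, and what the check should do instead: canonicalise the host with the same loose IPv4 grammar that inet_aton() and most HTTP clients accept, then test the resulting address. It goes slightly beyond the page by also handling hex (0x7f000001) and IPv4-mapped IPv6 literals, which the same grammar and client behaviour admit. The host names and DNS answers are constructed; the resolver is a stand-in for socket.getaddrinfo().

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The substring blacklist the text describes. Every bypass URL below gets past
# it because none of them contains either literal.
BLOCKED_LITERALS = ("127.0.0.1", "localhost")


def naive_blacklist_allows(url: str) -> bool:
    """True if a substring blacklist would let this URL through."""
    return not any(lit in url.lower() for lit in BLOCKED_LITERALS)


# inet_aton() grammar: 1 to 4 dot-separated parts, each decimal, octal
# (leading 0) or hex (0x); the last part fills all remaining bytes.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p, 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p)


def parse_legacy_ipv4(host: str):
    """Canonicalise the loose IPv4 spellings accepted by inet_aton() (and hence
    by most HTTP client libraries); None if host is not one of them."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    *head, last = [_part_value(p) for p in parts]
    fill = 5 - len(parts)                      # bytes the last part occupies
    if any(v > 0xFF for v in head) or last >= 256 ** fill:
        return None
    num = 0
    for v in head:
        num = (num << 8) | v
    return ipaddress.IPv4Address((num << (8 * fill)) | last)


def _address_is_internal(addr) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                # ::ffff:7f00:1 -> 127.0.0.1
    return not addr.is_global                  # loopback, RFC 1918, link-local, ...


def is_internal_target(url: str, resolver=None) -> bool:
    """Canonicalise the host of url and report whether it is internal.
    DNS names are resolved through `resolver` (name -> list of address
    strings); with no resolver, or no answer, the name is refused (fail closed)."""
    host = urlsplit(url).hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    addr = parse_legacy_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)   # plain IPv4 or IPv6 literal
        except ValueError:                      # a DNS name
            if resolver is None:
                return True
            answers = resolver(host)
            return not answers or any(
                _address_is_internal(ipaddress.ip_address(a)) for a in answers)
    return _address_is_internal(addr)


# Constructed DNS answers standing in for socket.getaddrinfo(); not real hosts.
FAKE_DNS = {
    "stock.weliketoshop.net": ["1.2.3.4"],        # legitimate upstream (constructed)
    "attacker-rebind.example": ["127.0.0.1"],     # attacker-registered name
}


def fake_resolver(host: str):
    return FAKE_DNS.get(host, [])


BYPASS_URLS = [
    "http://2130706433/admin",              # decimal
    "http://017700000001/admin",            # octal
    "http://127.1/admin",                   # abbreviated dotted
    "http://0x7f000001/admin",              # hex (same grammar, not on the page)
    "http://[::ffff:7f00:1]/admin",         # IPv4-mapped IPv6 literal
    "http://attacker-rebind.example/admin", # domain that resolves to loopback
]


def evaluate(urls, resolver=fake_resolver):
    """Map each URL to (naive filter allows it, canonical check flags internal)."""
    return {u: (naive_blacklist_allows(u), is_internal_target(u, resolver)) for u in urls}


if __name__ == "__main__":
    for url, (naive, internal) in evaluate(BYPASS_URLS).items():
        print(f"{url:40} naive allows: {naive!s:5} canonical flags internal: {internal}")
```

Two caveats apply in production. The address the check approves must be the address the client actually connects to, otherwise a second DNS lookup lets a rebinding attacker change the answer between the check and the connection. And the same check has to be repeated on every redirect the client follows, not only on the URL the user submitted.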
Whitelist‑Based Filters
Whitelist filters that validate the URL with string operations rather than a proper parser can be bypassed through URL parsing inconsistencies: credential injection (https://expected-host@evil-host, where the whitelisted name becomes a username and the client connects to evil-host), fragment identifiers (https://evil-host#expected-host), DNS sub-domain tricks (https://expected-host.evil-host, a name the attacker controls), or combinations of these with URL encoding that exploit differences between how the filter and the HTTP client parse the same string.
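As an added example (not from the original article), the block below runs each of the whitelist bypasses above through two weak checks of the kind the text describes, a prefix test and a substring test, and compares the host the filter believes it is approving with the host the HTTP client will actually connect to. The expected host is taken from the page's stock-check URL; evil-host is the page's placeholder. The last case shows the encoding combination: a filter that URL-decodes before parsing sees the expected host, while the client, which does not decode the authority, connects to evil-host.

```python
from urllib.parse import urlsplit, unquote

EXPECTED_HOST = "stock.weliketoshop.net"   # the only upstream the app should call


def weak_prefix_allows(url: str) -> bool:
    """Whitelist as a string prefix check: beaten by user@host and subdomain tricks."""
    return url.startswith(("http://" + EXPECTED_HOST, "https://" + EXPECTED_HOST))


def weak_substring_allows(url: str) -> bool:
    """Whitelist as 'expected host appears somewhere': beaten by the fragment trick too."""
    return EXPECTED_HOST in url


def decode_then_parse_host(url: str):
    """What a filter that URL-decodes before parsing thinks the host is."""
    return urlsplit(unquote(url)).hostname


def client_host(url: str):
    """The host an HTTP client actually connects to: the authority's host part,
    after any user:password@ and before the path, query and fragment."""
    return urlsplit(url).hostname


def strict_allows(url: str) -> bool:
    """Parse first, then compare the parsed host exactly; refuse embedded credentials."""
    u = urlsplit(url)
    return (u.scheme in ("http", "https") and u.hostname == EXPECTED_HOST
            and u.username is None and u.password is None)


def analyse(url: str) -> dict:
    return {
        "prefix": weak_prefix_allows(url),
        "substring": weak_substring_allows(url),
        "filter_host_if_decoding": decode_then_parse_host(url),
        "client_host": client_host(url),
        "strict": strict_allows(url),
    }


# Constructed attacker inputs following the page's expected-host / evil-host pattern.
BYPASS_URLS = [
    "https://stock.weliketoshop.net@evil-host/admin",      # credential injection
    "https://evil-host#stock.weliketoshop.net",            # fragment identifier
    "https://stock.weliketoshop.net.evil-host/admin",      # attacker-owned subdomain
    "https://stock.weliketoshop.net%23@evil-host/admin",   # encoded '#' combined with '@'
]
LEGIT_URL = "https://stock.weliketoshop.net:8080/product/stock/check?productId=6&storeId=1"

if __name__ == "__main__":
    for url in BYPASS_URLS + [LEGIT_URL]:
        print(url, analyse(url))
```

The strict check is deliberately an exact comparison of the parsed hostname plus a refusal of any userinfo; it must be done with the same parser the outgoing request will use, since a differential between two parsers is exactly what these payloads exploit.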
Open Redirect Bypass
If the application (or any host on the whitelist) contains an open redirect, an attacker can supply a URL that satisfies the filter because its host is permitted, but that redirects to the internal target; a server-side HTTP client that follows redirects automatically then completes the SSRF, because the filter only ever examined the first URL.
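An added example (not from the original article) of the redirect problem and its fix. A tiny fake network, constructed here to mirror the page's scenario, serves the open redirect on weliketoshop.net and the admin page on 192.168.0.68. The first fetcher validates the submitted URL once and then follows Location headers, as a client with automatic redirects does; the second turns automatic redirects off and re-validates every hop. The hostnames and responses are assumptions for the demonstration.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"weliketoshop.net"}     # the whitelist the filter enforces
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: URL -> (status, Location header).
# Not real hosts; it mirrors the page's open redirect and internal target.
FAKE_SERVERS = {
    "http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin":
        (302, "http://192.168.0.68/admin"),
    "http://192.168.0.68/admin": (200, None),
    "http://weliketoshop.net/product/stock/check?productId=6&storeId=1": (200, None),
}


def fake_fetch(url: str):
    return FAKE_SERVERS.get(url, (404, None))


def url_allowed(url: str) -> bool:
    u = urlsplit(url)
    return u.scheme in ("http", "https") and u.hostname in ALLOWED_HOSTS


def fetch_checking_first_url(url, fetch=fake_fetch, max_redirects=5):
    """The vulnerable pattern: validate the submitted URL once, then let the
    client follow whatever Location headers come back."""
    if not url_allowed(url):
        raise PermissionError(url)
    chain = [url]
    for _ in range(max_redirects):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return status, chain
        url = urljoin(url, location)
        chain.append(url)
    raise RuntimeError("too many redirects")


def fetch_checking_every_hop(url, fetch=fake_fetch, max_redirects=5):
    """Hardened: automatic redirects off, each hop re-validated before it is fetched."""
    chain = []
    for _ in range(max_redirects + 1):
        if not url_allowed(url):
            raise PermissionError(url)     # names the hop that failed the check
        chain.append(url)
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return status, chain
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def outcome(fetcher, url) -> str:
    """Summarise what a fetcher does with url: 'ok <status> <final url>' or 'blocked <url>'."""
    try:
        status, chain = fetcher(url)
        return f"ok {status} {chain[-1]}"
    except PermissionError as e:
        return f"blocked {e}"


ATTACK_URL = ("http://weliketoshop.net/product/nextProduct"
              "?currentProductId=6&path=http://192.168.0.68/admin")
LEGIT_URL = "http://weliketoshop.net/product/stock/check?productId=6&storeId=1"

if __name__ == "__main__":
    for url in (LEGIT_URL, ATTACK_URL):
        print(outcome(fetch_checking_first_url, url), "|", outcome(fetch_checking_every_hop, url))
```

With a real client the same shape applies: disable automatic redirects (for example, allow_redirects=False in requests), read the Location header yourself, and run the full validation, including the IP canonicalisation from the blacklist section, on every hop before issuing it.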
The application's own redirect endpoint sends the client to whatever URL the path parameter names:

/product/nextProduct?currentProductId=6&path=http://evil-user.net

The filter on stockApi sees only the permitted host weliketoshop.net; the server then follows the redirect to the internal target. The nested query characters are form-encoded so that the & does not split stockApi into a second form field:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

stockApi=http://weliketoshop.net/product/nextProduct%3FcurrentProductId%3D6%26path%3Dhttp://192.168.0.68/admin

Blind (Invisible) SSRF
Blind SSRF occurs when the server makes a backend request but does not return the response to the client, making exploitation harder but still useful for out‑of‑band data exfiltration or internal scanning.
Detection relies on out‑of‑band techniques (OAST), such as using Burp Collaborator to generate a unique domain and monitoring for DNS or HTTP interactions triggered by the vulnerable server.
Even without visible responses, blind SSRF can be leveraged to discover internal services, trigger secondary vulnerabilities, or achieve remote code execution if the backend client processing the response is vulnerable.
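The out-of-band detection described above, as an added example that is not part of the original article. A unique token goes into each injection point, so that any DNS lookup or HTTP request arriving at your own Collaborator-style domain can be traced back to the parameter that caused it. The log format, the domain oast.example, the parameter names and the tokens are all constructed for the demonstration. The classification also captures a common blind SSRF outcome: a DNS-only hit means the server resolved the name but no HTTP request arrived (outbound HTTP filtered, or the client never connected), which still confirms that the parameter reaches a server-side resolver.

```python
import re
import secrets

OAST_DOMAIN = "oast.example"   # assumed: a domain whose DNS and HTTP traffic you log


def new_probe_url(token_bits: int = 48) -> tuple:
    """A fresh unique token and the probe URL to inject; use one per injection point."""
    token = secrets.token_hex(token_bits // 8)
    return token, f"http://{token}.{OAST_DOMAIN}/"


# Tokens already issued for this test run, one per injection point (constructed).
PROBES = {
    "stockApi": "a1b2c3d4",
    "Referer": "0f9e8d7c",
    "X-Forwarded-For": "5566aabb",
}

# Constructed log lines in the shape: <timestamp> <kind> <source ip> <detail>
OAST_LOG = """\
2024-05-02T10:14:07Z dns 203.0.113.8 a1b2c3d4.oast.example A
2024-05-02T10:14:07Z http 203.0.113.8 GET / Host=a1b2c3d4.oast.example UA=Java/11.0.2
2024-05-02T10:14:09Z dns 203.0.113.8 5566aabb.oast.example A
2024-05-02T10:14:31Z dns 198.51.100.23 deadbeef.oast.example A
"""

_TOKEN_RE = re.compile(r"\b([0-9a-f]+)\." + re.escape(OAST_DOMAIN) + r"\b")


def correlate(log_text: str, probes: dict) -> dict:
    """Map each injection point to the (kind, source ip, timestamp) interactions
    its token produced; tokens not issued by us (the last log line) are ignored."""
    by_token = {tok: param for param, tok in probes.items()}
    hits = {param: [] for param in probes}
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue
        ts, kind, src, _detail = fields
        for tok in _TOKEN_RE.findall(line):
            if tok in by_token:
                hits[by_token[tok]].append((kind, src, ts))
    return hits


def classify(hits: dict) -> dict:
    """dns+http: full outbound reach; dns-only: name resolved, no HTTP arrived; none: no signal."""
    out = {}
    for param, events in hits.items():
        kinds = {k for k, _, _ in events}
        out[param] = "dns+http" if "http" in kinds else "dns-only" if "dns" in kinds else "none"
    return out


if __name__ == "__main__":
    hits = correlate(OAST_LOG, PROBES)
    for param, verdict in classify(hits).items():
        print(f"{param:16} {verdict:9} {hits[param]}")
```

The source address and User-Agent captured on the HTTP side are worth recording too: they identify which back-end host made the request and which client library it uses, which is the starting point for the secondary attacks on the response-processing client mentioned above.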
System Architect Go