Server-side request forgery (SSRF) is a vulnerability that lets a malicious hacker send a request from the back end of the software to another server or to a local service. The server or service that receives that request believes that the request came from the application and is legitimate.
Severity: |
![]() ![]() ![]() ![]() |
severe |
Prevalence: |
![]() ![]() |
discovered regularly |
Scope: |
![]() ![]() ![]() ![]() |
may appear in all networked software |
Technical impact: | access to privileged resources | |
Worst-case consequences: | full system compromise | |
Quick fix: | sanitize user data in calls to other servers |
When you build networked software, you often need to make requests to other servers. Developers typically use them to fetch remote resources, such as software updates, or to import metadata from another application. Such requests are not dangerous in general, but if implemented incorrectly, they can make the software vulnerable to server-side request forgery.
An SSRF vulnerability can be introduced when you use user input data to create a request, for example, when building a URL. To perform an SSRF attack, an attacker can then change a parameter value in the vulnerable software to create or control requests coming from that software and going to other servers or even the same server.
SSRF vulnerabilities may appear in any type of computer software, in almost every programming language, and on any platform, as long as the software works in a networked environment. Most SSRF vulnerabilities happen in web applications and other networked applications, but they may also appear in server software itself.
In addition to regular (non-blind) SSRF vulnerabilities, there are also other types of SSRF. These include blind SSRF vulnerabilities, where the attacker does not directly receive any data from the attacked resource. Attackers can use blind SSRF to trigger actions that they can only trigger from within an internal network.
SSRF is classified as CWE-918. Also note that due to its severity, SSRF is the only type of vulnerability that has its own category in the OWASP Top 10 2021 list.
The most common example of SSRF in web applications is when the attacker can input or influence a third-party service URL to which the web application makes a request.
The following code was written to output a PNG image imported from another URL as if it was part of your own HTML page.
<?php
if (isset($_GET['url'])) {
$url = $_GET['url'];
$image = fopen($url, 'rb');
header("Content-Type: image/png");
fpassthru($image);
}
?>
Note that the attacker has full control of the url parameter. They can make arbitrary GET requests to any external IP, including those on the local network, and to resources on the server that hosts the vulnerable application (localhost).
Using the vulnerable application, the attacker can make the following request to Apache web servers with mod_status enabled (which is the default configuration):
GET /?url=http://localhost/server-status HTTP/1.1
As a result, the attacker receives detailed information on the server version, installed modules, and more. This helps the attacker search for more potential vulnerabilities.
Apart from the http and https URL schemas, attackers might also use legacy URL schemas in their payloads, such as the file schema, to try and access files on the local system or the internal network.
GET /?url=file:///etc/passwd HTTP/1.1
This payload will provide the attacker with the content of the /etc/passwd file from the server hosting the vulnerable application.
Some applications might permit attackers to use exotic URL schemas. For example, if the application uses cURL to make requests, an attacker can use the dict URL schema to make requests to any host on any port and send custom data.
GET /?url=dict://localhost:11211/stat HTTP/1.1
The above request will cause the application to connect to localhost on port 11211 and send the string stat. Port 11211 is the default port used by the Memcached caching service. This port is not normally exposed to the outside network, but it is accessible from localhost, in this case via SSRF.
There are two primary goals that an attacker has in mind when attempting a server-side request forgery attack:
For these reasons, SSRF exploits are usually a preliminary attack step before exploiting another vulnerability. For example:
Therefore, in the worst case, if SSRF is combined with other attack vectors such as RCE, XXE, XSS, CSRF, or SQLi, it may allow attackers to take full control of a vulnerable server or access highly sensitive data.
The best way to detect SSRF vulnerabilities depends on whether they are already known or unknown.
When dealing with custom software, note that server-side request forgery vulnerabilities are not easy to detect using simple tools because finding them requires a combined approach. You may identify some SSRF vulnerabilities that involve access to other servers simply based on being able to access these servers. This is the way that many SSRF vulnerabilities are detected by Acunetix and Netsparker. Both these tools include an external listener service and whenever a scan causes your application to send an HTTP request to that service, you have proof of an SSRF vulnerability.
However, in the case of SSRF attacks that target the web application server itself or internal services only, such a third-party service is not sufficient. In such cases, you must check if it is possible to access typical local resources, such as publicly accessible files that you know exist on the server. This can also be automated with professional tools, but additional penetration testing is always recommended to detect less common cases.
The only way to guarantee that your code will not have an SSRF vulnerability is not to use any data originating from user input when you access other servers. Unfortunately, many applications need such functionality and in these cases, you need to explore less-than-perfect solutions instead. As with most other software vulnerabilities, these solutions mostly rely on input validation and sanitization. However, remember that there is no universal method because the available options highly depend on application functionality and business requirements.
Avoid using blacklists or regular expressions to filter user input. There is always a risk that attackers will find methods to bypass them. In the case of SSRF, an attacker can use an HTTP redirect, a wildcard DNS service such as xip.io, or even alternate IP encoding. If you absolutely must rely on a blacklist, make sure you validate user input properly. For example, do not allow requests to endpoints with private (non-routable) IP addresses (RFC 1918).
The following combined methods will help you avoid most SSRF vulnerabilities, but you must realize that they are not perfect, even when all used together. That is why security testing is needed even with the best secure coding practices.
Methods to mitigate SSRF attacks are different depending on the type of software that has these vulnerabilities.
In the case of zero-day SSRF in third-party software, you can only rely on temporary WAF (web application firewall) rules for mitigation. However, this only makes the SSRF harder to exploit and does not eliminate the root cause.
Mitigating SSRF requires focusing not only on the potentially vulnerable application but also on the possible targets of an SSRF attack. This includes making sure that even if you have an SSRF vulnerability somewhere in your internal network, local services on the network cannot be abused through that SSRF.
For example, services such as Memcached, Redis, Elasticsearch, and MongoDB do not require authentication by default because they usually run on internal networks. If you don’t turn on authentication, attackers may be able to access these services via server-side request forgery vulnerabilities in other applications.
Therefore, to protect your sensitive information and ensure web application security, you should enable authentication wherever possible to minimize the risk of SSRF attacks on local services.
Classification | ID |
---|---|
CAPEC | 347 |
CWE | 918 |
WASC | 15 |
OWASP 2021 | A10 (standalone category) |
Server-side request forgery (SSRF) is a vulnerability that lets a malicious hacker send a request from the back end of an application to another server or to a local service. The server or service receiving that request then believes that it came from the application and is legitimate.
Read about the Capital One 2019 attack, where SSRF was one of the techniques used.
SSRF is often the first step in a multi-stage attack. In the worst case, if SSRF is combined with RCE, XXE, XSS, CSRF, or SQLi, it may allow attackers to take full control of a vulnerable server or access highly sensitive data.
Learn how attackers can use SSRF for internal port scanning.
To avoid SSRF, never trust user input. If your application needs to pass URLs in requests, use a whitelist for IP addresses and domains, and always validate if the response has the expected format and content.
Find out more about web application security best practices.