SSRF Attacks: The Silent Threat Hiding in Your Server
Golam_Mostafa
Posted on November 16, 2024
What is SSRF (Server-Side Request Forgery)?
Server-Side Request Forgery (SSRF) is a web vulnerability where attackers trick a server into making unauthorized requests to internal or external systems.
How Does It Work?
An attacker sends a malicious URL in a request that the server processes as legitimate. The server then makes the request on the attacker's behalf.
Example:
A shopping app checks stock by making a backend API request:
POST /product/stock
stockApi=http://stock.server.com/check?productId=6&storeId=1
An attacker modifies the URL to point to the server's admin page:
POST /product/stock
stockApi=http://localhost/admin
The server fetches and returns restricted admin data, bypassing access controls.
Why Does This Happen?
- Access Control Gaps: Checks are skipped for local requests.
- Recovery Features: Admin access is granted to local users without authentication.
- Hidden Interfaces: Admin tools on separate ports trust local machine requests.
Protect Against SSRF
- Validate and sanitize input URLs.
- Use URL whitelists.
- Restrict internal service access.
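The three mitigations above, applied to the stockApi example from the post, as an added example (not code from the original post or from PortSwigger). It assumes a single allowlisted backend host, `stock.server.com`, and takes an injectable `resolve` function so the check can be exercised offline; everything else uses only the Python standard library.

```python
"""Allowlist validation for a user-supplied stockApi URL (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only backend the stock check is permitted to call.
ALLOWED_HOSTS = {"stock.server.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


class UnsafeUrl(ValueError):
    """Raised when a stockApi value fails validation."""


def is_internal_ip(ip_text):
    """True for loopback, private, link-local and other non-routable addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_stock_api(url, resolve=socket.gethostbyname):
    """Return (scheme, host, port, resolved_ip) for an acceptable URL.

    Raises UnsafeUrl otherwise. `resolve` maps a hostname to an IPv4 string;
    it defaults to a real DNS lookup and is injectable for offline testing.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parsed.scheme!r}")
    # Use the parsed hostname, not string matching on the raw URL: this strips
    # userinfo and port, so the allowlist comparison is on the real host.
    host = parsed.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host not on allowlist: {host!r}")
    try:
        port = parsed.port  # raises ValueError for a malformed port
    except ValueError as exc:
        raise UnsafeUrl(f"malformed port in {url!r}") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port!r}")
    # Restrict internal service access: even an allowlisted name must not
    # resolve to loopback or an internal range.
    ip = resolve(host)
    if is_internal_ip(ip):
        raise UnsafeUrl(f"{host} resolves to internal address {ip}")
    return parsed.scheme, host, port, ip


def is_allowed(url, resolve=socket.gethostbyname):
    """Boolean wrapper around validate_stock_api."""
    try:
        validate_stock_api(url, resolve)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    # Constructed resolver: pretends the backend lives at a public address.
    fake_dns = lambda host: "93.184.216.34"
    for candidate in (
        "http://stock.server.com/check?productId=6&storeId=1",  # the legitimate request
        "http://localhost/admin",                                # the payload from the post
        "http://stock.server.com:8080/check",                    # hidden interface on another port
        "ftp://stock.server.com/check",                          # scheme not allowed
    ):
        print(f"{candidate:55} -> {'allowed' if is_allowed(candidate, fake_dns) else 'blocked'}")
```

Validating the URL and then letting an HTTP client resolve the name a second time leaves a gap (the name can change between the two lookups), so the request should be sent to the `ip` that `validate_stock_api` returns rather than re-resolved.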
SSRF can be critical, but good design and input validation can prevent it.
Acknowledgment: This document references information from PortSwigger Web Security and ChatGPT.