Server-Side Request Forgery (SSRF)

SSRF Attack Examples

1. Access Cloud Metadata (AWS)

On AWS EC2 instances, try accessing instance metadata:

http://169.254.169.254/latest/meta-data/

This can reveal IAM credentials, instance info, and security groups.

2. Scan Internal Network

Try accessing internal services:

• http://localhost:8080 – Internal web service
• http://192.168.1.1 – Router/gateway
• http://127.0.0.1:6379 – Redis database

3. Read Local Files (if file:// is allowed)

file:///etc/passwd

May not work depending on PHP configuration (allow_url_include).

4. Port Scanning

Vary the port number to scan internal services:

http://localhost:PORT

Response times and error messages reveal open/closed ports.

Defence Strategies

• Allowlist allowed domains: Only allow requests to specific, trusted domains
• Block private IP ranges: Reject 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 private address ranges from RFC 1918
• Block dangerous protocols: Only allow http:// and https://, and block file://, gopher://, etc.
• Use a dedicated service: Proxy requests through a sandboxed service with strict rules
• Disable redirects: Prevent attackers from using redirects to bypass filters
• Network segmentation: Isolate web servers from internal services
• Validate fetched resources before use: Ensure that files are actually the types they say they are, and block or ignore any file types you don't explicitly need to support.