Security

SSRF: The Overlooked Vulnerability in Modern Web Apps

By HackTool Team


Server-side request forgery happens when an attacker can make your server send HTTP requests to destinations they choose. It sounds niche, but SSRF was the root cause of the 2019 Capital One breach that exposed 100 million records.


How SSRF Works


Any feature where your application fetches a URL on behalf of the user is a potential SSRF vector:


  • URL preview / link unfurling
  • Webhook delivery
  • PDF generation from URLs
  • Image/file import from URL
  • RSS feed parsing

    • The attacker provides a URL pointing to an internal service — like the cloud metadata endpoint at 169.254.169.254 — and your server dutifully fetches it.


    Why It Matters


    In cloud environments, the metadata endpoint returns IAM credentials, instance configuration, and sometimes database connection strings. An SSRF vulnerability can turn a simple URL parameter into full cloud account compromise.


    Even without cloud metadata, SSRF gives attackers access to internal services behind the firewall: admin panels, databases, message queues, and monitoring tools that are assumed to be unreachable from the internet.


    Common Bypass Techniques


    Simple URL validation is easy to bypass:


  • **DNS rebinding** — a domain that resolves to a public IP first, then an internal IP on the second lookup
  • **URL encoding** — hex-encoded dots, octal IP notation, IPv6 representations
  • **Redirect chains** — point to a server you control that 302 redirects to an internal IP
  • **Parser inconsistencies** — different URL parsers handle ambiguous URLs differently

    • Detection


    SSRF detection involves sending payloads that attempt to reach a canary service. The scanner provides a callback URL and checks whether the target server makes a request to it. If the target fetches the canary, the SSRF is confirmed.


    For blind SSRF where there is no visible response difference, out-of-band detection using DNS callbacks is more reliable than response-based analysis.


    Mitigation


  • Maintain an allowlist of permitted domains and IP ranges for outbound requests
  • Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x, 169.254.x)
  • Disable HTTP redirects in server-side HTTP clients, or re-validate after following redirects
  • Use a dedicated egress proxy that enforces the allowlist at the network level

    • ← Back to Blog
    SSRF: The Overlooked Vulnerability in Modern Web Apps | HackTool Blog | HackTool