ShieldReport

Server-Side Request Forgery (SSRF)

Severity: high
A10:2021 | CWE-918 | Server Security

What is SSRF?

SSRF lets an attacker make the server-side application send HTTP requests to a destination of the attacker's choosing, typically internal services that are not reachable directly from the outside.

How it works

The application accepts a URL from user input and fetches it server-side. An attacker supplies URLs pointing at internal destinations (the cloud metadata address 169.254.169.254, localhost, internal APIs) and the server fetches them on the attacker's behalf, exposing metadata, internal APIs, or cloud credentials.

Impact

Cloud metadata credential theft (AWS/GCP/Azure keys), internal service enumeration, port scanning of internal networks, and reading local files via the file:// scheme.

How ShieldReport detects this

ShieldReport tests URL-accepting endpoints with internal IP addresses, cloud metadata URLs, and DNS rebinding payloads.

How to fix it

Validate and sanitize all user-supplied URLs. Use allowlists for permitted domains. Block requests to private IP ranges and cloud metadata endpoints. Use a proxy with egress filtering.
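The vulnerable pattern described under "How it works" and the fix described above, written out as an added example (it is not ShieldReport's code and not taken from this page). The allowlist, the blocked networks and the fake DNS table are constructed for the example. The validator checks the scheme, rejects userinfo, enforces a hostname allowlist, then resolves the name and rejects any answer in a private, loopback or link-local range (which covers the 169.254.169.254 metadata address) before handing back the single IP the client should connect to. Resolving once and pinning that address is what closes the DNS rebinding window the detection section mentions; re-resolving the hostname inside the HTTP client would reopen it.

```python
import ipaddress
import socket
import urllib.request
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Constructed allowlist for this example; a real service loads its own.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Address ranges a user-supplied URL must never reach: loopback, RFC 1918,
# carrier-grade NAT, link-local (includes 169.254.169.254 cloud metadata)
# and the IPv6 equivalents. Constructed list for this example.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

Resolver = Callable[[str], List[str]]


def fetch_unvalidated(url: str) -> bytes:
    """The vulnerable pattern: fetch whatever URL the user supplied."""
    with urllib.request.urlopen(url) as resp:  # never call this with user input
        return resp.read()


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_ip(ip_text: str) -> bool:
    """True when the address falls in a range that must not be fetched."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> str:
    """Return the pinned IP address to connect to, or raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("userinfo not allowed")
    # IP literals never match a hostname allowlist, so 169.254.169.254 fails here.
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    addresses = resolve(host)
    if not addresses:
        raise ValueError(f"host did not resolve: {host}")
    # Every answer is checked: a split answer (one public, one private) is rejected.
    for addr in addresses:
        if is_blocked_ip(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    # The caller must connect to this address (Host/SNI set to `host`),
    # not re-resolve the name, or DNS rebinding can swap the answer.
    return addresses[0]


def check_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Non-raising wrapper: (True, pinned_ip) or (False, reason)."""
    try:
        return True, validate_outbound_url(url, resolve)
    except ValueError as exc:
        return False, str(exc)


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.com": ["203.0.113.20", "10.0.0.5"],  # split answer, must be rejected
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/data",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://cdn.example.com/asset.js",
        "https://user@api.example.com/",
    ):
        print(candidate, "->", check_url(candidate, fake_resolver))
```

In production the returned IP is what the HTTP client must open a socket to; if the client library only accepts a URL, run this check inside an egress proxy that performs the connection itself, as the fix text suggests.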

Tags

server, cloud, internal-network, owasp-top-10


© 2026 ShieldReport. All rights reserved.
