[Application security] How to conduct server-side request forgery (SSRF)

Takahiro Oda
10 min readJan 18, 2022

What we will do in this article

1: set up an initial environment using Docker

2: conduct server-side request forgery (SSRF)

What is server-side request forgery (SSRF)?

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.


How to Prevent

From Network layer

  • Segment remote resource access…