[Application security] How to conduct server-side request forgery (SSRF)

Takahiro Oda
10 min readJan 18, 2022

What we will do in this article

1: set up an initial environment using Docker

2: conduct server-side request forgery (SSRF)

What is server-side request forgery (SSRF)?

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.

https://portswigger.net/web-security/ssrf

How to Prevent

From Network layer

  • Segment remote resource access functionality in separate networks to reduce the impact of SSRF
  • Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic.

From Application layer

  • Sanitize and validate all client-supplied input data
  • Enforce the URL schema, port, and destination with a positive allow list
  • Do not send raw responses to clients
  • Disable HTTP redirections
  • Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions

Example Attack Scenarios

Scenario #1: Port scan internal servers — If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from…