A LIBRARY FOR SECURITY RESEARCHERS

What is Server-Side Request Forgery (SSRF)?

A flaw where an attacker makes the server send requests to destinations the attacker chooses.

SSRF (CWE-918) lets an attacker pivot through a server to reach internal services, cloud metadata endpoints (e.g., 169.254.169.254 to steal cloud credentials), or otherwise unreachable systems.

It became infamous in the 2019 Capital One breach.

How to defend

Allowlist outbound destinations, block link-local and private IP ranges, disable unused URL schemes, and require IMDSv2 on AWS.
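A minimal sketch of the first three controls applied to a user-supplied URL before the server fetches it. This is an added example, not code from this glossary; the allowlist entry `api.partner.example`, the function names and the sample addresses are hypothetical or constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}              # assumption: the app only needs HTTPS
ALLOWED_HOSTS = {"api.partner.example"}  # hypothetical outbound allowlist


def system_resolver(host, port):
    """Default resolver: every address the OS returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public(addr):
    """False for loopback, private, link-local, reserved and similar ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap ::ffff:a.b.c.d so a mapped internal IPv4 address is judged as IPv4.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip.is_global and not ip.is_multicast


def check_destination(url, resolver=system_resolver):
    """Return (ok, detail): detail is the vetted IP list or a rejection reason."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # .hostname ignores userinfo, so "allowed.host@10.0.0.1" is seen as 10.0.0.1.
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolver(host, port)
    # Reject if ANY answer is internal: the allowlisted name may be repointed.
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, addrs
```

The caller should connect to one of the returned addresses rather than resolving the name again, and should run the same check on every redirect target.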

Part of the Ciphers Security glossary. Free reference for analysts, defenders & learners.
