OWASP TOP 10 / A10:2021
Server-Side Request Forgery (SSRF)
Flaws that let an attacker make the server send requests to unintended destinations — including internal services and cloud metadata.
SSRF, a category of its own since the 2021 edition, lets an attacker make the server issue requests on their behalf: to internal systems that are not reachable from the internet, or to cloud instance-metadata endpoints that hand out credentials, which is how the 2019 Capital One breach unfolded.
It is increasingly dangerous in cloud-native architectures, where the application server routinely has network access to sensitive internal endpoints that the attacker does not.
How to prevent it
Allowlist outbound destinations (scheme, host and port) rather than relying on a denylist; resolve hostnames and block private, loopback and link-local ranges (including 169.254.169.254) on the resolved address rather than on the URL string alone; disable URL schemes the application does not need (file://, gopher://, ftp://); do not follow redirects without re-validating each hop; and on AWS enforce IMDSv2, whose session token must be obtained with a PUT request and a custom header that a typical SSRF primitive cannot supply.
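The following is an added example (not code from OWASP or from this page) of the allowlist-and-resolve check described above, written in Python. The policy values (the hosts api.example.com and cdn.example.com, HTTPS on port 443) and the function names are constructed for illustration. The resolver is injectable so the check can be exercised offline; in production the default OS resolver is used.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for this example: allow only HTTPS to two named hosts on 443.
# A real service would load these values from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {443}

# Address ranges a server-side fetch must never reach: "this network", RFC 1918,
# CGNAT, loopback, link-local (which contains the 169.254.169.254 cloud metadata
# endpoint), multicast, reserved, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SSRFBlocked(ValueError):
    """Raised when a URL fails the outbound policy."""


def is_blocked_ip(ip_str):
    """True if the address falls in a range the server must not contact."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(hostname):
    """Resolve a hostname to every A/AAAA answer via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_outbound_url(url, resolver=system_resolver):
    """Check a user-supplied URL against the outbound policy.

    Returns (hostname, port, pinned_ip). The caller should open the TCP
    connection to pinned_ip (keeping hostname for SNI and the Host header)
    so the name is not resolved a second time to a different address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.example.com@evil.example/ puts the real host after the '@'.
        raise SSRFBlocked("userinfo in URL is not allowed")
    hostname = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not hostname:
        raise SSRFBlocked("URL has no host")
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        raise SSRFBlocked("invalid port")
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass  # not an IP literal; continue with the hostname checks
    else:
        # Literal addresses bypass the host allowlist and invite encoding tricks.
        raise SSRFBlocked("IP literals are not allowed; use an allowlisted hostname")
    if hostname not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not in allowlist: {hostname!r}")
    addresses = resolver(hostname)
    if not addresses:
        raise SSRFBlocked(f"no address for {hostname!r}")
    # Check every answer: an allowlisted name can still be pointed at an internal
    # address (DNS rebinding, or a compromised or misconfigured zone).
    for addr in addresses:
        if is_blocked_ip(addr):
            raise SSRFBlocked(f"{hostname!r} resolves to blocked address {addr}")
    return hostname, port, addresses[0]


def is_allowed(url, resolver=system_resolver):
    """Boolean wrapper around validate_outbound_url for quick policy checks."""
    try:
        validate_outbound_url(url, resolver)
    except SSRFBlocked:
        return False
    return True
```

The allowlist is the primary control and the range check is defence in depth: an allowlisted name that suddenly resolves to 10.0.0.5 is rejected even though the name itself is trusted. The function validates only the first hop, so the HTTP client must be configured not to follow redirects, or each Location header must be passed back through the same check. Enforcing IMDSv2 on the instance is a separate, cloud-side layer that still applies if application-level validation is bypassed.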
Mapped weaknesses (CWE)
Free tools to test for it
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.