Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A10: Server-Side Request Forgery (SSRF)

Can someone use your website as a proxy to reach private systems?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Some websites let users provide a URL. If the website blindly fetches that URL, an attacker can provide an internal URL and pull private data. In cloud environments this often leads to full takeover via metadata-service abuse.

Questions to ask yourself

  • Does our site let users provide URLs (link previews, webhook config, ‘fetch from URL’)?
  • Do we host on a cloud provider?
  • If our site tried to reach http://169.254.169.254/, would anything stop it?

For owners — questions to ask your developer

Questions to ask your developer

SSRF is one of the easiest cloud-breach paths in 2026.

  • 01“Does our site fetch URLs that users provide (link previews, webhook configuration, ‘import from URL’)? If so, do we block requests to internal IP ranges?”
  • 02“On our cloud provider, is IMDSv2 (AWS) or its equivalent enabled to protect the metadata service?”
  • 03“Can we allowlist the external destinations our server is allowed to call?”