Background
Some websites let users provide a URL. If the website blindly fetches that URL, an attacker can provide an internal URL and pull private data. In cloud environments this often leads to full takeover via metadata-service abuse.
Questions to ask yourself
- Does our site let users provide URLs (link previews, webhook config, ‘fetch from URL’)?
- Do we host on a cloud provider?
- If our site tried to reach
http://169.254.169.254/, would anything stop it?
For owners — questions to ask your developer
Questions to ask your developer
SSRF is one of the easiest cloud-breach paths in 2026.
- 01“Does our site fetch URLs that users provide (link previews, webhook configuration, ‘import from URL’)? If so, do we block requests to internal IP ranges?”
- 02“On our cloud provider, is IMDSv2 (AWS) or its equivalent enabled to protect the metadata service?”
- 03“Can we allowlist the external destinations our server is allowed to call?”