
OWASP A10: Server-Side Request Forgery (SSRF)

Can someone use your website as a proxy to reach private systems?

Background

Some websites let users provide a URL. If the website fetches that URL without checking where it points, an attacker can supply an internal URL (a cloud metadata endpoint, an admin service on the private network) and read private data through the server's response.

Questions to ask yourself

  • Does our site let users provide URLs (link previews, webhook config, ‘fetch from URL’)?
  • Do we host on a cloud provider?
  • If our site tried to reach http://169.254.169.254/, would anything stop it?

What you can do today

Three controls

SSRF is one of the easiest cloud-breach paths in 2026.

  1. Block server-side requests to internal IP ranges (10.x, 172.16–31.x, 192.168.x, 169.254.x).
  2. On AWS, ensure IMDSv2 is required. Equivalents on Azure and GCP.
  3. Where possible, allowlist external destinations.
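As an added example (not code from OWASP or from this page), the following Python validator implements controls 1 and 3 together: it refuses non-HTTP schemes and embedded credentials, enforces an optional host allowlist before any DNS lookup, resolves the hostname and rejects the fetch if any resolved address falls in a private, link-local, loopback or similar range, and returns the vetted IP so the caller can connect to that exact address. The `SAMPLE_DNS` table and `sample_resolver` are constructed stand-ins for real DNS so the example runs offline; `system_resolver` uses the real resolver.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

# Destinations a server-side fetcher must never reach: the RFC 1918 ranges,
# link-local (the cloud metadata service sits at 169.254.169.254), loopback,
# carrier-grade NAT, the "this network" block, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table standing in for real resolution so the example runs
# offline. 203.0.113.0/24 is documentation address space (RFC 5737).
SAMPLE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "dual.example": ["203.0.113.5", "10.0.0.5"],  # one public, one private record
    "meta.example": ["169.254.169.254"],          # alias pointing at the metadata IP
}


class SSRFBlocked(ValueError):
    """Raised when a user-supplied URL must not be fetched from the server."""


def sample_resolver(host: str) -> list[str]:
    """Constructed resolver backed by SAMPLE_DNS (assumption: offline demo only)."""
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    raise socket.gaierror(f"constructed resolver: unknown host {host!r}")


def system_resolver(host: str) -> list[str]:
    """Real resolver: return every A/AAAA record, since any of them may be used."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver=system_resolver,
                          allowed_hosts: set[str] | None = None) -> str:
    """Return the vetted IP the caller should connect to, or raise SSRFBlocked."""
    try:
        parsed = urlparse(url)
    except ValueError as exc:  # e.g. malformed bracketed IPv6 literal
        raise SSRFBlocked(f"unparseable URL: {exc}") from exc
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        raise SSRFBlocked("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise SSRFBlocked("credentials in URL are not allowed")
    # Control 3: when an allowlist exists, it is checked before any DNS lookup.
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SSRFBlocked(f"host not in allowlist: {host!r}")
    # Control 1: decide on the address actually reached, not on the URL text.
    # A literal address is parsed directly; anything else (including alternate
    # spellings such as 0x7f000001, which OS resolvers accept) goes through DNS.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            raise SSRFBlocked(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise SSRFBlocked(f"no addresses for {host!r}")
    blocked = [str(a) for a in addrs if is_blocked_ip(a)]
    if blocked:
        raise SSRFBlocked(f"{host!r} resolves to blocked address(es): {blocked}")
    return str(addrs[0])


def is_fetch_allowed(url: str, resolver=system_resolver,
                     allowed_hosts: set[str] | None = None) -> bool:
    """Boolean wrapper around validate_outbound_url for policy checks."""
    try:
        validate_outbound_url(url, resolver, allowed_hosts)
        return True
    except SSRFBlocked:
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "http://dual.example/", "http://[::ffff:10.0.0.1]/",
              "file:///etc/passwd"):
        print(u, "->", "allowed" if is_fetch_allowed(u, sample_resolver) else "blocked")
```

Two points the validator cannot cover on its own: the fetcher should open its connection to the IP that `validate_outbound_url` returned (sending the original hostname in the `Host` header or SNI) rather than resolving the name a second time, which closes the window in which a DNS answer can change between check and use; and it should either disable automatic redirects or run the same validation on every redirect target, since a permitted external host can otherwise redirect the server to an internal one. Control 2 is a platform setting rather than application code: on AWS it corresponds to `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-tokens required`, which makes the metadata service refuse the plain unauthenticated GET that an SSRF typically issues.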