Basic SSRF

What is Basic SSRF#

Basic (in-band) SSRF is the simplest and most immediately impactful form of CWE-918. An application accepts a URL from user input, makes a server-side HTTP request to that URL, and returns the response — or a portion of it — directly in the HTTP reply. The attacker sees the response from the internal target as if the server is a transparent proxy.

The distinguishing characteristic is visibility: unlike blind SSRF, where the response is suppressed, basic SSRF returns the retrieved content. This makes it trivially exploitable for cloud credential theft and internal reconnaissance without needing out-of-band infrastructure. OWASP A10:2021 identifies this pattern as one of the highest-impact web vulnerabilities precisely because the cloud metadata endpoint (169.254.169.254) is reachable by default from any AWS, GCP, or Azure instance.

Mechanism#

The server accepts user input containing a URL, constructs an HTTP request, and reflects the response. The attack leverages the server's trusted network position: internal services that would return 403 Forbidden or be unreachable from the internet respond normally to requests from the server's IP.

The attack chain:

1. Attacker identifies a URL-accepting parameter (url, src, image, callback, webhook, redirect, import, etc.)
2. Attacker submits an internal target URL (http://127.0.0.1/, http://169.254.169.254/, http://192.168.1.1:8080/admin/)
3. Application makes the server-side request from its own IP (bypasses all external firewall rules)
4. Internal service responds normally (no auth required for metadata, no network restriction)
5. Application returns the response — attacker reads internal content directly

The vulnerable code pattern in Python:

# VULNERABLE — direct user-controlled URL fetch
import requests
 
def fetch_preview(url: str) -> dict:
    # url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE"
    resp = requests.get(url, timeout=10, allow_redirects=True)
    return {"content": resp.text, "status": resp.status_code}
    # Attacker receives IAM credentials in JSON response

Attack Variants#

Link unfurling is a high-value hidden attack surface: applications that generate URL previews (Slack, Discord, CMS preview cards) all make server-side requests to attacker-supplied URLs.

Real-World Examples#

Capital One 2019 — The canonical SSRF breach. A WAF product deployed on an EC2 instance had a misconfiguration that allowed SSRF. The attacker submitted HTTP requests containing the AWS IMDSv1 metadata URL. The WAF made the request from its internal EC2 IP, returned the IAM role name, then the attacker fetched the credential JSON: {"AccessKeyId":"ASIAJWNJSXFH...","SecretAccessKey":"...","Token":"...","Expiration":"2019-03-18T12:54:10Z"}. The overprivileged ISRM-WAF-Role had S3 GetObject access on 700+ buckets. Approximately 30 GB of data was exfiltrated — 100 million US records and 6 million Canadian records. The resulting $80M OCC fine was the largest ever for a data breach at the time. At disclosure (2024), only 32% of EC2 instances had IMDSv2 enforced.

CVE-2024-8977 — GitLab EE (CVSS 8.2, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) — GitLab's Product Analytics Dashboard made server-side HTTP requests to configurable Cube API endpoints. Any authenticated user could replace the Cube endpoint URL with http://169.254.169.254/latest/meta-data/ and the dashboard would display the raw internal response. Fixed in GitLab 17.4.2, 17.3.5, 17.2.9 (October 2024). Reported via HackerOne by joaxcar.

CVE-2025-68437 — Craft CMS — The saveAssets GraphQL mutation accepted arbitrary URLs in _file { url } and fetched them server-side. The fetched content was saved as an asset and downloadable via the CMS API — turning a standard upload feature into a full-read in-band SSRF. CMS platforms that allow asset import from URL are a consistently underestimated attack surface.

Detection#

Manual Testing#

1. Enumerate all URL-accepting parameters: query strings, JSON body fields (url, src, href, callback, webhook, endpoint, redirect, image, avatar, import_url, feed, resource), and HTTP headers (Host, X-Forwarded-Host, Referer).
2. For each candidate, submit http://127.0.0.1/ and compare the response to a control request with a legitimate URL. A difference in content, length, or status code confirms the server made an outbound request.
3. Submit http://169.254.169.254/latest/meta-data/ — if the response contains ami-id, instance-id, or IAM role data, the application is in a cloud environment and credentials are directly accessible.
4. Test the localhost admin panel: http://127.0.0.1:8080/admin/, http://localhost:3000/, http://127.0.0.1:9200/ (Elasticsearch).
5. If an error response mentions "connection refused" or "timeout" differently for port 80 vs port 22, this confirms internal port scanning via SSRF (useful even without response reflection).

# Burp Repeater — basic SSRF test
GET /api/image-preview?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: target.example.com
 
# Expected vulnerable response:
# ami-id
# ami-launch-index
# hostname
# iam/
# ... (metadata listing)

Automated Detection#

Nuclei includes SSRF templates that test common parameter names against cloud metadata endpoints. SSRFmap automates multi-parameter fuzzing with cloud-specific payloads. Burp Scanner Pro identifies URL-accepting parameters and tests OOB callbacks via Collaborator.

BreachVex scans 80+ canonical SSRF parameter names plus value-based detection (any parameter value matching https?:// or bare IPv4), fires cloud metadata probes for AWS/GCP/Azure, and measures differential response against RFC 5737 control IPs (192.0.2.1) to confirm request execution without requiring response reflection.

Prevention#

Strict Allowlist Validation#

import ipaddress
import socket
import urllib.parse
from typing import Optional
 
ALLOWED_HOSTS = frozenset({"api.stripe.com", "hooks.slack.com", "cdn.example.com"})
 
class SSRFError(ValueError):
    pass
 
def validate_and_fetch(url: str) -> str:
    parsed = urllib.parse.urlparse(url)
 
    # Scheme allowlist — rejects gopher://, file://, dict://, ftp://
    if parsed.scheme not in ("http", "https"):
        raise SSRFError(f"Disallowed scheme: {parsed.scheme}")
 
    host = (parsed.hostname or "").rstrip(".")  # strips trailing FQDN dot bypass
    if not host:
        raise SSRFError("Missing hostname")
 
    # Exact host allowlist — not contains/startsWith
    if host not in ALLOWED_HOSTS:
        raise SSRFError(f"Host not in allowlist: {host}")
 
    # Resolve DNS and validate ALL returned addresses (defeat DNS aliases + nip.io)
    try:
        results = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        for (_, _, _, _, sockaddr) in results:
            ip = ipaddress.ip_address(sockaddr[0])
            if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
                ip = ip.ipv4_mapped  # normalize ::ffff:169.254.169.254
            if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
                raise SSRFError(f"Resolved to blocked address: {ip}")
    except (socket.gaierror, ValueError) as e:
        raise SSRFError(f"DNS validation failed: {e}")
 
    import requests
    # Disable redirect following — validate Location header separately
    resp = requests.get(url, timeout=5, allow_redirects=False)
    if resp.is_redirect:
        raise SSRFError(f"Redirect to unvalidated URL: {resp.headers.get('location')}")
    return resp.text

Response Content Filtering#

Do not return raw internal responses. If the feature only needs a title or image, extract the specific field and discard the rest:

# VULNERABLE — returns raw internal response
return {"preview": requests.get(url).text}
 
# SAFE — extracts only the needed field
from bs4 import BeautifulSoup
soup = BeautifulSoup(requests.get(validated_url, allow_redirects=False).text, "html.parser")
title = soup.find("title")
return {"preview_title": title.text[:200] if title else ""}

Resources#

• SSRF — Pillar Overview
• OWASP SSRF Prevention Cheat Sheet
• PortSwigger — SSRF Labs
• NVD — CVE-2024-8977