# Server-Side Request Forgery (A10:2021)

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.

## Overview

New for 2021. This category represents a scenario where the security community is telling us this is important, even though it is not yet illustrated in the data.

## How Attackers Exploit This

### Internal service access

Attackers use the server to make requests to internal services that are not directly reachable from the internet.

**Detection signal:** outbound requests from the application to internal IP ranges, localhost, or cloud metadata endpoints.

### Cloud metadata exploitation

In cloud environments, SSRF can reach the instance metadata service and obtain credentials or sensitive configuration.

**Detection signal:** requests to 169.254.169.254 or similar metadata endpoints.

## How to Prevent

- Segment remote-resource-access functionality into separate networks
- Enforce URL scheme, port, and destination with a positive allowlist
- Do not send raw responses to clients
- Disable HTTP redirections
- Be aware of URL consistency, so that the address that was checked is the address actually connected to, to avoid DNS rebinding attacks

## CWEs with Detection Rules (1)

- **CWE-918**: Server-Side Request Forgery (SSRF) (4 rules) [go, javascript, typescript, python]

## Quick Reference

- Total CWEs: 1
- With Shoulder rules: 1
- Detection rules: 4
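The two detection signals above (requests to internal ranges, localhost and the 169.254.169.254 metadata address) and the allowlist items under "How to Prevent" (scheme, port and destination allowlist, no redirects, URL consistency against DNS rebinding) can be demonstrated with one worked example. The code below is an added illustration, not code from this page or from the Shoulder rule set: the log format, the `outbound url=... status=...` lines, the hostnames `images.partner.example` / `cdn.partner.example`, the `FAKE_DNS` answers and the policy values are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Address ranges an outbound request from the server should never reach.
# The list is explicit (rather than relying on ipaddress.is_private) so the policy
# behaves the same on every Python version and is easy to audit.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
METADATA_IP = ipaddress.ip_address("169.254.169.254")
# Names that identify internal or metadata services without any DNS lookup.
SUSPICIOUS_NAMES = {"localhost", "metadata.google.internal"}

def is_internal(ip):
    """True if ip (IPv4Address/IPv6Address) is in a loopback, private, link-local or metadata range."""
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:10.0.0.5 -> 10.0.0.5
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)

def classify_host(host):
    """Return a short reason if a URL host points at an internal/metadata target, else None."""
    if not host:
        return None
    name = host.lower()
    if name in SUSPICIOUS_NAMES:
        return "suspicious hostname"
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return None            # ordinary hostname; DNS is not consulted at this stage
    if ip == METADATA_IP:
        return "cloud metadata endpoint"
    if is_internal(ip):
        return "internal address"
    return None

# --- Detection: scan an outbound-request log for the signals named in the text ---------

# Constructed sample log (not real traffic) in a hypothetical "outbound url=... status=..." format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z outbound url=https://api.example.com/v1/items status=200
2024-05-01T10:00:02Z outbound url=http://169.254.169.254/latest/meta-data/iam/ status=200
2024-05-01T10:00:03Z outbound url=http://localhost:8500/v1/kv/ status=200
2024-05-01T10:00:04Z outbound url=http://10.0.3.7:6379/ status=000
2024-05-01T10:00:05Z outbound url=http://[::1]:9200/_cat/indices status=200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) outbound url=(?P<url>\S+) status=(?P<status>\d+)$")

def find_ssrf_signals(log_text):
    """Return (timestamp, url, reason) for each log line whose destination is internal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_host(urlsplit(m.group("url")).hostname)
        if reason:
            hits.append((m.group("ts"), m.group("url"), reason))
    return hits

# --- Prevention: positive allowlist on scheme, port and destination, with IP pinning ---

ALLOWED_SCHEMES = {"https"}                      # hypothetical policy for one fetch feature
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"images.partner.example", "cdn.partner.example"}
FAKE_DNS = {                                     # constructed answers so this runs offline
    "images.partner.example": "203.0.113.10",
    "cdn.partner.example": "10.0.0.5",           # allowlisted name now pointing inside (rebinding/misconfig)
}

class SSRFRejected(ValueError):
    """Raised when a URL fails the outbound-request policy."""

def validate_outbound_url(url, resolve=FAKE_DNS.get):
    """Enforce the allowlist, resolve once, and return the pinned target the caller connects to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFRejected("userinfo in URL is not allowed")   # text before '@' is not the destination
    host = parts.hostname                                       # already lowercased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        raise SSRFRejected(f"host not allowlisted: {host!r}")
    try:
        port = parts.port or 443
    except ValueError:
        raise SSRFRejected("malformed port")
    if port not in ALLOWED_PORTS:
        raise SSRFRejected(f"port not allowed: {port}")
    answer = resolve(host)
    if answer is None:
        raise SSRFRejected(f"unresolvable host: {host!r}")
    ip = ipaddress.ip_address(answer)
    if ip == METADATA_IP or is_internal(ip):
        raise SSRFRejected(f"{host} resolves to internal address {ip}")
    # Caller connects to ip (never re-resolving host), sends Host/SNI = host, and follows no redirects.
    return {"host": host, "ip": str(ip), "port": port, "path": parts.path or "/"}

def check(url, resolve=FAKE_DNS.get):
    """Convenience wrapper: None when the URL is allowed, otherwise the rejection reason."""
    try:
        validate_outbound_url(url, resolve)
        return None
    except SSRFRejected as e:
        return str(e)
```

The detection half flags four of the five constructed log lines (metadata endpoint, `localhost`, a private IPv4 address and IPv6 loopback) and leaves the public API call alone. The prevention half returns a pinned `ip`; the HTTP client must then open its connection to that address and set the `Host` header and TLS SNI to `host`, with redirect following switched off (for example `allow_redirects=False` in `requests`), otherwise a DNS answer that changes between the check and the connect, or a redirect returned by an allowlisted host, would bypass the validation. The hard-coded `resolve` default is only there to keep the example offline; in a deployment it would be the real resolver, called exactly once per request.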