Server-Side Request Forgery (SSRF)

SSRF tricks a server into making HTTP requests on the attacker's behalf, reaching internal services and cloud metadata endpoints that aren't exposed to the internet.

SSRFGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

SSRF arises when an application fetches a user-supplied URL without restriction. The attacker points it at internal hosts, link-local cloud metadata (169.254.169.254), or alternate schemes — turning the trusted server into a proxy into the internal network.

How to test for it

Supply URLs you control and watch for inbound callbacks, then pivot to internal targets and the cloud metadata service. Defeat naive allow-lists with redirects, DNS rebinding, alternate IP encodings, and non-HTTP schemes.

How to prevent it

Validate and canonicalise URLs against a strict allow-list of hosts and schemes, resolve and re-check the destination IP to block internal ranges, disable unused URL schemes, and require IMDSv2 / drop metadata access where possible.

In-depth articles

SSRF Exploitation: Accessing Cloud Metadata and Internal Services11 min read XXE Injection: Complete Exploitation Guide with OOB Exfiltration14 min read Open Redirect Exploitation: From Phishing to OAuth Token Theft12 min read Advanced SSRF Techniques: Bypassing Filters and Pivoting to Internal Services14 min read Cloud Metadata Exploitation: AWS IMDSv1/v2, GCP, Azure, and Kubernetes12 min read

Frequently asked questions

Why is the cloud metadata endpoint a common SSRF target?+

Cloud metadata services (e.g. 169.254.169.254) can return temporary credentials and instance data to any process on the host, so SSRF that reaches them often yields cloud account access.

What is blind SSRF?+

Blind SSRF is when the response isn't returned to you; you confirm it via out-of-band signals like DNS or HTTP callbacks to a server you control.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...