Web Security

SSRF

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can make the server initiate requests to arbitrary URLs, including internal services not accessible from the internet. This can expose cloud metadata services (like AWS IMDSv1), internal admin panels, or other backend systems. SSRF was used in the Capital One breach to extract AWS credentials via the EC2 metadata endpoint. Mitigation includes allowlisting permitted URLs and blocking access to private IP ranges.
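As an added example (not part of the original glossary entry), the Python check below implements the two mitigations just named: an allowlist of permitted hosts, plus a block on private, loopback and link-local ranges, the last of which covers the 169.254.169.254 metadata address that a plain "private IP" filter would miss. The allowlisted hostnames and the injected `resolve` function are assumptions; in production `resolve` would wrap `socket.getaddrinfo`, and the connection would be made to the returned pinned IP rather than to the hostname.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this service is permitted to fetch from (constructed example allowlist).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Private, loopback, link-local (incl. the 169.254.169.254 metadata endpoint),
# shared-address and unspecified ranges that an outbound fetch must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address lies in a range outbound requests must not reach."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so it is checked as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolve):
    """Return (ok, reason, pinned_ip).

    `resolve(host)` returns the list of IP strings the host resolves to; it is
    injected (assumed helper) so the check runs offline in tests.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = parts.hostname
    if host is None:
        return False, "missing host", None
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist", None
    addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve", None
    # Every resolved address must be public; one private A record is enough
    # to turn an allowlisted name into a path to an internal service.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}", None
    # Caller connects to pinned_ip, not the hostname, so a second DNS lookup
    # cannot swap in a private address after this check (DNS rebinding).
    return True, "ok", addrs[0]
```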


Why it matters for your website

  • Listed in the OWASP Top 10 — one of the most critical web risks
  • Can lead to data exfiltration, account takeover, or full system compromise
  • Required to fix before passing security reviews for enterprise customers
