https://www.secdev.uk/blog/tags/server-side-request-forgery/ Recent content in Server-Side Request Forgery on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 07 Jun 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-06-07-ssrf/ Sat, 07 Jun 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-06-07-ssrf/ <p>Server-Side Request Forgery is one of those vulnerability classes that I&rsquo;ve grown to respect more and more the deeper I dig into it. The idea is simple, you trick a server into making HTTP requests to destinations you choose, turning it into your personal proxy. It can reach internal services, cloud metadata endpoints, and private networks that you&rsquo;d never touch directly from the outside. OWASP gave SSRF its own category (A10) in 2021, and reading through the rationale, it was overdue. The case studies are striking, a single SSRF against <code>http://169.254.169.254/</code> on AWS can leak IAM credentials and compromise an entire account. In this post, I&rsquo;ll walk through Python, Java, Go, and JavaScript examples, from the textbook URL-in-a-parameter to the subtle redirect-chain and DNS rebinding variants that make SSRF so hard to defend against.</p>