SSRF Exposed: How a Simple Bug Can Lead to a Major Breach


Server-Side Request Forgery (SSRF), a part of the OWASP Top 10, is a web security vulnerability that allows an attacker to trick a server into making unintended requests.

Unlike typical attacks that target users or databases, SSRF exploits how a server communicates with internal systems, often bypassing security measures such as firewalls and access controls.

The Risks of SSRF Attacks

SSRF attacks can lead to major security breaches, including:

  • Data Theft: Attackers can steal API keys, database credentials, and access sensitive system information.
  • Network Reconnaissance: SSRF can be used to scan internal networks and find exploitable services.
  • Privilege Escalation: When combined with misconfigurations, SSRF can enable attackers to execute arbitrary commands on the server.

SSRF Example

Imagine a website that allows users to preview a webpage by submitting a URL, like this:

https://example.com/preview?url=https://news.com/article123

The server behind this feature fetches the URL content on behalf of the user and shows a preview.

Now here’s where SSRF can happen: what if an attacker changes the URL parameter?

https://example.com/preview?url=http://localhost/admin

Instead of fetching an external site, the server requests an internal resource that might only be accessible from inside the network.

If the server has access to localhost, the attacker could see internal admin pages, configuration files, or even internal APIs that were never meant to be exposed to the public.

Other SSRF Techniques

The table below highlights different ways SSRF can be exploited and their impacts:

Attack Scenario How It Works Impact Example Payload
Request Forgery to APIs Manipulates server-side API requests to perform unauthorized actions. Allows privilege escalation and unauthorized data access https://example.com/fetch?url=http://internal-api.example.com/deleteUser?id=1
Internal Service Scanning Probes internal services by making requests on behalf of the server. Maps internal infrastructure and finds open ports/services https://example.com/fetch?url=http://192.168.1.100:22/
Bypassing Firewall Rules Uses the server as a proxy to reach restricted areas. Grants access to restricted admin panels and backend systems https://example.com/fetch?url=http://localhost/admin
Accessing Cloud Metadata Requests cloud service metadata to extract credentials. Exposes sensitive cloud configuration and credentials https://example.com/fetch?url=http://169.254.169.254/latest/meta-data/

How Radware Protects Against SSRF

Radware’s SSRF protection is implemented with a dual-layer security approach to provide comprehensive protection against SSRF threats:

Layer 1: Redirection Protection — Positive Security

Most SSRF attacks rely on tricking the server into fetching a malicious or internal resource via a user-controlled URL -sometimes using clever redirects.

Radware enforces strict allowlists of trusted domains and URIs, meaning:

  • Any user-supplied URL is validated against a predefined trusted list.
  • Redirects to unauthorized destinations are blocked - even if the initial URL appears safe.

Layer 2: WAF Signature-Based Detection — Negative Security

Some SSRF attacks rely on obfuscation techniques such as URL encoding, IP manipulation (e.g., http://2130706433:80/ representing localhost), DNS rebinding, or use of uncommon ports and protocols. These tricks are designed to evade simple filters and bypass basic security checks.

What Radware’s WAF Provides:

  • Signature-Based Detection: Leverages a comprehensive library of known SSRF attack patterns to identify and block both common and emerging threats in real time.
  • Payload Normalization and Decoding: Automatically decodes and de-obfuscates suspicious requests - including hexadecimal IPs, encoded characters, nested redirects, and malformed URLs - allowing the WAF to analyze the true intent of the payload.
  • Evasion Technique Mitigation: Detects and blocks advanced SSRF techniques such as:
    • IP literal conversion (e.g., 2130706433 → 127.0.0.1)
    • URL-encoded SSRF payloads
    • Use of internal hostnames or cloud metadata endpoints
    • Alternate HTTP schemes (like gopher://, file://, or ftp://)
    • These deep inspection features help catch even well-hidden SSRF attacks — offering much stronger protection than simple pattern matching or basic allowlists.

Enabling SSRF Protection with Radware

Activating SSRF protection with Radware is both simple and powerful — designed to deliver immediate value without complex configurations. In just a few clicks, security teams can enforce domain-level redirection controls and activate advanced WAF signatures for real-time detection of SSRF attempts.

Redirection Protection:

  1. In the chosen asset go to the Advanced section.
  2. Change Redirect Validation status to either Report Only or Block and Report.
  3. Add trusted domain/URI.
  4. Save configuration.

Signature based Protection:

  1. In the chosen asset go to the Security section.
  2. Change Signature based Protection status to Block and Report.

As you can see, in just a few clicks these best practices, organizations can significantly reduce protected application exposure to SSRF attacks and enhance their security posture.

Conclusion

SSRF is an evolving and highly exploitable threat that cannot be fully mitigated through code changes alone.

To effectively reduce the risk, organizations must adopt a multi-layered defense strategy backed by expert application security services like Radware’s:

  • Advanced URL Validation and Allowlisting: We help implement strict outbound request controls, ensuring that only trusted and pre-approved destinations can be reached - preventing attackers from abusing your infrastructure.
  • Real-Time Web Application and API Protection (WAAP): Our robust WAF technologies detect and block SSRF attempts in real time, even when attackers use obfuscation, encoding, or non-standard techniques to bypass traditional filters

By leveraging our expertise and integrated security solutions, you gain the protection, visibility, and proactive defense needed to stay ahead of SSRF threats - without placing the entire burden on your developers. Let us help you secure your applications the right way.

David Netanel Mashiah

David Netanel Mashiah

Technical Product Manager at Radware Cloud with a rich background as a CISO, CTO, Security Researcher and WAAP Trusted technical Advisor. Since 2015, David has led web application security projects and maintenance cycles for banks, government offices, and telecommunications. He has collaborated closely with CISOs, SecOps and R&D to shape innovative defense strategies, benchmark WAAP capabilities, and analyze the organization's security status. David brings hands-on expertise with a CISO high-level vision for a holistic approach that integrates into a persona that sees a solution end-to-end.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia