Server-Side Request Forgery (SSRF), a part of the OWASP Top 10, is a web security vulnerability that allows an attacker to trick a server into making unintended requests.
Unlike typical attacks that target users or databases, SSRF exploits how a server communicates with internal systems, often bypassing security measures such as firewalls and access controls.
The Risks of SSRF Attacks
SSRF attacks can lead to major security breaches, including:
- Data Theft: Attackers can steal API keys, database credentials, and access sensitive system information.
- Network Reconnaissance: SSRF can be used to scan internal networks and find exploitable services.
- Privilege Escalation: When combined with misconfigurations, SSRF can enable attackers to execute arbitrary commands on the server.
SSRF Example
Imagine a website that allows users to preview a webpage by submitting a URL, like this:
https://example.com/preview?url=https://news.com/article123
The server behind this feature fetches the URL content on behalf of the user and shows a preview.
Now here’s where SSRF can happen: what if an attacker changes the URL parameter?
https://example.com/preview?url=http://localhost/admin
Instead of fetching an external site, the server requests an internal resource that might only be accessible from inside the network.
If the server has access to localhost, the attacker could see internal admin pages, configuration files, or even internal APIs that were never meant to be exposed to the public.
Other SSRF Techniques
The table below highlights different ways SSRF can be exploited and their impacts:
Attack Scenario |
How It Works |
Impact |
Example Payload |
Request Forgery to APIs |
Manipulates server-side API requests to perform unauthorized actions. |
Allows privilege escalation and unauthorized data access |
https://example.com/fetch?url=http://internal-api.example.com/deleteUser?id=1 |
Internal Service Scanning |
Probes internal services by making requests on behalf of the server. |
Maps internal infrastructure and finds open ports/services |
https://example.com/fetch?url=http://192.168.1.100:22/ |
Bypassing Firewall Rules |
Uses the server as a proxy to reach restricted areas. |
Grants access to restricted admin panels and backend systems |
https://example.com/fetch?url=http://localhost/admin |
Accessing Cloud Metadata |
Requests cloud service metadata to extract credentials. |
Exposes sensitive cloud configuration and credentials |
https://example.com/fetch?url=http://169.254.169.254/latest/meta-data/ |
How Radware Protects Against SSRF
Radware’s SSRF protection is implemented with a dual-layer security approach to provide comprehensive protection against SSRF threats:
Layer 1: Redirection Protection — Positive Security
Most SSRF attacks rely on tricking the server into fetching a malicious or internal resource via a user-controlled URL -sometimes using clever redirects.
Radware enforces strict allowlists of trusted domains and URIs, meaning:
- Any user-supplied URL is validated against a predefined trusted list.
- Redirects to unauthorized destinations are blocked - even if the initial URL appears safe.
Layer 2: WAF Signature-Based Detection — Negative Security
Some SSRF attacks rely on obfuscation techniques such as URL encoding, IP manipulation (e.g., http://2130706433:80/ representing localhost), DNS rebinding, or use of uncommon ports and protocols. These tricks are designed to evade simple filters and bypass basic security checks.
What Radware’s WAF Provides:
- Signature-Based Detection: Leverages a comprehensive library of known SSRF attack patterns to identify and block both common and emerging threats in real time.
- Payload Normalization and Decoding: Automatically decodes and de-obfuscates suspicious requests - including hexadecimal IPs, encoded characters, nested redirects, and malformed URLs - allowing the WAF to analyze the true intent of the payload.
- Evasion Technique Mitigation: Detects and blocks advanced SSRF techniques such as:
- IP literal conversion (e.g., 2130706433 → 127.0.0.1)
- URL-encoded SSRF payloads
- Use of internal hostnames or cloud metadata endpoints
- Alternate HTTP schemes (like gopher://, file://, or ftp://)
- These deep inspection features help catch even well-hidden SSRF attacks — offering much stronger protection than simple pattern matching or basic allowlists.
Enabling SSRF Protection with Radware
Activating SSRF protection with Radware is both simple and powerful — designed to deliver immediate value without complex configurations. In just a few clicks, security teams can enforce domain-level redirection controls and activate advanced WAF signatures for real-time detection of SSRF attempts.
Redirection Protection:
- In the chosen asset go to the Advanced section.
- Change Redirect Validation status to either Report Only or Block and Report.
- Add trusted domain/URI.
- Save configuration.
Signature based Protection:
- In the chosen asset go to the Security section.
- Change Signature based Protection status to Block and Report.
As you can see, in just a few clicks these best practices, organizations can significantly reduce protected application exposure to SSRF attacks and enhance their security posture.
Conclusion
SSRF is an evolving and highly exploitable threat that cannot be fully mitigated through code changes alone.
To effectively reduce the risk, organizations must adopt a multi-layered defense strategy backed by expert application security services like Radware’s:
- Advanced URL Validation and Allowlisting: We help implement strict outbound request controls, ensuring that only trusted and pre-approved destinations can be reached - preventing attackers from abusing your infrastructure.
- Real-Time Web Application and API Protection (WAAP): Our robust WAF technologies detect and block SSRF attempts in real time, even when attackers use obfuscation, encoding, or non-standard techniques to bypass traditional filters
By leveraging our expertise and integrated security solutions, you gain the protection, visibility, and proactive defense needed to stay ahead of SSRF threats - without placing the entire burden on your developers. Let us help you secure your applications the right way.