Introduction to API7:2023 Server Side Request Forgery
Server Side Request Forgery (SSRF) occurs when an API allows a client to supply a URL or network location, and the server uses it to make a request without properly validating it. Attackers exploit this to make the server send requests to internal systems, cloud metadata endpoints, or other protected resources. This can lead to information disclosure, port scanning, or even remote code execution. APIs that fetch URLs, import data, or integrate with external systems are especially at risk. To prevent SSRF, validate and restrict destination URLs, avoid using user input directly in requests, and use allow-lists.
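The vulnerable pattern beside a hardened one, as an added example (not code from the OWASP page): a fetch endpoint that passes the client URL straight to the HTTP client, and a validator that restricts scheme, rejects embedded credentials, enforces a host allow-list and checks the resolved address so link-local metadata and private ranges are refused. The allow-listed host names and the FAKE_DNS answers are constructed assumptions so the checks run offline.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Constructed allow-list (assumption): the only upstream hosts this API may fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS answers so the checks run offline; production uses resolve_host().
FAKE_DNS = {"api.partner.example": {"93.184.216.34"}, "cdn.example": {"10.0.0.5"}}


def fetch_unsafe(client_url):
    """Vulnerable pattern: the client-supplied URL reaches the HTTP client untouched."""
    return urllib.request.urlopen(client_url).read()  # SSRF: any scheme, any host

def resolve_host(host):
    """Resolve a hostname to the set of addresses it maps to (live DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(ip_str):
    """False for loopback, RFC 1918, link-local (cloud metadata), reserved, multicast."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_fetch_url(client_url, resolver=resolve_host):
    """Return (allowed, reason); `resolver` is injectable for offline checks."""
    parsed = urlparse(client_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    if parsed.username or parsed.password:  # "allowed.host@other.host" style URLs
        return False, "credentials in URL not allowed"
    host = parsed.hostname
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list: %r" % host
    # The name alone is not enough: a record under an allowed name could still
    # point at a private or metadata address, so check what it resolves to.
    for ip in resolver(host):
        if not is_public_ip(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"

def fetch_safe(client_url, resolver=resolve_host):
    """Hardened pattern: validate first, then fetch; redirects would need re-validation."""
    allowed, reason = validate_fetch_url(client_url, resolver)
    if not allowed:
        raise ValueError(reason)
    return urllib.request.urlopen(client_url).read()
```

A real deployment should also disable or re-validate HTTP redirects and run the fetch from a network segment that cannot reach internal services, since the URL check alone does not cover either.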