Input Validation / Server-Side Request Forgery

Web and API | CWE Top 25 (2022)


Server-Side Request Forgery (SSRF) is an input validation vulnerability that occurs when an attacker can control the destination of a request that a server-side application makes on their behalf, and so reach resources the attacker was never meant to reach, such as internal services, cloud metadata endpoints and local files. The weakness is catalogued as CWE-918 and appears in the CWE Top 25 (2022); in the OWASP Top 10 (2021) it has its own category, A10:2021 Server-Side Request Forgery, and the OWASP Web Security Testing Guide covers it under input validation testing. SSRF is a serious risk because the vulnerable server typically sits inside the perimeter, so its outbound requests carry network position and often credentials that an external attacker does not have.


The impact depends on what the server can reach. Common outcomes are reading cloud instance metadata (the 169.254.169.254 service on most cloud providers, which can hand out temporary credentials), calling internal admin or management interfaces that assume only trusted callers can reach them, port-scanning the internal network by observing response times and error messages, and, where the URL library accepts non-HTTP schemes, reading local files. Even "blind" SSRF, where the attacker never sees the response, can be used to trigger state-changing requests on internal systems or to generate traffic against third parties.


SSRF is mitigated by validating the destination, not the caller: the server must decide, before opening any connection, whether the host the user named is one it is willing to talk to. In practice this means restricting the scheme to http or https, checking the hostname against an allowlist of known destinations (a denylist of internal addresses is easy to bypass with alternative encodings and DNS tricks), resolving the name and rejecting any address that falls in loopback, private, link-local or other non-public ranges, and disabling automatic redirects so an allowed host cannot bounce the request to an internal one. Where possible, route outbound requests through an egress proxy with its own destination filtering, so that a validation bug in one application does not become a network-wide problem. The application should also reject requests with malformed or unexpected parameters rather than trying to "clean" them.


The following is an example of vulnerable Java code that passes user input straight to the URL library and is therefore open to SSRF:

// Fragment from a servlet handler; it needs java.io.InputStream and java.net.URL.
import java.io.InputStream;
import java.net.URL;

String urlString = request.getParameter("url");  // attacker-controlled value
URL url = new URL(urlString);                    // accepts http, https, file, ftp, jar ...
InputStream input = url.openStream();            // the server fetches whatever was supplied
// Process the response from the URL.

In this example the code never checks the scheme, host or resolved address, so an attacker can supply a URL such as http://169.254.169.254/ or http://localhost:8080/admin and have the server fetch it; because java.net.URL also registers handlers for file: and other schemes, a value like file:///etc/passwd may read from the server's own filesystem.
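A hardened counterpart to the snippet above, added here as an illustration rather than taken from the original page, implements the controls described in the mitigation paragraph: scheme restriction, a destination allowlist, a check of every resolved address against non-public ranges, and redirects switched off. The class name, the allowlisted hostnames and the timeouts are assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

public class SafeFetcher {

    // Destination allowlist: the only hosts this service will fetch on a user's behalf.
    // Hypothetical names for the example; in a real deployment this comes from configuration.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("images.example.com", "cdn.example.com");

    // Validate a user-supplied URL before any connection is opened.
    // Returns the parsed URI or throws IllegalArgumentException with the reason.
    public static URI validateTarget(String userInput) {
        if (userInput == null) {
            throw new IllegalArgumentException("missing url parameter");
        }
        URI uri;
        try {
            uri = new URI(userInput).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }

        // 1. Scheme: only plain HTTP(S); this alone removes file:, jar:, ftp: and friends.
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }

        // 2. No embedded credentials: "http://cdn.example.com@evil.example/" is parsed with
        //    host evil.example, and userinfo is a classic way to confuse weaker validators.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }

        // 3. Host must be on the allowlist (exact match, case-insensitive).
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }

        // 4. Only the standard ports, so an allowed name cannot be used to probe other services.
        int port = uri.getPort();
        if (port != -1 && port != 80 && port != 443) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }

        // 5. Defence in depth: even an allowlisted name must not resolve to a non-public address.
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                byte[] raw = addr.getAddress();
                // Java's isSiteLocalAddress() covers 10/8, 172.16/12, 192.168/16 and fec0::/10,
                // but not IPv6 unique local addresses (fc00::/7), so check those explicitly.
                boolean ipv6Ula = raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress()   // includes 169.254.169.254 (cloud metadata)
                        || addr.isAnyLocalAddress() || addr.isMulticastAddress() || ipv6Ula) {
                    throw new IllegalArgumentException(
                            "host resolves to a non-public address: " + addr.getHostAddress());
                }
            }
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve: " + host);
        }
        return uri;
    }

    // Fetch a validated URL without following redirects and with bounded timeouts.
    public static InputStream fetch(String userInput) throws IOException {
        URI target = validateTarget(userInput);
        HttpURLConnection conn = (HttpURLConnection) target.toURL().openConnection();
        // A 302 from an allowed host could otherwise send the server to an internal address.
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3_000);  // assumed values
        conn.setReadTimeout(5_000);
        int status = conn.getResponseCode();
        if (status / 100 != 2) {
            throw new IOException("unexpected status " + status + " from " + target.getHost());
        }
        return conn.getInputStream();
    }
}
```

The allowlist is the primary control; the address check exists so that a compromised or mis-pointed DNS record for an allowed name cannot turn the service into an internal proxy. Note that it does not fully close DNS rebinding: openConnection() resolves the name again, so a record that changes between the check and the connect can still slip through. To close that gap, pin the resolved address (connect to the IP and set the Host header yourself) or send all outbound traffic through an egress proxy that applies the same destination rules. Shared address space (100.64.0.0/10) is not flagged by any of Java's built-in predicates; add an explicit range check if it matters in your environment.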
