• Contrast Security
  • Book a Demo

What is a Server-Side Request Forgery?

In JavaScript



Server-Side Request Forgery (SSRF) vulnerabilities enable an attacker to trick the targeted application or application programming interface (API) into sending a crafted request to an unexpected destination—turning a vulnerable application into a sort of attack relay that gives an attacker access to internal systems.

SSRF requires two conditions:

1. The application performs requests to the server or localhost

2. The attacker controls the server or localhost through the external app/user input


Since the attacker controls the URL, they can trick the application into invoking internal URLs. This may lead to internal resource enumeration, abuse of internal-only APIs, or the exfiltration of local system resources using the file:// protocol.

Attackers can control a portion of the URL which the server makes a HTTP request to. If this portion is part of the hostname, attackers may be able to control where a HTTP request is sent as well.

Depending on network configurations, this could be an HTTP request to external, internal, localhost, or local files using the file:// method (if the attacker can control that portion of the URL).

Attackers could also use this vulnerability to enumerate and interact with internal servers or localhost, both of which would typically be unreachable to an attacker.

Additionally, attackers could use this vulnerability to make a server reach out to an attacker-controlled server to reveal any data or secrets contained within the HTTP request that is not intended to be seen by a non-user.


How to fix

Where possible, do not accept user input to have full control of a URL that is requested by a server. Applications could provide users a list of options to select from, rather than a free-form text field.

If user control of the URL is required, verify the URL to-be-requested is acceptable. For example, use an allow-list to limit what domains, IPs, methods, or paths can be requested. Additionally, a deny-list could be used to exclude localhost, private network ranges, or etc.



You’ve learned what SSRF is and how to protect your systems from it. We hope you will apply your new knowledge wisely as you code! Feel free to share this with your network. Also, make sure to check out our lessons on other common vulnerabilities.

Want to make a revision on this learning module?  Click here to create a pull request!


Featured in:

BLOG: SSRF Detection With IAST

BLOG: CodeSec: Find this vulnerability straight from your CLI

Up Next!

Cross Site Scripting (XSS)

New Icon

Cross Site Scripting (XSS)

Learn about Cross Site Scripting (XSS) and how it affects your Java source code


New Icon


Learn what Log4Shell is and how you can protect your code from this zero-day vulnerability


Client Side Injection

New Icon

Client Side Injection

Learn about Client Side Injection and how it can affect your source code


SQL Injection - Java

New Icon

SQL injection

Learn about SQL injection and how it affects your Java source code