Server-Side Request Forgery (SSRF)
An attack where a server is tricked into making a request (usually HTTP) to an internal or otherwise unexpected destination on behalf of an attacker.
In detail
Server-Side Request Forgery (SSRF) happens when an application takes a user-supplied URL (or hostname) and fetches it server-side without strict validation. Because the request originates from the server, it carries the server's network position and often its trust: the attacker uses the server as a proxy to reach internal services, cloud instance-metadata endpoints (169.254.169.254 on AWS, which can hand out the instance role's IAM credentials), private IP ranges, and anything else that is unreachable from the internet but reachable from the server. Variants include SSRF via redirect, where the initial URL is benign but the server follows a 3xx to an internal target, and DNS rebinding, where the hostname resolves to a public address when it is validated and to an internal one when the connection is made. Mitigations include allowlisting destination hosts where the feature permits it, accepting only http and https, blocking loopback, link-local and private ranges, resolving the hostname, checking every returned address and then connecting to that validated address rather than to the name (otherwise the check is a time-of-check/time-of-use gap that rebinding exploits), and either not following redirects or re-running the same validation on each hop. Validate the resolved IP, not the URL string, since 127.0.0.1 can also be written as 2130706433, 0x7f000001 or ::ffff:127.0.0.1. On AWS, requiring IMDSv2 adds a further defence: the session token must be obtained with a PUT, which a GET-only SSRF cannot issue.
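As an added example (not code from this page, nor from any client engagement it describes), here is a small Python SSRF guard that applies the mitigations above: a scheme allowlist, rejection of userinfo in the URL, resolution of the hostname with every returned address checked against non-public ranges, and a fetch that connects to the validated address rather than the name and refuses to follow redirects. The names validate_url, PinnedTarget, fetch_pinned and DEMO_DNS, and the hosts in the constructed DNS table, are this example's own.

```python
"""SSRF guard: validate a user-supplied URL, then fetch it with the socket pinned
to the address that passed validation (example code, not a library API)."""
from __future__ import annotations
import http.client
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(Exception):
    """Raised when a URL fails validation; the message says why."""


@dataclass(frozen=True)
class PinnedTarget:
    scheme: str
    host: str   # original hostname: used for the Host header, SNI and certificate check
    ip: str     # validated address the socket actually connects to
    port: int
    path: str


def resolve_host(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer for the name (IP literals need no network)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable addresses. is_global rejects loopback, link-local
    (169.254.0.0/16 covers the cloud metadata endpoint), RFC 1918, ULA, multicast,
    unspecified and reserved ranges."""
    if isinstance(ip, ipaddress.IPv6Address):
        # Unwrap IPv4-mapped (::ffff:127.0.0.1) and 6to4 forms so the embedded v4 is judged.
        inner = ip.ipv4_mapped or ip.sixtofour
        if inner is not None:
            return is_public_ip(inner)
    return ip.is_global


def validate_url(url: str, resolver=resolve_host, allowed_hosts: set[str] | None = None) -> PinnedTarget:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme {scheme!r} not allowed")
    if parts.username or parts.password:
        raise SSRFBlocked("userinfo not allowed")  # blocks http://trusted.host@evil.host tricks
    host = parts.hostname  # already lowercased and stripped of brackets by urlsplit
    if not host:
        raise SSRFBlocked("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SSRFBlocked(f"host {host!r} not on allowlist")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as e:
        raise SSRFBlocked("invalid port") from e
    # Judge the resolved addresses, not the string: this catches decimal/hex/IPv6 spellings
    # of loopback and names that point into internal space. Every answer must pass,
    # because a client may connect to any of them.
    addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host!r} did not resolve")
    for addr in addrs:
        try:
            ok = is_public_ip(ipaddress.ip_address(addr))
        except ValueError:
            ok = False
        if not ok:
            raise SSRFBlocked(f"{host!r} resolves to non-public address {addr}")
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return PinnedTarget(scheme, host, addrs[0], port, path)


def fetch_pinned(target: PinnedTarget, timeout: float = 5.0, max_bytes: int = 1_000_000) -> tuple[int, bytes]:
    """Connect to the validated IP, not the hostname, so a DNS answer that changes between
    check and use (rebinding) cannot move the connection. Redirects are refused."""
    sock = socket.create_connection((target.ip, target.port), timeout=timeout)
    if target.scheme == "https":
        # TLS still verifies the certificate against the original hostname.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=target.host)
    conn = http.client.HTTPConnection(target.host, target.port, timeout=timeout)
    conn.sock = sock  # http.client sends on this socket and does not reconnect by name
    try:
        conn.request("GET", target.path)  # Host header is built from target.host
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            # A redirect is the classic way past a check on the first URL. If the feature
            # needs redirects, run validate_url on the Location value and loop with a cap.
            raise SSRFBlocked(f"redirect to {resp.getheader('Location')!r} not followed")
        return resp.status, resp.read(max_bytes)
    finally:
        conn.close()


# Constructed DNS table for the offline demo (hypothetical names and answers). Names not in
# the table fall through to the real resolver, which answers IP literals without network.
DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],                   # public answer
    "metadata.internal": ["169.254.169.254"],               # the AWS metadata endpoint
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # split answer: one public, one private
    "mapped.attacker.test": ["::ffff:127.0.0.1"],           # IPv4-mapped loopback
}


def demo_resolver(host: str) -> list[str]:
    return DEMO_DNS.get(host) or resolve_host(host)


def is_blocked(url: str, resolver=demo_resolver, allowed_hosts: set[str] | None = None) -> bool:
    try:
        validate_url(url, resolver=resolver, allowed_hosts=allowed_hosts)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    for url in ["https://api.example.com/v1/preview?u=1", "http://metadata.internal/latest/meta-data/",
                "http://169.254.169.254/latest/meta-data/", "http://rebind.attacker.test/",
                "http://mapped.attacker.test/", "file:///etc/passwd", "http://user@api.example.com/"]:
        try:
            t = validate_url(url, resolver=demo_resolver)
            print(f"ALLOW {url} -> {t.ip}:{t.port}{t.path}")
        except SSRFBlocked as e:
            print(f"BLOCK {url}: {e}")
```

The guard deliberately uses the standard library so the pinning is visible: a production service would more likely use an HTTP client that supports custom address resolution, but whichever library is used, the property to preserve is the same one shown in fetch_pinned, the socket connects to the address that was checked.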
Why it matters for Australian business
SSRF is one of the most common vulnerabilities we find in vibe-coded Australian apps that take a user URL as input (link previews, web scrapers, AI tools that browse). Fix it before launch. We use a hardened SSRF guard module on every URL-fetching endpoint and audit clients' code for the same pattern.