Quiz Entry - updated: 2026.07.05
What is A10 Server-Side Request Forgery (SSRF)?
The attacker tricks the server into making requests on their behalf, reaching internal systems the attacker can't touch directly — e.g. forcing it to fetch the cloud metadata URL 169.254.169.254 to steal credentials.

* The common SSRF flow — the server is tricked into fetching an attacker-chosen destination from inside the trusted network. — OWASP, CC BY-SA 4.0, via Wikimedia Commons. *
SSRF occurs when an attacker can make the server send requests to unintended destinations. The server is trusted inside the network perimeter, so its requests bypass the firewall the attacker is stuck behind.
Attack scenario:
- Attacker sends URL to vulnerable web application
- Server fetches the URL on attacker's behalf
- Server can access internal systems behind firewall:
- Internal APIs
- Databases
- Cloud metadata services (169.254.169.254)
- 3rd party systems
Impact:
- Access to internal network resources
- Cloud credential theft (AWS/GCP metadata)
- Port scanning of internal network
See: OWASP SSRF Prevention Cheat Sheet
Go deeper:
OWASP Top 10 — A10: SSRF — canonical category page.
PortSwigger — SSRF — exploitation, blind SSRF, filter-bypass, with labs.
Server-side request forgery (Wikipedia) — the common-flow diagram plus the Capital One (2019) and Exchange (2021) real-world breaches.