LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is A10 Server-Side Request Forgery (SSRF)?

The attacker tricks the server into making requests on their behalf, reaching internal systems the attacker can't touch directly — e.g. forcing it to fetch the cloud metadata URL 169.254.169.254 to steal credentials.

An attacker sends a crafted URL; the vulnerable server makes the request to an internal trusted service on the attacker's behalf.

* The common SSRF flow — the server is tricked into fetching an attacker-chosen destination from inside the trusted network. — OWASP, CC BY-SA 4.0, via Wikimedia Commons. *

SSRF occurs when an attacker can make the server send requests to unintended destinations. The server is trusted inside the network perimeter, so its requests bypass the firewall the attacker is stuck behind.

Attack scenario:

  1. Attacker sends URL to vulnerable web application
  2. Server fetches the URL on attacker's behalf
  3. Server can access internal systems behind firewall:
    • Internal APIs
    • Databases
    • Cloud metadata services (169.254.169.254)
    • 3rd party systems

Impact:

  • Access to internal network resources
  • Cloud credential theft (AWS/GCP metadata)
  • Port scanning of internal network

See: OWASP SSRF Prevention Cheat Sheet

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026