23 June 2026·9 min read·technology

SSRF: How Attackers Pivot Into Your Cloud Infrastructure

SSRF lets attackers steal live AWS IAM credentials via 169.254.169.254. Learn how it works, the Capital One breach pattern, and how to prevent it.

Bachao.AI Research Team

Cybersecurity Research

Find out if you're exposed to this class of threat

Free scan · No credit card required

Scan Your Attack Surface

Security exposure this creates

Unpatched vulnerabilities in your tech stack are the #1 entry point for breaches targeting Indian businesses. Here's what to watch.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

Server-Side Request Forgery (SSRF) is a critical web vulnerability where an attacker tricks your server into making HTTP requests to unintended destinations — internal services, admin panels, or cloud metadata endpoints that should never be reachable from the internet. It sits in the OWASP Top 10 because a single unvalidated URL parameter can hand an attacker the keys to your entire AWS or GCP environment. For Indian development teams deploying on cloud infrastructure, SSRF is not theoretical — it is the exact attack class behind some of the largest cloud breaches ever documented.

A10SSRF ranked standalone in OWASP Top 10 2021 for the first time (OWASP 2021)

A growing shareCloud-deployed web apps exposed to metadata endpoint abuse via SSRF (OWASP 2021)

What Is SSRF and Why Does It Happen

When your backend fetches a URL on behalf of a user — a webhook validator, a link preview generator, a PDF renderer, an image import feature, an API proxy — and that URL comes from user input without strict validation, you have a potential SSRF surface.

The server makes the request using its own network identity and IAM role. From the internal network's perspective, the request arrives from a trusted internal IP. Firewalls that block external attackers do nothing here — the attacker is riding inside your own server.

Consider a typical vulnerable pattern:

python

# VULNERABLE — never do this
import requests

def fetch_preview(url):
    response = requests.get(url)  # url comes directly from user input
    return response.text

The attacker submits url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ and your server dutifully fetches the AWS EC2 instance metadata, returning live IAM credentials.

The SSRF Attack Flow

graph TD
    A[Attacker submits crafted URL] --> B[App server makes HTTP request]
    B --> C{Target resolved}
    C --> D[Internal service
192.168.x.x / localhost]
    C --> E[Cloud metadata
169.254.169.254]
    C --> F[Other cloud tenants
10.x.x.x]
    D --> G[Admin panel / DB port / Redis]
    E --> H[IAM credentials / token]
    F --> I[Cross-tenant data access]
    G --> J[Lateral movement]
    H --> J
    I --> J
    J --> K[Full cloud account takeover]

    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style B fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style K fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0

Not all SSRF looks the same. Understanding the two variants determines how attackers probe and how you detect them.

Basic (in-band) SSRF returns the response directly to the attacker. The vulnerability in the Python snippet above is basic SSRF — the attacker can read the full response body, including AWS credentials, internal API payloads, or database query results.

Blind (out-of-band) SSRF does not return the response to the attacker's browser. Instead, the attacker infers success through:

DNS lookups — they point the URL at a domain they control (e.g., via Burp Collaborator or interactsh) and detect whether the server resolves it
Timing differences — a request to http://169.254.169.254/ that times out vs. one to a real host that responds in 50ms
Secondary side effects — a request that triggers an internal email, a webhook, or a log entry

Blind SSRF is harder to exploit immediately, but attackers use it to map your internal network and confirm which ports are open before escalating to a more targeted attack.

🚨

DANGER

The 169.254.169.254 address is the AWS/GCP/Azure link-local metadata endpoint. Every EC2, GCE, and Azure VM can reach it. If your app server can fetch arbitrary URLs, an attacker can exfiltrate live IAM tokens, SSH keys, and instance identity documents — no authentication required.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

The Capital One Breach Pattern

In 2019, a misconfigured WAF allowed an attacker to exploit an SSRF vulnerability to query the AWS metadata endpoint (169.254.169.254). The returned IAM credentials had overly broad S3 permissions. The attacker exfiltrated over 100 million customer records from S3 buckets.

The core pattern repeats across cloud breaches:

SSRF reaches the metadata endpoint
Metadata returns temporary IAM credentials (AccessKeyId, SecretAccessKey, Token)
Attacker calls AWS APIs directly from their machine using those credentials
Broad IAM permissions allow S3 ListBuckets → GetObject → mass data exfiltration

Indian SaaS companies on AWS, GCP, or Azure face identical risk if their applications accept user-controlled URLs. The DPDP Act 2023 makes this doubly critical — a breach of this scale triggers mandatory notification obligations and potential regulatory action.

SSRF Targets Beyond Cloud Metadata

Metadata endpoints get the headlines, but SSRF gives attackers access to anything reachable from your server's network:

Target	Example endpoint	What attackers gain
Cloud metadata (AWS)	`http://169.254.169.254/latest/meta-data/`	IAM credentials, instance role, SSH keys
Cloud metadata (GCP)	`http://metadata.google.internal/computeMetadata/v1/`	Service account tokens
Internal admin panels	`http://localhost:8080/admin`	App admin access without auth
Internal databases	`http://localhost:6379` (Redis)	Cache data, session tokens
Internal microservices	`http://10.0.1.45:8001/internal-api`	Service-to-service APIs bypassing auth
IMDSv2 token endpoint	`http://169.254.169.254/latest/api/token`	Session token required for IMDSv2 credential fetch
CI/CD agents	`http://localhost:8090/`	Build secrets, deploy keys

⚠️

WARNING

Link-local addresses (169.254.0.0/16), loopback (127.0.0.1, ::1), and RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) must all be blocked at the egress validation layer. Attackers use decimal encoding, IPv6 notation, and DNS aliases to bypass naive blocklists — an allowlist is safer than a denylist.

Prevention Layers for Indian Dev Teams

The SSRF prevention stack is not a single control. It is defence in depth across multiple layers. Here is the full control set ranked by effectiveness:

pie title SSRF Defence Layer Distribution
    "Egress Allowlist" : 30
    "IMDSv2 Enforcement" : 20
    "Network Segmentation" : 20
    "URL Validation and Re-resolve" : 15
    "WAF SSRF Rules" : 10
    "Logging and Alerting" : 5

1. Enforce IMDSv2 on Every EC2 Instance

AWS Instance Metadata Service v2 (IMDSv2) requires a PUT request with a TTL header before issuing a session token. A simple GET to 169.254.169.254 returns nothing. Enable it at launch or via instance modification:

bash

# Enforce IMDSv2 on a running instance
aws ec2 modify-instance-metadata-options \
  --instance-id i-0abc123 \
  --http-tokens required \
  --http-put-response-hop-limit 1

Set --http-put-response-hop-limit 1 so the token cannot be relayed through a container boundary. This single control eliminates the Capital One attack class on AWS.

2. Validate and Re-resolve URLs After DNS Resolution

A blocklist on the URL string is not sufficient. Attackers use DNS rebinding (the domain resolves to a public IP for the first lookup, then rebinds to 169.254.169.254 for the server's actual fetch). The correct pattern: resolve the hostname to an IP, validate the IP against your blocklist, then make the HTTP request to that resolved IP — not the original hostname.

python

# SECURE pattern — resolve first, validate IP, then fetch
import socket
import ipaddress
import requests

BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),   # link-local / metadata
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("10.0.0.0/8"),        # RFC-1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC-1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC-1918
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]

def is_safe_url(url: str) -> bool:
    from urllib.parse import urlparse
    hostname = urlparse(url).hostname
    try:
        resolved_ip = socket.gethostbyname(hostname)
        ip_obj = ipaddress.ip_address(resolved_ip)
        for net in BLOCKED_NETWORKS:
            if ip_obj in net:
                return False
        return True
    except Exception:
        return False

def safe_fetch(url: str):
    if not is_safe_url(url):
        raise ValueError("URL resolves to a blocked network")
    # Make the actual request to the resolved IP to prevent rebinding
    response = requests.get(url, timeout=5, allow_redirects=False)
    return response.text

3. Use an Egress Allowlist, Not a Denylist

If your webhook or integration feature only needs to reach a known set of external endpoints, restrict outbound connections to those endpoints only. Block all other egress at the security group or firewall level. This is the strongest control — an attacker cannot reach 169.254.169.254 if your server's egress rules prohibit all traffic except to your allowlisted destinations.

🛡️

SECURITY

On AWS, remove the default 0.0.0.0/0 outbound security group rule from application servers that fetch user-supplied URLs. Replace it with explicit allow rules for your dependencies (payment gateways, email providers, storage endpoints). Treat outbound traffic with the same zero-trust posture as inbound.

4. Network Segmentation

Servers that handle user-supplied URL fetching should sit in a dedicated subnet with no direct access to your internal microservice network. A compromised server in an isolated subnet limits lateral movement even if SSRF is exploited. Use VPC security groups, network ACLs, and service mesh policies to enforce this boundary.

5. Disable Redirects and Enforce Protocol Allowlists

HTTP redirects can chain a valid-looking URL to an internal target. Set allow_redirects=False (or equivalent) on your HTTP client and handle redirects manually with re-validation at each hop. Also restrict accepted schemes to https:// only — file://, gopher://, dict://, and ftp:// are classic SSRF bypass vectors.

SSRF in Indian Regulatory Context

CERT-In's Cyber Security Guidelines require organisations to report significant breaches within six hours. An SSRF-enabled cloud credential theft that results in data exfiltration qualifies. India's DPDP Act 2023 mandates notification to the Data Protection Board when personal data is compromised — the breach affects regulatory standing regardless of whether the SSRF was "just a misconfiguration."

Bachao.AI's automated VAPT scanner, built by Dhisattva AI Pvt Ltd, includes SSRF detection as part of its active scan suite — testing for open redirect chains, metadata endpoint reachability, and DNS rebinding vectors on every scan.

💡

TIP

Run a free VAPT scan before your next cloud deployment. SSRF vulnerabilities that look invisible during development become critical liabilities the moment your application goes live with a user-accessible URL fetch feature.

SSRF Detection Checklist

Before shipping any feature that fetches external URLs, walk through this checklist:

Control	Implemented	Notes
IMDSv2 enforced on all EC2 instances		AWS Console → EC2 → Actions → Modify IMDS options
Outbound security group restricts egress		No `0.0.0.0/0` outbound on app tier
URL validation resolves DNS before fetch		Must re-validate IP post-resolve
Blocked networks include link-local + RFC-1918		`169.254.0.0/16`, `10/8`, `172.16/12`, `192.168/16`, loopback
HTTP client has `allow_redirects=False`		Validate each redirect hop
Only `https://` scheme accepted		Block `file://`, `gopher://`, `dict://`, `ftp://`
Timeout set on all outbound requests		Prevents slow-loris style probing
Unexpected internal requests trigger alert		SIEM rule on internal IP in outbound request log

Key Takeaway

🎯Key Takeaway

SSRF turns your own server into an attacker's proxy. One unvalidated URL parameter can expose cloud IAM credentials, internal microservices, and every database reachable from your server's network. The fix is not a denylist — it is an allowlist-first egress policy, IMDSv2 enforcement, and DNS-resolve-then-validate URL handling. For Indian teams on AWS or GCP, treat SSRF as a P0 pre-launch gate — the regulatory and business consequences of a cloud credential theft are severe and immediate. See the Bachao.AI blog for related deep-dives on injection vulnerabilities and cloud misconfigurations.

Frequently Asked Questions

What is SSRF in simple terms?

SSRF (Server-Side Request Forgery) is when an attacker tricks your backend server into making HTTP requests to targets it should not reach — internal services, admin endpoints, or the cloud metadata server at 169.254.169.254. The server uses its own trusted network identity to make the request, bypassing external firewalls entirely.

Why is SSRF in the OWASP Top 10?

OWASP added SSRF as a standalone category in the 2021 Top 10 because of its high exploitability in cloud environments and the severity of what attackers can access — live IAM credentials, internal APIs, container orchestration endpoints, and database ports that carry no separate authentication for internal traffic.

How do attackers steal AWS credentials using SSRF?

The attacker submits the AWS metadata URL (http://169.254.169.254/latest/meta-data/iam/security-credentials/) as input to any feature that makes server-side HTTP requests. The server fetches the URL from its EC2 instance, which returns the temporary IAM credentials attached to that instance. The attacker then uses those credentials via the AWS CLI from their own machine. Enforcing IMDSv2 blocks this specific vector.

What is the difference between basic SSRF and blind SSRF?

Basic SSRF returns the response body to the attacker — they can directly read the credentials or internal data. Blind SSRF does not return a response, but attackers infer success through DNS callbacks, timing differences, or side effects. Both are dangerous; blind SSRF is used for internal network reconnaissance before escalating to a higher-impact technique.

Can a WAF alone protect against SSRF?

No. WAFs catch known patterns (metadata IP strings in request parameters) but are bypassed by decimal encoding (2130706433 for 127.0.0.1), IPv6 notation, DNS rebinding, and open-redirect chaining. WAF rules are a supplementary detection layer, not a substitute for server-side egress validation, IMDSv2 enforcement, and network segmentation.

Is SSRF relevant for Indian SaaS companies?

Yes. Indian SaaS applications on AWS, GCP, and Azure have the same metadata endpoint exposure as any global cloud deployment. CERT-In's six-hour breach notification rule and the DPDP Act 2023's personal data protection mandate make the regulatory cost of an SSRF-enabled breach significant. Any feature that fetches user-supplied URLs — webhook validation, link previews, PDF generation, image import — is a potential SSRF surface that should be assessed before launch.