SSRF (Server-Side Request Forgery)
// Definition
An attack where an attacker tricks a server into making HTTP requests on their behalf — often to internal services that aren't exposed to the internet. A vulnerable endpoint accepts a URL as input and fetches it server-side. Attackers use SSRF to reach cloud metadata endpoints (`http://169.254.169.254/latest/meta-data/`), internal admin interfaces, and databases. Test by supplying internal IPs, `localhost`, or cloud metadata URLs as inputs. The fix is a strict allowlist of permitted destination hosts.
// Why it matters
SSRF turns your own server into the attacker's proxy — it makes outbound requests to internal addresses a client should never reach (cloud metadata endpoints, internal admin services). For QA, any feature that fetches a user-supplied URL (webhooks, image-from-URL, link previews) is an SSRF test surface.
// How to test
```javascript
// Feed an internal/loopback target into a URL-accepting endpoint
const payloads = [
  'http://169.254.169.254/latest/meta-data/', // cloud metadata
  'http://localhost:8080/admin',
  'http://127.0.0.1:6379', // internal redis
]
payloads.forEach((url) =>
  cy.request({ method: 'POST', url: '/api/fetch-preview', body: { url }, failOnStatusCode: false })
    .its('status').should('be.oneOf', [400, 403]) // must be rejected, not fetched
)
```
// Common mistakes
- Blocklisting `localhost` but missing `127.0.0.1`, `0.0.0.0`, IPv6, or DNS-rebind tricks
- Validating the URL once, then following redirects to an internal target
- Returning the fetched body verbatim (turns blind SSRF into a data leak)
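The three mistakes above have one server-side counterpart each: an allowlist instead of a blocklist, re-checking the destination on every redirect hop, and shaping the response instead of relaying it. The following is an added example written for this entry, not code from the original glossary; the allowlisted hosts (`cdn.example.com`, `images.example.com`), the `https`-only policy and the function names are assumptions chosen for illustration.

```javascript
// Added example (not from the original glossary): destination checks for a
// "fetch this URL" endpoint such as a link preview. Assumed allowlist below.
const ALLOWED = {
  protocols: new Set(['https:']),                              // assumed policy
  hosts: new Set(['images.example.com', 'cdn.example.com']),   // assumed allowlist
  ports: new Set(['']),   // '' = default port; URL normalises ':443' to '' for https
};

// Pure check, no network. Returns { ok: true, url } or { ok: false, reason }.
function validateDestination(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED.protocols.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  // Exact hostname match against the allowlist. Because this is an allowlist,
  // loopback, link-local, 0.0.0.0, IPv6 literals and every alternative spelling
  // of an IP address fail here without needing a special case for each.
  if (!ALLOWED.hosts.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  if (!ALLOWED.ports.has(url.port)) {
    return { ok: false, reason: `port ${url.port} not allowed` };
  }
  return { ok: true, url: url.href };
}

// Given a response and the URL it came from, return the absolute redirect
// target (resolving relative Location headers), or null if it is not a redirect.
function redirectTarget(res, fromUrl) {
  if (res.status < 300 || res.status >= 400) return null;
  const location = res.headers.get('location');
  if (!location) throw new Error('redirect without Location header');
  return new URL(location, fromUrl).href;
}

// Follow redirects manually so every hop passes through validateDestination.
// fetchImpl is injectable so the loop can be exercised without a network.
async function fetchAllowlisted(rawUrl, fetchImpl = globalThis.fetch, maxRedirects = 3) {
  let current = rawUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const verdict = validateDestination(current);
    if (!verdict.ok) throw new Error(`blocked at hop ${hop}: ${verdict.reason}`);
    const res = await fetchImpl(verdict.url, { redirect: 'manual' });
    const next = redirectTarget(res, verdict.url);
    if (next === null) return res;
    current = next;
  }
  throw new Error('too many redirects');
}

// Return a fixed-shape preview rather than the upstream body verbatim, so a
// request that slips through cannot turn the endpoint into a read primitive.
function toPreview(res, bodyText) {
  return {
    status: res.status,
    contentType: res.headers.get('content-type') || '',
    excerpt: String(bodyText).slice(0, 200),
  };
}

module.exports = { validateDestination, redirectTarget, fetchAllowlisted, toPreview };
```

One caveat the snippet does not cover: with an allowlist of hostnames, DNS rebinding still matters if the allowlisted name can be pointed at an internal address by whoever controls it, so the resolved address should be checked (and pinned for the connection) as well.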
// Related terms
BOLA (Broken Object Level Authorization)
Ranked #1 in the OWASP API Security Top 10. A BOLA (also called IDOR — Insecure Direct Object Reference) vulnerability exists when an API trusts the object ID in the request rather than checking whether the authenticated user is authorised to access that specific resource. Test by replacing `/users/1/orders/100` with `/users/1/orders/101` (an order belonging to a different user) — a vulnerable API returns a 200; a secure one returns a 403 or 404. The fix is server-side authorisation checks on every object access.
OWASP
Open Worldwide Application Security Project — a non-profit publishing free security guidance, including the OWASP Top 10 list of the most critical web application risks. The default reference for application security testing.