# What Is Server-Side Request Forgery (SSRF)

> SSRF is a vulnerability where an attacker makes a server issue an HTTP request to a destination of the attacker's choosing. Because the request originates inside the server's network, it can reach internal services, cloud metadata, and loopback addresses that the attacker could never reach directly. The fix is to validate the destination, not the URL string.

Source: https://ronutz.com/en/learn/what-is-ssrf  
Updated: 2026-07-01  
Related tools: https://ronutz.com/en/tools/ssrf-url-classifier

---

Server-Side Request Forgery is a vulnerability in which an application takes a URL (or a hostname, or an address) from user input and fetches it on the server. If the application does not check where that URL points, an attacker can supply an internal destination and make the server request it on their behalf.

## Why the origin of the request matters

The danger is not the fetch itself; it is who is making it. A request from the public internet cannot reach a database on `10.0.0.5`, an admin panel on `localhost`, or a cloud metadata service on `169.254.169.254`. A request from the application server usually can, because that server sits inside the trust boundary. SSRF lets an attacker borrow the server's network position.

## Where it shows up

Any feature that fetches a user-supplied URL is a candidate: webhook senders, link-preview and unfurl services, image and document proxies, PDF or screenshot generators, RSS and import tools, and "check this URL" health probes. All of them accept an address and make a request, which is exactly the primitive SSRF abuses.

## What an attacker gains

Reaching internal-only services can expose admin interfaces, unauthenticated internal APIs, and management ports. The highest-value target is often the cloud instance metadata endpoint, which can hand back temporary credentials for the server's role. SSRF is also used for internal port scanning, since the timing and errors of the fetch reveal which internal hosts and ports are alive.

## The shape of the fix

Because the same address can be written many ways, filtering the URL text is not enough. The reliable approach is to resolve the destination and classify the resulting IP against known-internal ranges, allow only the addresses you intend to reach, and restrict the scheme to http and https. That classification of a destination is exactly what this tool performs, locally and without ever issuing the request.
