SSRF (Server-Side Request Forgery)

A flaw where an attacker tricks your server into making requests to internal systems or cloud metadata it should never reach.

SSRF occurs when your backend fetches a URL that a user controls. An image-from-URL feature, a webhook tester, or a PDF renderer can all be abused. Instead of pointing at an external image, the attacker points your server at http://169.254.169.254/ (cloud metadata) or an internal admin service, and your server happily makes the request from inside your network.

This matters because the danger is hidden behind a normal-looking feature. On cloud hosting, a single SSRF can hand over credentials that unlock your whole account. It's one of the OWASP Top 10 for good reason.

Defend against it by validating and allowlisting outbound destinations, blocking internal IP ranges, and never trusting a user-supplied URL. Kalit Pentest checks whether your fetch features can be redirected at internal targets.
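An added example of the allowlist-plus-internal-range check described above, written for this entry rather than taken from Kalit's own code. It assumes a hypothetical host allowlist and takes the DNS resolver as a parameter so it can be exercised offline; the checks it encodes are that the resolved addresses, not just the hostname, are tested, and that the same check must be re-run on every redirect target.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts the fetch feature may talk to.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: return every A/AAAA record, since any one of them may be used."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (169.254/16 includes cloud metadata), etc."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 range checks still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=_resolve):
    """Return (ok, reason) for a URL the backend is about to fetch.

    Order: scheme allowlist, host allowlist, then resolve the host and reject if
    ANY resulting address is internal. Call this again for every redirect target
    (or disable redirects in the HTTP client): an allowed host can 302 inward.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # strips credentials, port and IPv6 brackets
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"
```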