Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWAS…
SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens when
Aa server requests data from itself in a loop
BDNS requests fail
Ca client requests too much data
Dattacker makes server fetch unintended destinations
Answer & Solution
Correct answer: D. attacker makes server fetch unintended destinations
1. SSRF: a vulnerability where the server-side application allows an attacker to induce it to make HTTP requests to a domain or IP of the attacker's choosing.
2. CRITICAL TARGETS:
• Internal services (databases, admin interfaces) not exposed externally
• Cloud METADATA services (169.254.169.254 on AWS/Azure/GCP — exposes IAM credentials)
• localhost services
3. CASE STUDY: 2019 Capital One breach — SSRF to AWS metadata endpoint exfiltrated AWS credentials from a misconfigured WAF.
4. MITIGATIONS: validate and whitelist URLs, block private IP ranges, use IMDSv2 on AWS (requires session token), network segmentation.
_Source: OWASP Top 10 2021 — A10: Server-Side Request Forgery (SSRF)._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?What does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?The OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses