Practice free →
HomeBCA Cyber SecuritycybersecurityWeb Security — OWASP › SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWAS…

SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens when

Aa server requests data from itself in a loop
BDNS requests fail
Ca client requests too much data
Dattacker makes server fetch unintended destinations
Answer & Solution
Correct answer: D. attacker makes server fetch unintended destinations
1. SSRF: a vulnerability where the server-side application allows an attacker to induce it to make HTTP requests to a domain or IP of the attacker's choosing. 2. CRITICAL TARGETS: • Internal services (databases, admin interfaces) not exposed externally • Cloud METADATA services (169.254.169.254 on AWS/Azure/GCP — exposes IAM credentials) • localhost services 3. CASE STUDY: 2019 Capital One breach — SSRF to AWS metadata endpoint exfiltrated AWS credentials from a misconfigured WAF. 4. MITIGATIONS: validate and whitelist URLs, block private IP ranges, use IMDSv2 on AWS (requires session token), network segmentation. _Source: OWASP Top 10 2021 — A10: Server-Side Request Forgery (SSRF)._
Solve this in the app — BCA Cyber Security practice & 24k+ MCQs →
Related questions