How SSRF Attacks Work

SSRF vulnerabilities typically arise in features that fetch external resources: URL previews, file imports from URLs, webhook implementations, or PDF generators that load external images. Attackers provide malicious URLs that, instead of pointing to intended external resources, target internal systems or cloud metadata endpoints. The server, trusting the request comes from a legitimate source, happily fetches sensitive internal data and returns it to the attacker.

Consider a web application that generates PDFs from HTML, allowing users to include images via URLs. An attacker might submit http://169.254.169.254/latest/meta-data/iam/security-credentials/ instead of an image URL. This special IP address in AWS contains IAM role credentials. The PDF generator fetches these credentials and includes them in the output, giving the attacker keys to your cloud kingdom. Similar attacks target internal databases, administrative interfaces, or other services not meant for external access.