By Bamdad Shahabi | CAISD Cyber Security
CWE-918 · OWASP Top 10 A10
---
SSRF requires no credentials. No malware. No special access.
Just a URL input and a server with the wrong trust model.
This is how Capital One lost 100 million records.
This is CWE-918. This is OWASP Top 10 A10.
---
## What is SSRF?
Server-Side Request Forgery (SSRF) forces a web application to make HTTP requests to arbitrary destinations — internal cloud metadata, databases, secrets manager, internal APIs.
The attacker never touches internal systems directly.
They instruct the server — trusted by the network — to do it for them.
---
## How the attack works
Consider a document import feature.

Normal request:

```text
POST /api/document-import
url = "https://files.example.com/report.pdf"
```

SSRF payload — pivots to AWS metadata:

```text
POST /api/document-import
url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-role"
```

The attack unfolds in four steps:

**Step 1 — Discovery**
The attacker finds a feature where the server fetches a URL on the user's behalf: document import, webhook testing, URL preview, PDF rendering.

**Step 2 — Injection**
A private IP or internal hostname is supplied. 169.254.169.254 is the AWS EC2 Instance Metadata Service (IMDS), accessible from any instance inside the VPC.

**Step 3 — Credential harvest**
The server queries the metadata endpoint and receives IAM role credentials — valid AWS access keys — returned in plain JSON.

**Step 4 — Lateral movement**
The attacker uses the stolen keys to enumerate S3 buckets, access Secrets Manager, query RDS databases, and escalate privileges further into the cloud account.
---
## Real-world impact: Capital One (2019)
SSRF is not theoretical.
A misconfigured WAF accepted a malicious request.
The WAF queried the EC2 metadata endpoint.
IAM credentials returned. Overly permissive role.
100 million customer records exfiltrated from S3.
Estimated cost: $190 million in settlements.
---
## Why cloud environments are especially vulnerable

AWS EC2 — IAM credentials:

```text
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE
```

GCP — service account token:

```text
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
```

Azure — managed identity token:

```text
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01
```

The link-local address 169.254.169.254 is blocked at the Internet boundary. The attacker cannot reach it directly. The application server can.
That asymmetry is the entire attack surface.
---
## Bug bounty severity
| Scenario | Severity |
|----------|----------|
| SSRF to AWS metadata endpoint | P1 Critical |
| IAM credential harvest via IMDS | P1 Critical |
| Internal service discovery | P2 High |
| Blind SSRF via timing or DNS | P2 High |
---
## Defense in depth
**Layer 1 — URL allowlist**
Resolve the supplied URL to an IP before fetching. Reject any address in the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and in the link-local range 169.254.0.0/16. Connect to the address that passed the check rather than resolving the name a second time, and apply the same check to every redirect the fetch follows.

**Layer 2 — IMDSv2 enforcement**
AWS IMDSv2 requires a session token obtained with a PUT request before any GET. A simple GET-based SSRF receives HTTP 401. Configure `HttpTokens: required` on all EC2 instances.

**Layer 3 — Egress firewall**
Security group rules and network ACLs prevent the application server from making outbound connections to internal CIDR ranges.

**Layer 4 — Least-privilege IAM**
Scope the EC2 instance role to only the permissions the application legitimately needs. If credentials are stolen — the attacker gains nothing useful.

> Defense-in-depth means assuming each layer will eventually fail. SSRF is fully mitigated only when credential theft grants no meaningful access.
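An added example of the Layer 1 check in Python (not code from the original post): it resolves the hostname, rejects any resolved address in the private or link-local ranges above (plus loopback and the IPv6 equivalents, including IPv4-mapped forms), and returns the pinned IP the fetcher should connect to. The `resolver` parameter and the function names are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the fetcher must never reach: RFC 1918 private space, the link-local
# block that hosts the AWS and Azure metadata service, loopback, and the IPv6
# equivalents (a dual-stack resolver can return an AAAA record for the same host).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local, IMDS lives here
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback, "this host"
    "::1/128", "::/128", "fc00::/7", "fe80::/10",      # IPv6 loopback, ULA, link-local
)]

def is_blocked_ip(text):
    """True if the address falls in a blocked range; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve_allowed_target(url, resolver=socket.getaddrinfo):
    """Validate a user-supplied URL; return (hostname, ip_to_connect) or raise ValueError.
    `resolver` is injectable only so the check can be tested without live DNS
    (an assumption of this example). Every address the name resolves to must pass,
    because the HTTP client may pick any of them."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    host = parsed.hostname
    try:
        addrs = sorted({info[4][0] for info in resolver(host, parsed.port or 80)})
    except (socket.gaierror, UnicodeError) as exc:
        raise ValueError("cannot resolve %s" % host) from exc
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked or not addrs:
        raise ValueError("%s resolves to %s" % (host, blocked or "no address"))
    # The caller must connect to this IP (sending Host: <host>), not resolve again,
    # and must re-run this check on every redirect; otherwise a DNS answer that
    # changes between validation and fetch, or a 302 to 169.254.169.254, bypasses it.
    return host, addrs[0]

def is_allowed_target(url, resolver=socket.getaddrinfo):
    """Boolean form for callers that only need a verdict."""
    try:
        resolve_allowed_target(url, resolver=resolver)
        return True
    except ValueError:
        return False
```

A string blocklist on hostnames is not a substitute: `metadata.google.internal` or an attacker-controlled name is caught here only because the check runs on what the name resolves to.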
---
## Vulnerable feature patterns to look for
- Document or image import by URL
- Webhook URL configuration
- URL preview or screenshot service
- PDF generation from URL
- Server-side proxy endpoints
- XML external entity (related)
---
## What is CAISD?
CAISD (Cyber Intelligence & Digital Forensics)
by Bamdad Shahabi — cinematic visualizations of 
XSS, SSRF, CSRF, session hijack, OWASP Top 10.
"Making cybersecurity impossible to misunderstand."
---

Watch the full cinematic breakdown:
📺 youtube.com/@CAISD_Official
📄 medium.com/@mahone0094
💼 linkedin.com/in/bamdad-95a40b312
🎵 tiktok.com/@caisd_0
🐙 github.com/tiztac093/CAISD-XSS-Visual