Server-Side Request Forgery (SSRF)
App fetches a URL controlled by the user — pivot to internal services unreachable from the internet.
§ Where this technique fits
W-SSRF is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 1.3 on average.
§ Dossiers chaining this technique
- step 1 / 5 · WAF SSRF → IMDS → S3 mass exfil (Capital One 2019): A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; the SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- step 1 / 6 · SSRF → reach internal Redis → write SSH key → RCE: Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys file onto the Redis host, then log in as the Redis user.
- step 1 / 9 · SSRF → IMDS → AssumeRole chain → Org admin: A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
- step 2 / 6 · SSRF → IMDS → cloud creds → lateral: An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
§ What commonly comes next
- 01 · IMDSv1 Credential Theft (seen 2×) · C-IMDS-V1 · Credential Access
- 02 · SSRF → Cloud IMDS (seen 1×) · W-SSRF-IMDS · Lateral Movement
- 03 · SSRF → Internal Service Exploit (seen 1×) · W-SSRF-INTERNAL · Lateral Movement