    API7:2023 - Server Side Request Forgery (SSRF)

    APIs that fetch remote resources can be tricked into calling internal or metadata endpoints.

    Why This Category Exists

    Features like URL previews, webhooks, imports, and connectors often require server-side requests. If user-supplied destinations are not restricted, attackers can pivot into private networks and cloud metadata services.

    Common Impact

    • Access to internal-only services and admin interfaces.
    • Credential theft from cloud instance metadata endpoints.
    • Lateral movement inside private infrastructure.

    Prevention Checklist

    • Use strict allowlists for outbound hosts and protocols.
    • Block private IP ranges, localhost, and metadata addresses.
    • Resolve and verify DNS/IP after redirects and before each request.
    • Route outbound traffic through controlled egress proxies.
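The checklist above, worked through as an added example (not code from the original guide): an allowlist on scheme, host and port, a resolve-and-verify step that rejects private, loopback, link-local and metadata addresses, and manual redirect following so every hop is re-checked before it is requested. The allowlisted hostnames, the injected `resolver` and `opener` callables are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Constructed allowlist for this example; a real service would load it from config.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"hooks.example.com", "img.example.com"}
MAX_REDIRECTS = 3

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # apply the IPv4 rules to ::ffff:a.b.c.d forms too
    # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    # CGNAT, documentation ranges and the unspecified address.
    return ip.is_global and not ip.is_multicast

def resolve_all(host):
    """Every A/AAAA answer for host; one bad answer is enough to reject."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolver=resolve_all):
    """Allowlist scheme/host/port, then verify what the host resolves to right now."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.port not in (None, 80, 443):
        return False, "port not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    bad = sorted(a for a in resolver(host) if not is_public_ip(a))
    if bad:
        return False, f"host resolves to non-public address {bad[0]}"
    return True, "ok"

def fetch_with_checked_redirects(url, opener, resolver=resolve_all):
    """Follow redirects by hand so every hop is re-validated before it is requested.
    opener(url) is the injected HTTP client and returns (status, location, body).
    Pin the verified IP for the real connection (or use an egress proxy): DNS can
    change between this check and the connect."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_outbound_url(url, resolver)
        if not ok:
            return None, f"blocked {url}: {reason}"
        status, location, body = opener(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return body, "ok"
    return None, "too many redirects"
```

Passing a `resolver` lets the same checks run offline in tests; in production leave the default so live DNS answers are what get verified.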