OWASP_API_TOP10 · API7:2023 (API07) · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
SSRF flaws occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or VPN.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | 1. SSRF is an exploit of a public-facing API, enabling initial access to internal resources. 2. Attackers use crafted requests to bypass perimeter defenses, as described in API7:2023. | 90% |
| T1595.002 | 1. SSRF allows an attacker to coerce the server into performing vulnerability scans against internal network hosts. 2. This technique facilitates discovery of vulnerable services or open ports behind firewalls. | 80% |
| T1046 | 1. Attackers use SSRF to discover internal network services by sending requests from the vulnerable API. 2. This reveals the network topology and active services, even when protected by a VPN or firewall. | 80% |
| T1082 | 1. SSRF can be used to retrieve system information from internal endpoints, such as cloud metadata services. 2. This provides valuable data about the host environment and configurations. | 70% |
| T1018 | 1. SSRF enables remote system discovery by allowing the attacker to probe internal IP addresses. 2. This identifies other systems on the internal network that are typically inaccessible from the outside. | 70% |
| T1572 | 1. SSRF facilitates protocol tunneling by using the vulnerable server to forward requests. 2. This bypasses network segmentation and firewall rules, allowing access to restricted internal resources. | 80% |
| T1090.003 | 1. The vulnerable API acts as a multi-hop proxy for attacker requests, as described in API7:2023. 2. This allows attackers to reach internal targets that are otherwise unreachable. | 80% |
| T1552.001 | 1. SSRF is commonly used to access cloud metadata services, which often contain temporary application credentials. 2. This provides attackers with sensitive authentication material for further compromise. | 90% |
| T1003.008 | 1. If SSRF allows local file inclusion (e.g., via file:// protocol), attackers can read sensitive OS credential files. 2. This technique is dependent on the specific SSRF implementation and server configuration. | 60% |
| T1005 | 1. SSRF can enable data collection from the local system by reading sensitive files from the server's filesystem. 2. This includes configuration files, logs, or other proprietary data. | 70% |
| T1074.001 | 1. Attackers may use SSRF to fetch data from internal services and stage it on the vulnerable server. 2. This prepares data for subsequent exfiltration, as described in API7:2023. | 60% |
| T1071.001 | 1. SSRF can be used to establish command and control (C2) communication using web protocols (HTTP/S). 2. The vulnerable API acts as an intermediary, masking the attacker's true origin. | 70% |
| T1041 | 1. SSRF can facilitate exfiltration of collected data over a C2 channel. 2. The vulnerable API sends data to an external attacker-controlled server, bypassing network egress controls. | 80% |
| T1499 | 1. SSRF can trigger endpoint denial of service by directing requests to internal services, causing resource exhaustion or crashes. 2. This impacts the availability of critical internal systems. | 60% |
| T1490 | 1. If SSRF provides access to backup systems or critical configuration files, attackers can inhibit system recovery. 2. This can lead to data loss or prolonged service outages. | 50% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | 1. Limiting access to resources over the network is critical. 2. Implement strict firewall rules to restrict outbound connections from the API server, especially to internal IP ranges and sensitive ports, directly addressing API7:2023. | 90% |
| M1037 | 1. Filtering network traffic, specifically egress filtering, prevents the API from making unauthorized outbound requests. 2. This blocks connections to internal IP addresses and non-whitelisted external destinations, as required by API7:2023. | 90% |
| M1038 | 1. Segmenting the network isolates the API server in a DMZ or separate network segment. 2. This reduces the blast radius of an SSRF vulnerability by limiting access to sensitive internal systems. | 80% |
| M1031 | 1. Network intrusion prevention systems (IPS) detect and block suspicious outbound requests originating from the API. 2. This provides an additional layer of defense against SSRF exploitation attempts. | 70% |
| M1026 | 1. Implementing privileged account management ensures the API runs with the principle of least privilege. 2. This minimizes the impact if an SSRF vulnerability is exploited, limiting what the compromised API can access. | 80% |
| M1047 | 1. Comprehensive auditing and logging of all outbound requests made by the API are essential. 2. This enables detection of SSRF attempts and provides forensic data for incident response, as per API7:2023. | 70% |
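The URI validation the Regulation text above asks for, combined with the "no outbound requests to internal ranges" rule behind M1035/M1037, written as a pre-fetch check; this is an added example, not code from the page or from SQUR's tooling. Hostnames, addresses and the function names (system_resolver, constructed_resolver, is_public_address, validate_fetch_target) are assumptions, and the DNS table is constructed so the block runs offline; it also goes slightly beyond the text by handling IPv4-mapped IPv6 literals and mixed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example runs offline; not real records.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],  # cloud metadata endpoint
    "rebind.example.net": ["93.184.216.35", "10.0.0.5"],  # mixed answers
}

def system_resolver(host):  # every A/AAAA answer from the OS resolver
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None)})

def constructed_resolver(host):  # offline stand-in for system_resolver;
    return FAKE_DNS.get(host, [host])  # unknown names pass through as-is

def is_public_address(text):
    """False for loopback, RFC 1918, link-local (169.254.169.254 included),
    multicast/reserved, and IPv4-mapped IPv6 forms of any of those."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast and not ip.is_reserved

def validate_fetch_target(url, resolver=system_resolver):
    """Return (ok, reason, addresses). The fetch must then connect to one of
    the returned addresses rather than re-resolving (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []
    try:
        host, port = parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        return False, "invalid port", []
    if not host or port not in ALLOWED_PORTS:
        return False, "missing host or port not allowed", []
    try:
        addrs = resolver(host)
        ok = bool(addrs) and all(is_public_address(a) for a in addrs)
    except (OSError, ValueError):  # unresolvable name or malformed answer
        return False, "unresolvable host", []
    if not ok:
        return False, "resolves to non-public address", addrs
    return True, "ok", addrs
```

Every resolved address must be public, so a name that answers with one public and one private record is rejected outright; egress filtering (M1037) remains the backstop for anything this check misses.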
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-918 | 1. This CWE directly maps to Server-Side Request Forgery (SSRF), which is the focus of OWASP API7:2023. 2. The control explicitly addresses flaws where an API fetches remote resources without proper validation. | 100% |
| CWE-20 | 1. Improper input validation is the fundamental weakness leading to SSRF. 2. The API fails to validate user-supplied URIs, allowing attackers to specify arbitrary destinations, as stated in API7:2023. | 90% |
| CWE-73 | 1. External control of file name or path can contribute to SSRF if the vulnerability allows local file inclusion. 2. This enables attackers to read sensitive files from the server's filesystem. | 70% |
| CWE-284 | 1. Improper access control on the API's outbound request capabilities allows SSRF. 2. The API is permitted to access resources it should not, violating the principle of least privilege. | 80% |
| CWE-200 | 1. Successful SSRF exploitation often leads to the exposure of sensitive information to an unauthorized actor. 2. This includes internal network details, credentials, or proprietary data, as highlighted by API7:2023. | 80% |
| CWE-441 | 1. The vulnerable API acts as an unintended proxy or intermediary for attacker-controlled requests. 2. This allows attackers to bypass network controls and access internal systems, as described in API7:2023. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0189 compute · voice-rubric self-validated