OWASP_TOP10 A10:2021 · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | SSRF vulnerabilities are typically exploited through publicly accessible web applications, enabling initial access to internal resources. | 100% |
| T1090 | The vulnerable application functions as an unwitting proxy, forwarding attacker-controlled requests to internal network destinations. | 100% |
| T1572 | SSRF can facilitate tunneling of arbitrary protocols through the compromised application, bypassing network segmentation and firewalls. | 90% |
| T1046 | Attackers use SSRF to scan internal network ranges, identifying active hosts and available services. | 100% |
| T1018 | SSRF enables mapping of internal network topology and identifying specific remote systems within the internal infrastructure. | 100% |
| T1083 | SSRF can be abused to read local files on the server, including configuration files or sensitive data, using schemes like file://. | 90% |
| T1552 | SSRF is frequently used to access cloud metadata services (e.g., AWS IMDS) to retrieve temporary security credentials. | 100% |
| T1210 | SSRF allows attackers to interact with and exploit vulnerabilities in internal services not directly exposed to the internet. | 100% |
| T1021 | The compromised application is coerced into connecting to other internal remote services, enabling lateral movement within the network. | 90% |
| T1005 | SSRF can be leveraged to extract sensitive data or configuration files directly from the application's host system. | 90% |
| T1119 | Attackers can automate SSRF requests to systematically gather large volumes of information from various internal systems. | 80% |
| T1071 | SSRF uses standard application layer protocols (e.g., HTTP/S) to communicate with internal resources, acting as a covert channel. | 80% |
| T1499 | SSRF can be used to direct excessive traffic or malformed requests to internal services, causing resource exhaustion and denial of service. | 70% |
| T1068 | Access gained via SSRF to internal administrative interfaces or sensitive services can lead to privilege escalation. | 80% |
| T1098 | If SSRF provides access to internal user management systems, attackers may create or modify accounts for persistent access. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | Restricting the application's outbound network access to only explicitly permitted destinations directly prevents SSRF exploitation. | 100% |
| M1037 | Implementing egress filtering at the network perimeter or host firewall level blocks unauthorized outbound connections initiated by SSRF. | 100% |
| M1031 | Segmenting internal networks isolates critical services, reducing the potential impact and reach of an SSRF attack. | 90% |
| M1038 | Monitoring application logs and network traffic for unusual outbound connection patterns can detect SSRF attempts. | 80% |
| M1026 | Reducing the privileges of the application's service account limits the scope of damage if SSRF is successfully exploited. | 80% |
| M1040 | Endpoint security solutions can identify and prevent malicious outbound connections originating from the application server. | 70% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-918 | This is the direct vulnerability described by OWASP A10:2021, where an application fetches an unvalidated user-supplied URL. | 100% |
| CWE-20 | The fundamental cause of SSRF is the failure to properly validate or sanitize user-provided URLs before fetching remote resources. | 100% |
| CWE-610 | Assuming internal services are inherently secure due to lack of public exposure is a common misconception exploited by SSRF. | 90% |
| CWE-284 | Internal services often lack robust access controls, allowing an SSRF-enabled attacker to interact with them without proper authorization. | 90% |
| CWE-200 | Successful SSRF attacks frequently lead to the disclosure of sensitive data from internal systems or cloud metadata. | 90% |
| CWE-732 | Over-privileged application accounts can exacerbate SSRF impact, allowing access to critical internal resources. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0169 compute · voice-rubric self-validated