Varol Cagdas Tok

Personal notes and articles.

SSRF: Common Attack Surfaces

SSRF surfaces are not always labeled with a URL field. Any feature where the server makes a network request based on user-controlled data is a potential SSRF point. The constraint on exploitation varies by feature: some accept arbitrary schemes, some resolve hostnames in a context the attacker can influence, some pass user data through a component that makes network requests as a side effect.


Webhooks

Webhooks are user-configured URLs that the application POSTs event data to. The URL is stored during setup and triggered when events occur. SSRF through webhooks is typically blind: the application sends a POST request to the configured URL and does not return the response body to the user. It is rarely fully blind, though: a delivery log or status indicator that reports success, failure, a response code, or latency leaks one bit per request, which is enough to map reachable internal hosts and ports. The HTTP client used for webhook delivery determines which schemes and protocols are available and whether redirects are followed.

Webhook SSRF is often persistent: a URL pointing to an internal service is stored and triggered repeatedly for each event. The attack surface persists until the configuration is changed. Validating the URL only when it is saved is not sufficient, because the hostname is resolved again at every delivery and its DNS answer can change in between; the check has to run on the address actually connected to, at delivery time.


Document and PDF Processors

Server-side HTML-to-PDF converters (wkhtmltopdf, headless Chrome, PhantomJS) render web pages. If user-supplied HTML or URLs are passed to the renderer, the renderer makes HTTP requests to load every referenced resource: images, stylesheets, fonts, iframes, and, when JavaScript is enabled, anything a script requests. An <img src="http://169.254.169.254/..."> tag embedded in user HTML causes the rendering engine to fetch from the metadata endpoint during rendering. The response content may appear in the rendered output, which makes this a non-blind SSRF when an iframe or object is used instead of an image.

wkhtmltopdf fetches external resources by default, and versions before 0.12.6 also allow file:// URIs by default, making it a particularly wide SSRF surface when rendering user-supplied content (0.12.6 disabled local file access by default; --disable-local-file-access turns it off on older builds). Flags such as --no-images and --disable-javascript narrow the surface but do not stop fetches triggered by <link>, <iframe>, CSS url() or @font-face. Running the renderer in a network-isolated environment, or behind an egress proxy that only permits the intended origins, is the control.
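To make the size of that surface concrete, the following added example (not code from this page or from any renderer project) walks a user-supplied HTML document the way a renderer would and lists every URL it would fetch, including ones hidden in srcset, inline style attributes and <style> blocks. The sample document is constructed for the example; the attribute table covers the common fetch points but is not claimed to be exhaustive for any particular engine.

```python
"""Enumerate the resource fetches an HTML-to-PDF renderer would make."""
from html.parser import HTMLParser
import re

# Tag -> attributes whose value the renderer loads while rendering.
# Assumption: a representative table for this example, not a complete one.
_URL_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "input": ("src",),  # <input type="image">
}

# url(...) and @import "..." inside CSS, whether in <style> or style="".
_CSS_URL = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I
)


def _css_urls(css):
    return [a or b for a, b in _CSS_URL.findall(css)]


class _FetchCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in _URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs.
                for candidate in value.split(","):
                    if candidate.strip():
                        self.urls.append(candidate.strip().split()[0])
            else:
                self.urls.append(value.strip())
        if attrs.get("style"):
            self.urls.extend(_css_urls(attrs["style"]))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> bodies as raw text, so scan them for CSS.
        if self._in_style:
            self.urls.extend(_css_urls(data))


def resource_urls(html):
    """Return, in document order, every URL the renderer would request."""
    collector = _FetchCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


# Constructed sample: user HTML that looks harmless but triggers seven
# server-side fetches, two of them not visible in any src attribute.
SAMPLE_HTML = """
<p>Invoice</p>
<img src="http://169.254.169.254/latest/meta-data/">
<link rel="stylesheet" href="file:///etc/passwd">
<iframe src="http://10.0.0.5:8500/v1/kv/"></iframe>
<style>body { background: url('http://127.0.0.1:6379/') } @import "http://internal/x.css";</style>
<div style="background-image: url(http://169.254.169.254/)"></div>
<img srcset="logo.png 1x, http://192.168.1.1/b.png 2x">
"""

if __name__ == "__main__":
    for url in resource_urls(SAMPLE_HTML):
        print(url)
```

Gate the output of resource_urls against an allowlist of origins, or reject the document if any URL is not http(s) to an approved host, before the renderer ever sees it; the network isolation described above remains the backstop for anything the parser misses.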


Image Processors

Applications that fetch remote images for resizing, transcoding, or CDN upload accept URLs. ImageMagick, widely deployed for this purpose, supports a broad set of URL schemes through its delegate system: the https:// delegate, for example, shells out to curl, and the exact set of supported schemes depends on the ImageMagick build and the delegates.xml configuration. The URL does not have to arrive in a URL field. ImageMagick selects a coder from file content rather than file extension, and its MVG and SVG coders have historically introduced additional SSRF paths through file includes and HTTP fetches embedded in the vector graphic itself, so an uploaded "image" can carry the request. Which coders and delegates are permitted is governed by policy.xml.
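A policy.xml that closes those paths, as an added example rather than a configuration from this page or from the ImageMagick project; the domain and pattern names are ImageMagick's own, but which coders a deployment can afford to disable (SVG in particular) is an assumption to revisit per application:

```xml
<policymap>
  <!-- Coders that fetch URLs, or that embed URLs inside the image data. -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <!-- Add SVG here if the application never needs to accept it. -->
  <!-- "@file" arguments read a file list from disk; block them. -->
  <policy domain="path" rights="none" pattern="@*" />
  <!-- If only raster formats are needed, drop external delegates entirely. -->
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>
```

After installing it, confirm the running binary actually picked it up with `identify -list policy` (or `magick -list policy`), since an ImageMagick built with a different prefix reads a different policy file, and then fetch the remote image with the application's own vetted HTTP client and hand ImageMagick the bytes, not the URL.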


XML Parsers and XXE

XML External Entity (XXE) injection is a related vulnerability where XML parsers that resolve external entities fetch URLs from user-supplied XML. The DOCTYPE declaration in XML can define an external entity that references a URL:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<foo>&xxe;</foo>

When the parser expands the entity reference, it makes an HTTP request to the specified URL and substitutes whatever comes back into the document. With an external entity, XXE is an SSRF primitive: the server makes a request on behalf of the attacker, originating from the server's network position, and if the application echoes the parsed document the response is reflected back. The constraints differ from application-level SSRF because the parser's entity resolver, not the application's HTTP client, performs the fetch: protocol support is whatever the resolver offers (commonly http, https and file) and no headers can be set. The control is disabling external entity resolution in the parser configuration rather than filtering URLs.
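The following added example (not code from this page) shows the same mechanism with Python's xml.sax, whose expat-based parser resolves external general entities through urllib when the feature_external_ges feature is on. It uses a file:// entity pointing at a constructed local file as a stand-in for the metadata URL, so it runs offline; the resolver code path is identical for http URLs. The file name and secret value are made up for the demonstration.

```python
"""XXE as a server-side fetch: the parser, not the application, makes the request."""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Gathers the character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(document: bytes, resolve_external_entities: bool) -> str:
    """Parse document and return its text content.

    resolve_external_entities=True mirrors a parser whose entity resolution
    was left enabled; False is the hardened setting and the current default
    for xml.sax. Nothing else differs between the two runs.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts)


def build_xxe_document(target_url: str) -> bytes:
    """Attacker-shaped XML: an external general entity pointing at target_url."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{target_url}">]>\n'
        '<foo>&xxe;</foo>'
    ).encode()


def demo() -> tuple[str, str]:
    """Return (text with resolution on, text with resolution off)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an internal endpoint the server can read.
        secret = pathlib.Path(d) / "instance-credentials"
        secret.write_text("constructed-secret-value")
        doc = build_xxe_document(secret.as_uri())
        leaked = parse_untrusted_xml(doc, resolve_external_entities=True)
        blocked = parse_untrusted_xml(doc, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("resolution on :", repr(leaked))
    print("resolution off:", repr(blocked))
```

The application code never calls an HTTP client, which is why URL filters placed in front of the application's own outbound requests do not see this fetch; the only place to stop it is the parser's configuration, and that setting has to be checked per parser library and version rather than assumed.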


URL Preview and Link Unfurling

Chat applications and social platforms fetch URLs to generate previews showing title, description, and thumbnail. The fetch is made by the application server using the URL as submitted, and because the title and description come back to the user, the SSRF is usually not blind. Blocking access to private IP ranges is less commonly implemented for these features than for explicit file import features, because the feature is perceived as low-risk metadata fetching. The same fetch that retrieves Open Graph tags from a public URL will also fetch the contents of an internal service if the URL points to one. Two further gaps are common even where a check exists: the preview client follows redirects, so a public URL that answers with a 302 to an internal address bypasses a check applied only to the submitted URL, and the check resolves the hostname once while the HTTP client resolves it again, leaving a window for the DNS answer to change.
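Both the webhook delivery and the link-preview fetch above need the same thing: a check that runs on the address actually connected to, not on the string the user typed. The following added example (not code from this page) resolves the hostname, rejects any answer that is not a public unicast address, and returns a pinned IP for the caller to connect to while sending the original hostname as Host header and SNI, which removes the resolve-twice window. The public test address 8.8.8.8 and the function names are choices made for the example.

```python
"""Vet an outbound URL and pin the address it resolved to."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class OutboundUrlRejected(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def _is_public_unicast(ip) -> bool:
    # Unwrap ::ffff:a.b.c.d so IPv4-mapped loopback/link-local are caught.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.0.0/16, fe80::/10),
    # RFC 1918, CGNAT (100.64/10), unspecified and documentation ranges.
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def vet_outbound_url(url: str) -> tuple[str, int, str]:
    """Return (pinned_ip, port, host_header) or raise OutboundUrlRejected.

    The hostname is resolved exactly once, here. Every address in the answer
    is checked, because a resolver may return several and the client will
    use any of them. Decimal, octal or hex IP spellings ("2130706433",
    "0177.0.0.1", "0x7f000001") are normalised by getaddrinfo before the
    range check, so they are caught without special-casing.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise OutboundUrlRejected(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise OutboundUrlRejected("missing host")
    if parts.username or parts.password:
        raise OutboundUrlRejected("credentials in URL")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise OutboundUrlRejected(f"bad port in {url!r}") from exc

    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise OutboundUrlRejected(f"cannot resolve {host!r}: {exc}") from exc
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    if not addrs:
        raise OutboundUrlRejected(f"no addresses for {host!r}")
    bad = sorted(str(a) for a in addrs if not _is_public_unicast(a))
    if bad:
        raise OutboundUrlRejected(f"{host!r} resolves to non-public {bad}")

    # Pin one vetted address. The caller connects to pinned_ip:port and puts
    # `host` in the Host header and TLS SNI; it must not resolve again.
    pinned_ip = str(sorted(addrs, key=str)[0])
    return pinned_ip, port, host


def is_rejected(url: str) -> bool:
    """Convenience wrapper for tests and delivery-time logging."""
    try:
        vet_outbound_url(url)
    except OutboundUrlRejected:
        return True
    return False


if __name__ == "__main__":
    for candidate in (
        "http://8.8.8.8/hook",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:6379/",
        "gopher://10.0.0.1:6379/_SET",
    ):
        print(candidate, "->", "rejected" if is_rejected(candidate) else "ok")
```

Run this at every webhook delivery and every preview fetch, not only at save time, and disable automatic redirect following in the HTTP client so that each Location target goes back through vet_outbound_url before the next hop is connected to; an allowlist of destination ports (80 and 443) on top of the address check stops the bit-leak port scan that a delivery-status page would otherwise enable.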