Start Free

Block SSRF Attacks — Prevent Attackers from Pivoting to Your Cloud

Server-Side Request Forgery lets attackers turn your server into a proxy — reaching internal services, cloud metadata, and private APIs. PowerWAF blocks every SSRF vector at the edge before the request leaves your perimeter.

Start with a Free Plan See How It Works

Limited free plan spots available

OWASP A10:2021

Your Server Is the Attack Vector

SSRF attacks exploit server-side functionality that fetches URLs, processes webhooks, or generates previews. The attacker provides a malicious URL that points to internal resources — cloud metadata endpoints, private databases, admin panels, or internal APIs. Because the request originates from your own trusted server, it bypasses firewalls, security groups, and network ACLs entirely.

65% of cloud breaches involve some form of SSRF or internal service exploitation as the initial pivot point

The consequences are catastrophic: leaked IAM credentials, lateral movement across your cloud, data exfiltration from internal databases, and full infrastructure compromise — all from a single forged request. Input validation alone is not enough when attackers use DNS rebinding, IP obfuscation, and URL scheme abuse.

OWASP A10:2021 CWE-918 (SSRF)

How Attackers Exploit SSRF

Five SSRF techniques that turn your server into a gateway to your entire internal network.

☁️

Cloud Metadata Theft

Targeting cloud metadata endpoints to steal IAM credentials, API keys, and instance configuration.

http://169.254.169.254/latest/meta-data/iam/security-credentials/
🌐

Internal Service Access

Reaching internal APIs, admin panels, and databases that are only accessible from the private network.

http://192.168.1.1:8080/admin/debug
📂

URL Scheme Abuse

Using file://, gopher://, dict://, and other schemes to read local files or interact with internal services.

file:///etc/passwd
🔄

DNS Rebinding

Attacker-controlled domains that resolve to public IPs initially, then switch to internal IPs after security checks pass.

attacker.com → 1.2.3.4 → 127.0.0.1
🕶️

Blind SSRF

Requests that don't return data directly but allow port scanning, service enumeration, and triggering internal actions.

http://10.0.0.1:6379/SET+key+value

How PowerWAF Stops Every SSRF Vector

Five protection layers designed specifically to catch SSRF — including obfuscated and zero-day variants.

🛡️

Internal IP Blocking

Automatically blocks requests targeting private IP ranges (10.x, 172.16.x, 192.168.x), loopback addresses, link-local ranges, and cloud metadata IPs — including hex, octal, and decimal-encoded variants.

Stops cloud metadata theft and internal access
🔍

URL Scheme Validation

Restricts allowed URL schemes to http:// and https://. Blocks file://, gopher://, dict://, ftp://, and other dangerous protocols before they reach your application.

Stops protocol-based SSRF and local file reads
🧬

DNS Rebinding Protection

Re-validates resolved IP addresses at connection time, not just at lookup time. Catches domains that switch from public to internal IPs after the initial DNS response.

Stops DNS rebinding bypass attacks
📋

URL Allowlist Enforcement

Define which external domains and paths your application is allowed to request. Everything else is blocked by default — eliminating open redirect chains and unexpected outbound requests.

Stops blind SSRF and redirect chains
🧠

Payload Deobfuscation

Decodes IP obfuscation techniques — hex encoding (0x7f000001), octal (0177.0.0.1), decimal (2130706433), IPv6 mapping, and URL encoding — before evaluating the request.

Stops obfuscated SSRF bypasses

Protected in Minutes, Not Months

No code changes. No server reconfiguration. No library updates.

1

Point DNS

Change your DNS records to route traffic through PowerWAF. No server changes needed.

2

Instant Protection

PowerWAF immediately inspects all traffic and blocks SSRF attacks at the edge in real time.

3

Monitor Everything

Real-time dashboard shows blocked SSRF attempts, targeted endpoints, and attacker patterns.

Ideal for cloud-native applications, webhook processors, and any service that fetches external URLs.

See PowerWAF in Action

Real-time view of SSRF attacks being detected and blocked at the edge — before they reach your internal infrastructure.

powerwaf-access-log — live
09:41:12 BLOCKED 198.51.100.87 GET /api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ → SSRF: Cloud metadata access
09:41:13 BLOCKED 198.51.100.23 POST /webhook/preview → SSRF: gopher://127.0.0.1:6379/_SET+pwned+true
09:41:14 ALLOWED 203.0.113.50 GET /api/fetch?url=https://cdn.example.com/image.png → Legitimate external fetch
09:41:15 BLOCKED 203.0.113.42 GET /proxy?target=http://0x7f000001:8080/admin → SSRF: Hex-encoded loopback
09:41:16 BLOCKED 198.51.100.87 POST /api/import → SSRF: file:///etc/shadow in body
09:41:17 ALLOWED 198.51.100.12 GET /api/weather?city=london → Valid API request
09:41:18 BLOCKED 198.51.100.23 GET /render?url=http://attacker.com → SSRF: DNS rebinding (resolved to 10.0.0.5)
09:41:19 ALLOWED 203.0.113.50 POST /api/webhooks/stripe → Verified webhook callback
09:41:20 BLOCKED 203.0.113.42 GET /fetch?u=http://[::ffff:127.0.0.1]:3000/env → SSRF: IPv6-mapped loopback
09:41:21 BLOCKED 198.51.100.87 GET /api/screenshot?url=http://192.168.1.1:8443/admin/config → SSRF: Internal network scan

Simulated log showing how PowerWAF blocks SSRF attempts while allowing legitimate outbound requests through.

Proven Protection at Scale

< 5 min Average setup time — DNS change only
0 Lines of code to change in your application
24/7 Real-time monitoring and automatic blocking

Real-World Scenarios

Cloud-Native App with Webhook Processing

A SaaS platform accepts webhook URLs from customers for event notifications. An attacker submits a webhook URL pointing to the AWS metadata endpoint, extracting IAM credentials. PowerWAF blocks any URL targeting internal or cloud metadata addresses before the request is processed.

PDF Generator with URL Input

A reporting service generates PDFs from user-provided URLs. Attackers abuse this to read internal files via file:/// or access internal dashboards. PowerWAF restricts URL schemes and blocks requests targeting private IP ranges — keeping the service safe without code changes.

Microservices Behind a Load Balancer

An image proxy service fetches remote images for resizing. Attackers craft URLs that resolve to internal microservice endpoints via DNS rebinding. PowerWAF re-validates resolved IPs at connection time, catching rebinding attacks that pass initial checks.

Works with any web platform

Node.js
Python / Django
Java / Spring
Ruby on Rails
PHP / Laravel
Go
ASP.NET
React / Next.js
WordPress
Custom Apps

Frequently Asked Questions

What is SSRF (Server-Side Request Forgery)?
SSRF is an attack where an attacker tricks a server into making HTTP requests to unintended destinations — such as internal services, cloud metadata endpoints (169.254.169.254), databases, or private APIs. Because the request originates from the trusted server itself, it bypasses firewalls and network ACLs. SSRF is classified under OWASP A10:2021.
How does PowerWAF block SSRF attacks?
PowerWAF inspects every outbound-triggering request at the application layer. It blocks requests targeting internal IP ranges (10.x, 172.16.x, 192.168.x, 127.0.0.1), cloud metadata endpoints (169.254.169.254), and dangerous URL schemes (file://, gopher://, dict://). It also detects DNS rebinding attempts and obfuscated IP representations like hex-encoded or octal addresses.
Can SSRF be used to steal cloud credentials?
Yes. One of the most dangerous SSRF attack patterns targets cloud metadata services at 169.254.169.254. On AWS, this endpoint exposes IAM role credentials, instance identity, and network configuration. A successful SSRF attack can extract temporary access keys that allow the attacker to pivot across your entire cloud environment. PowerWAF blocks all requests to metadata endpoints automatically.
Does PowerWAF protect against blind SSRF?
Yes. Blind SSRF attacks don't return data directly to the attacker but can still be used for port scanning, internal service discovery, and triggering actions on internal systems. PowerWAF detects and blocks these by analyzing request patterns, monitoring for internal IP targeting, and applying behavioral rules that catch reconnaissance-style requests.
What is DNS rebinding and how does PowerWAF stop it?
DNS rebinding is a technique where an attacker controls a domain that initially resolves to a public IP but then switches to an internal IP (like 127.0.0.1 or 169.254.169.254) after the initial security check passes. PowerWAF mitigates this by re-validating resolved IP addresses at connection time and blocking any requests that resolve to internal or reserved IP ranges.
Do I need to change my application code?
No. PowerWAF operates as a reverse proxy in front of your application, inspecting all incoming traffic before it reaches your server. SSRF protection is active immediately after you point your DNS to PowerWAF — no code changes, no library updates, no server reconfiguration required.
Can PowerWAF protect APIs from SSRF?
Yes. APIs that accept URLs as input parameters — such as webhook endpoints, image fetchers, PDF generators, and URL preview services — are prime SSRF targets. PowerWAF inspects these parameters and blocks any that target internal resources, metadata endpoints, or use dangerous URL schemes.

Explore More WAF Protection

PowerWAF covers the full OWASP Top 10. Explore protection for other attack categories.

Cloud Metadata SSRF Protection

Protect AWS and Azure metadata endpoints from SSRF exploitation.

Open Redirect & SSRF

Stop open redirect chains that lead to SSRF attacks with one WAF rule.

CSRF Attack Prevention

Prevent cross-site request forgery on every state-changing request.

Protect Your Infrastructure Today

No credit card required. No code changes. Set up in under 5 minutes.

Start with a Free Plan See Prices

Limited free plan spots available