SSRF and Vulnerable Components
Server-Side Request Forgery (SSRF)
SSRF (Server-Side Request Forgery, CWE-918) is a vulnerability that has become significant enough for the OWASP Top 10 to give it a category of its own (A10:2021). It occurs when an application fetches a remote resource from a user-supplied URL without validating it. The attacker gets the server to make requests on their behalf, exploiting the server's privileged position within the network.
What makes SSRF so dangerous is that the server usually has access to internal resources the attacker cannot reach directly: services on the internal network, databases, admin panels, or, in cloud environments, the metadata endpoints that expose the instance's temporary credentials. An SSRF can thus become the gateway to the internal network or to the theft of cloud credentials, escalating from a seemingly harmless parameter to a serious infrastructure compromise.
How to Prevent SSRF
The most robust defense against SSRF is to never trust user-supplied URLs for server-side requests. When the functionality requires it, validate the URL with a strict allow-list: only explicitly authorized domains and paths, instead of trying to block the dangerous ones with a deny-list, which can always be bypassed.
As additional layers, resolve the destination hostname and validate the resulting IP address to block internal, link-local, and loopback ranges; disable automatic redirects or validate each redirect target in the same way; and restrict the allowed protocols to http and https. At the network level, apply segmentation and outbound firewall rules so that, even if an SSRF occurs, the server cannot reach sensitive internal services. In the cloud, use the hardened version of the instance metadata service (one that requires a session token rather than answering a plain GET request). The combination of input validation and network segmentation is the appropriate defense in depth.
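As an added illustration of the allow-list and destination-IP checks described above (example code written for this section, not from the original text): a small Python validator that an outbound HTTP client would call before fetching a user-supplied URL. The allow-listed host names and the DNS table are constructed for the example; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list for this example: the only hosts the server may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback, RFC 1918,
    link-local (169.254.169.254 is the cloud metadata endpoint), multicast and
    reserved ranges, for IPv4 and IPv6 alike."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def resolve_all(host: str):
    """Default resolver: every A/AAAA answer for the host, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_outbound_url(url: str, resolver=resolve_all) -> str:
    """Check a user-supplied URL before the server fetches it and return the resolved
    IP the HTTP client must connect to (pinning it closes the DNS-rebinding window
    between check and use). The client must also disable redirects or re-run this
    check on every hop. Raises ValueError on any violation."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allow-list: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # An allow-listed name can still point inside the network: reject if any answer is internal.
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs[0]

# Constructed DNS table so the example runs offline; production code keeps resolve_all.
FAKE_DNS = {"api.example.com": ["93.184.216.34"],
            "cdn.example.com": ["169.254.169.254"]}  # allow-listed name pointing at metadata

def fake_resolver(host: str):
    return FAKE_DNS.get(host, [])
```

The second entry in the constructed table shows why the IP check is a separate layer: a host that passes the allow-list can still resolve to the metadata range, and the validator rejects it on that basis.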
Insecure Deserialization
Insecure deserialization (CWE-502) occurs when an application reconstructs objects from serialized data that comes from an untrusted source. Serialization converts objects into a transmittable format; deserialization reconstructs them. If an attacker can manipulate the serialized data, in some languages and libraries they can manipulate which objects are created and which methods are invoked during the reconstruction process.
The impact can reach remote code execution on the server, one of the worst possible scenarios. The primary prevention is to avoid deserializing untrusted data whenever possible. When you need to exchange data, prefer pure data formats like JSON with strict schemas, instead of the language's native object serialization. If you must deserialize objects, cryptographically sign the data to verify its integrity, restrict the types that can be deserialized, and run the process with the least possible privileges.
Vulnerable Components and Dependencies
Modern applications are built on hundreds of third-party libraries. The OWASP Top 10 dedicates category A06:2021 — Vulnerable and Outdated Components to this risk, and it is enormous precisely because of its scale: a single vulnerable dependency, possibly one you did not even know you had (a transitive dependency), can compromise the entire application. Historical incidents such as the vulnerabilities in widely used frameworks and libraries affected thousands of organizations simultaneously.
The problem is aggravated because dependencies become outdated silently. A library that was secure when you added it may have a vulnerability discovered months later. Without a process to detect and update these components, you accumulate invisible security debt. Client-side vulnerabilities also fit here, where third-party scripts loaded on your page can be compromised.
Supply Chain Security
Supply chain security consists of managing the risk introduced by all the external components your software depends on. The first step is visibility: keep an up-to-date inventory of all your dependencies, ideally generating an SBOM (Software Bill of Materials) that lists each component and its version.
On that basis, integrate software composition analysis (SCA) into your development pipeline: tools that compare your dependencies against databases of known vulnerabilities (CVEs) and alert you when a new one appears. Automate security updates, pin versions to avoid unexpected changes, and verify the integrity of the packages you download. Reduce your attack surface by removing dependencies you do not use. Combine this with the tools we have mentioned throughout the course (Burp Suite, OWASP ZAP, and SAST/DAST scanners) for a complete posture. Your application is only as secure as its weakest component, even if that component was written by someone else.