VibeSec
Critical (9.1): Extreme danger

Server-Side Request Forgery (SSRF)

A10:2025 | Active check | CVSS 9.1

Critical impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.

What it is

The server fetches an attacker-controlled URL; the finding is confirmed when that request reaches the cloud metadata service, which exposes IAM credentials.

How attackers abuse it

The attacker makes your server send requests on their behalf. They reach internal services and cloud metadata endpoints that are not exposed to the internet, often stealing cloud credentials.

Attacker playbook

  1. Find a feature where the server fetches a URL you control (webhooks, image import, link preview).
  2. Point it at an internal address or the cloud metadata endpoint.
  3. Read internal responses or steal cloud credentials, then pivot.

How VibeSec detects and confirms it

VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native and Nuclei (+ interactsh OOB). When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.


If this is in your report: how to fix it

  • Validate and allow-list the destinations your server may call.
  • Block requests to internal and metadata IP ranges.
  • Require authentication on internal services and disable unused URL schemes.
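As an added example (not VibeSec's code), here is an outbound-URL check in Python that applies the three fixes above together: a scheme allow-list, a hostname allow-list, and a block on internal and metadata ranges applied to the resolved address rather than the hostname. The allow-listed hostnames and the injectable resolver are assumptions so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: validate a URL before a webhook / link-preview / image-import
# feature fetches it. ALLOWED_HOSTS is a constructed allow-list and `resolver`
# is injectable so the check runs offline; neither comes from VibeSec.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "images.example.net"}

# Internal and metadata ranges. 169.254.0.0/16 covers the IMDS address used by
# the major clouds; 100.64.0.0/10 (CGNAT) covers Alibaba's metadata address.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback / "this" host
    "169.254.0.0/16", "100.64.0.0/10",                 # link-local + IMDS, CGNAT
    "::1/128", "fc00::/7", "fe80::/10", "fd00:ec2::254/128",
)]

def _default_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def _is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before range checks.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

def check_outbound_url(url, resolver=_default_resolver):
    """Return (allowed, reason, resolved_ip). Callers should connect to the
    returned IP, not re-resolve the hostname, so a DNS-rebinding second lookup
    cannot swap in an internal address after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list", None
    try:
        ips = resolver(host)
    except (socket.gaierror, OSError):
        return False, "host did not resolve", None
    for ip in ips:
        if _is_blocked(ip):  # the allow-listed name itself may point inward
            return False, f"resolves to blocked address {ip}", None
    return True, "ok", ips[0]
```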

Check your site for this

Run a scan and see whether this affects you, in plain language with copy-paste fixes.
