ssrf

Server-Side Request Forgery (A10:2021)

Analyze source code for server-side request forgery (SSRF) vulnerabilities, including URL fetching from user input, missing URL validation, internal network access, redirect following, DNS rebinding, and cloud metadata endpoint access. SSRF is especially critical in cloud environments, where metadata endpoints expose credentials and instance configuration.

Supported Flags

Read ../../shared/schemas/flags.md for the full flag specification. This skill supports all cross-cutting flags. Key flags for this skill:

  • --scope determines which files to analyze (default: changed)
  • --depth standard reads code and checks URL fetch calls for user-controlled input
  • --depth deep traces URL input from request parameters through all transformations to fetch calls
  • --severity filters output (SSRF to cloud metadata is critical, general SSRF is high)

Framework Context

Installs: 49
GitHub Stars: 9
First Seen: Feb 28, 2026