The Ghost in the Machine: Defeating Redirect SSRF in Go
In the world of web security, we often talk about Server-Side Request Forgery (SSRF) as a direct attack: an attacker tells a server to fetch http://localhost:8080, and the server blindly obeys. Most developers now know to check the initial URL to ensure it doesn't point to a private IP.
But there is a more subtle, "ghostly" version of this attack that relies on the way HTTP clients handle redirects. It’s a fascinating look at how trust can be exploited across different layers of the network stack, and it shows why a simple IP check on the initial URL is rarely enough.
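As an added example (not code from the original post), here is one way in Go to make every redirect hop pass the same internal-address check as the initial URL, using the standard `http.Client.CheckRedirect` hook; `blockedCIDRs`, `isBlockedIP`, `checkURL` and `newSafeClient` are names chosen for this illustration, and the range list is an assumption you should adapt to your own network.

```go
package main
import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Ranges a fetcher must never reach: unspecified, loopback, RFC 1918, link-local
// (home of the 169.254.169.254 cloud metadata address) and IPv6 equivalents.
var blockedCIDRs = []string{"0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10"}
// isBlockedIP fails closed on nil; IPNet.Contains also catches ::ffff:10.0.0.5 forms.
func isBlockedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	for _, c := range blockedCIDRs {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkURL rejects u if its host is, or resolves to, a blocked address.
func checkURL(u *url.URL) error {
	host := u.Hostname()
	ips, err := net.LookupIP(host) // a literal IP is returned as-is, no DNS query
	if err != nil {
		return err
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("refusing %s: %s is an internal address", host, ip)
		}
	}
	return nil
}

// newSafeClient re-runs checkURL on every redirect hop, so a public host that answers
// "302 Location: http://169.254.169.254/" is refused. Check the initial URL too.
func newSafeClient() *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return fmt.Errorf("stopped after %d redirects", len(via))
		}
		return checkURL(req.URL)
	}}
}
```

Note that the transport resolves the hostname again when it dials, so a DNS answer that changes between the check and the connect (rebinding) can still slip past this hook; a stricter variant validates the already-resolved address inside a custom `net.Dialer.Control` callback.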