A web API is vulnerable to Server-Side Request Forgery (SSRF), also known as Cross-Site Port Attack (XSPA), if it uses user-controlled input to fetch remote or local resources without validation. SSRF flaws occur when an API fetches a resource from a user-supplied URL or path without validating it first. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination (especially internal or local ones), bypassing firewalls or VPNs because the request originates from the server itself.
For example, let's say we have permission to access an API that shows us products and product photos. When we request product info, we also get the path to its photo. If we can modify that path, we can choose any file we want to read, such as /etc/passwd. Once the path is updated, calling the API that returns the photo gives us the contents of /etc/passwd instead.
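As an added example (not code from the original text), the following Python shows a naive photo-path check of the kind that lets the flow above through, next to a hardened validator. It assumes a hypothetical allowlisted CDN host and uses a constructed DNS table so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist: the only origin the photo service should ever fetch from.
ALLOWED_HOSTS = {"cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS table so the example runs offline. A real deployment would use
# socket.getaddrinfo() and must connect to the address it validated, otherwise
# DNS rebinding can swap the answer between the check and the fetch.
FAKE_DNS = {
    "cdn.example.com": "93.184.216.34",     # constructed public address
    "evil.example.net": "169.254.169.254",  # resolves to a link-local address
}


def naive_photo_check(user_path: str) -> bool:
    """Insufficient check: only looks at the file extension, so values such as
    'file:///etc/passwd' with a fake suffix or 'https://evil.example.net/a.jpg'
    are accepted and handed straight to the fetcher."""
    return user_path.lower().endswith((".jpg", ".png"))


def validate_photo_url(user_path: str, resolve=FAKE_DNS.get):
    """Hardened check: returns (ok, reason). Accepts only an https URL whose
    host is allowlisted and resolves to a public (non-internal) address."""
    parsed = urlparse(user_path)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host}"
    if parsed.username or parsed.password:
        # user@host tricks are caught by hostname parsing above, but reject
        # credentials explicitly so they never reach the fetcher.
        return False, "credentials in URL not allowed"
    ip = resolve(host.lower())
    if ip is None:
        return False, "host did not resolve"
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        # Covers loopback, RFC 1918, link-local (e.g. cloud metadata), etc.
        return False, f"host resolves to non-public address {ip}"
    return True, "ok"
```

The fetcher itself should also refuse to follow redirects, since a redirect from the allowlisted host would otherwise bypass every check above.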