One of your services fetches a URL supplied by the user — for previews or webhooks. Walk me through why that's dangerous in the cloud and how you'd defend it properly.

technical-conceptual · Senior level · cloud-devops-security

What the interviewer is really asking

Assesses whether the candidate understands SSRF — especially the cloud-specific escalation to the instance metadata endpoint to steal credentials (the Capital One pattern) — and can layer real defenses: allowlisting over denylisting, enforcing IMDSv2 and disabling IMDSv1, and network egress controls, rather than blocking obvious internal IPs.

What to say

What to avoid

Example answers

Strong: The cloud danger isn't just hitting an internal service — it's that the server can be steered at the instance metadata endpoint and made to read the workload's credentials, which is the Capital One pattern. So at the app layer I allowlist the destinations the feature is actually allowed to fetch rather than denylisting internal IPs, because denylists fall to DNS rebinding, redirects, and weird IP encodings — and I re-resolve and re-check the address and refuse redirects to non-allowlisted hosts. Then defense-in-depth: enforce IMDSv2 and actually disable IMDSv1, so a basic SSRF can't read metadata at all, and lock the service's egress to only what it needs.

Weak: I'd validate the URL and block requests to localhost and the private IP ranges like 10.x and 192.168.x so it can't hit our internal network, and make sure the input is a well-formed URL before we fetch it. That stops it from reaching internal services.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.