ATR-2026-00013 | critical | Tool Poisoning | experimental

SSRF via Agent Tool Calls

Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls. Attackers manipulate agents into making requests to internal network endpoints, cloud metadata services, localhost, or private IP ranges through tool parameters. Detection covers: AWS/GCP/Azure/DigitalOcean metadata endpoints, localhost and loopback variants (including decimal, hex, octal IP encoding), private RFC1918 ranges, internal hostnames, exotic URI schemes (file, gopher, dict, tftp, ldap), DNS rebinding indicators, redirect-based SSRF patterns, cloud-specific IMDS token headers, IPv6 loopback and mapped addresses, and hostname-based internal service discovery. IP encoding evasion techniques (decimal, octal, hex) are specifically addressed.
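A sketch of the IP-encoding normalization this description refers to, as an added example and not the ATR rule's own logic: it decodes decimal, hex and octal IPv4 forms and IPv4-mapped IPv6 before classifying a tool-call URL. The function names and returned labels are assumptions made for this example; it performs no DNS resolution, so DNS rebinding and redirect-based patterns are outside what it checks.

```python
import ipaddress
from urllib.parse import urlsplit

# Scheme and hostname lists follow the rule description; the labels are hypothetical.
EXOTIC_SCHEMES = {"file", "gopher", "dict", "tftp", "ldap"}
METADATA_NAMES = {"metadata.google.internal"}

def parse_legacy_ipv4(host):
    """Decode inet_aton-style IPv4: 1-4 parts, each decimal, 0x-hex or 0-octal."""
    nums = []
    try:
        for p in host.split("."):
            if not p.isalnum():
                raise ValueError(p)
            base = 16 if p[:2] in ("0x", "0X") else 8 if len(p) > 1 and p[0] == "0" else 10
            nums.append(int(p, base))
    except ValueError:
        return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if len(nums) > 4 or max(head, default=0) > 255 or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def ssrf_reason(url):
    """Return a label if a tool-call URL targets an internal destination, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in EXOTIC_SCHEMES:
        return "exotic-scheme"
    host = (parts.hostname or "").rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    if host in METADATA_NAMES:
        return "cloud-metadata"
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # IPv6 literals such as ::1
        except ValueError:
            return None  # ordinary hostname: not resolved here
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "cloud-metadata" if str(ip) == "169.254.169.254" else "link-local"
    return "private-range" if ip.is_private else None
```

Call `ssrf_reason` on every URL-valued tool parameter before the request is issued; a non-`None` label is the point at which the response actions listed for this rule would apply.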

Severity
critical
Category
Tool Poisoning
Scan Target
both
Author
ATR Community

Response Actions

block tool, alert, snapshot, kill agent

References

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
OWASP LLM
LLM06:2025 - Excessive Agency
LLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application