ATR-2026-00013 | critical | Tool Poisoning | experimental

SSRF via Agent Tool Calls

Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls. Attackers manipulate agents into making requests to internal network endpoints, cloud metadata services, localhost, or private IP ranges through tool parameters. Detection covers: AWS/GCP/Azure/DigitalOcean metadata endpoints, localhost and loopback variants (including decimal, hex, octal IP encoding), private RFC1918 ranges, internal hostnames, exotic URI schemes (file, gopher, dict, tftp, ldap), DNS rebinding indicators, redirect-based SSRF patterns, cloud-specific IMDS token headers, IPv6 loopback and mapped addresses, and hostname-based internal service discovery. IP encoding evasion techniques (decimal, octal, hex) are specifically addressed.
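The IP-encoding evasion the description mentions only becomes visible once the host is normalized before range checks. The sketch below is an added illustration, not the ATR rule's own detection logic; the function names, finding labels and internal hostname suffixes are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

EXOTIC_SCHEMES = {"file", "gopher", "dict", "tftp", "ldap"}  # named in the rule description
INTERNAL_SUFFIXES = (".localhost", ".internal", ".local")    # assumed naming, adjust locally


def loose_ipv4(host):
    """Parse IPv4 the way inet_aton-style clients do: 1-4 parts, each decimal,
    0x-hex or 0-octal, with the last part filling the remaining bytes."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        nums = [int(p, 16) if p.lower().startswith("0x")
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p, 10) for p in parts]
    except ValueError:
        return None  # ordinary hostname or malformed number
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):
        last += n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)


def classify_url(url):
    """Return SSRF findings for one URL taken from a tool-call parameter."""
    parts = urlsplit(url)
    findings = ["exotic-scheme"] if parts.scheme.lower() in EXOTIC_SCHEMES else []
    host = (parts.hostname or "").rstrip(".")
    ip = loose_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)             # IPv6 literals
            ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        except ValueError:
            pass
    if ip is not None:
        if str(ip) != host:
            findings.append("encoded-ip")  # decimal/hex/octal/short or mapped form
        for label in ("loopback", "link_local", "private"):
            if getattr(ip, "is_" + label):
                findings.append(label)
                break
    elif host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        findings.append("internal-hostname")
    return findings
```

The check is purely lexical: it does not resolve DNS, so rebinding and redirect-based cases need a separate control at connection time.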

Severity
critical
Category
Tool Poisoning
Scan target
both
Author
ATR Community

Recommended response

block tool, alert, snapshot, kill agent

References

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
OWASP LLM
LLM06:2025 - Excessive Agency
LLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application