SSRF via Agent Tool Calls - ATR-2026-00013 (29ca7067-b6bd-50af-90b7-d7b1c2db07b3)
Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls. Attackers manipulate agents into making requests to internal network endpoints, cloud metadata services, localhost, or private IP ranges through tool parameters. Detection covers: AWS/GCP/Azure/DigitalOcean metadata endpoints, localhost and loopback variants (including decimal, hex, octal IP encoding), private RFC1918 ranges, internal hostnames, exotic URI schemes (file, gopher, dict, tftp, ldap), DNS rebinding indicators, redirect-based SSRF patterns, cloud-specific IMDS token headers, IPv6 loopback and mapped addresses, and hostname-based internal service discovery. IP encoding evasion techniques (decimal, octal, hex) are specifically addressed.