SSRF

Server-side request forgery

SSRF is an attack vector that abuses a server-side application into making requests to the internal or external network, or to the local machine itself, on the attacker's behalf. As the name suggests, the forged request originates from the server, so it carries the server's network position and trust. One of the most common enablers of this vector is the mishandling of user-supplied URLs, as in the following examples:

  • Image on an external server (for example, the user inputs the URL of their avatar image for the application to download and use).

  • Custom WebHook (users need to specify WebHook handlers or callback URLs).

  • Internal requests to another service to fulfil a specific piece of functionality. Most of the time, user data is forwarded to that service for processing, and if it is not validated, the attacker can inject into the request the server sends to the internal service.
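The defensive counterpart to the three scenarios above is to validate every user-supplied URL before the server fetches it. The following is an added example, not code from the original page: a validator for an avatar-download or webhook feature that pins the scheme and port, rejects embedded credentials, resolves the hostname, and refuses any answer that is not a public unicast address (loopback, RFC 1918, link-local such as the cloud metadata range, IPv4-mapped IPv6 and so on). The function names, the `FAKE_DNS` table and every sample URL and address are constructed for the illustration; the resolver is injectable so the checks can be exercised offline.

```python
"""Outbound-URL validation for a server-side fetch feature (added example).

All names, sample URLs and DNS answers here are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged by its IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC 1918, link-local (169.254/16,
    # where cloud metadata endpoints live), CGNAT and the reserved ranges;
    # multicast is excluded explicitly because is_global does not cover it.
    return ip.is_global and not ip.is_multicast


def default_resolver(hostname):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, detail). ok is False for anything that could reach a
    non-public address; detail carries the reason or the resolved addresses."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    if parsed.username or parsed.password:
        return False, "credentials in URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    # The host may be an IP literal ("127.0.0.1", "[::1]", "[::ffff:10.0.0.1]").
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is a subclass
            addresses = []
        if not addresses:
            return False, f"cannot resolve host: {host}"

    # Every address the name maps to must be public: a single internal record
    # in a round-robin answer is enough to steer the fetch inside the network.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, ",".join(addresses)


# Constructed DNS answers so the validator can be exercised offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                 # public only
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # mixed answer
    "metadata.example.com": ["169.254.169.254"],          # link-local
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def demo():
    """Run the validator over constructed URLs; returns {url: ok}."""
    cases = [
        "https://cdn.example.com/avatar.png",
        "http://127.0.0.1/admin",
        "http://[::1]/",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example.com/",
        "http://metadata.example.com/latest/",
        "file:///etc/passwd",
        "http://cdn.example.com:8080/",
        "http://user:pw@cdn.example.com/",
        "http://unknown.example.com/",
    ]
    return {url: validate_outbound_url(url, fake_resolver)[0] for url in cases}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}")
```

Two caveats follow from the design. The check is only as good as the hop it is applied to, so the HTTP client used for the fetch must not follow redirects automatically; each `Location` must go back through `validate_outbound_url`. And because the name is resolved once at validation time and again by the client at connect time, a DNS answer can change between the two (rebinding); the robust fix is to connect to the address that was validated and send the original hostname in the `Host` header, rather than letting the client resolve the name a second time.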
