From the course: Dynamic Application Security Testing
A10: Server-side request forgery (SSRF) - Burp Suite Tutorial
- [Teacher] The final set of risks in the OWASP Top 10 are server-side request forgery, or SSRF, flaws. These flaws enable attackers to convince internal infrastructure to access or abuse resources that they were never meant to expose externally. SSRF flaws differ slightly from command injection attacks. When exploiting a command injection flaw, an attacker tries to trick an internal system into performing an action on their behalf, something like listing the contents of a directory or adding a local user account. When exploiting an SSRF flaw, the attacker tries to gain access to internal resources or to glean information about the target based on how that request is handled. If an application assumes that every URL that it processes can be trusted, then the likelihood of an SSRF flaw goes way up. This brings us back to the concept of misuse and abuse cases. An attacker can type anything they want into the URL field and as long as…
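The transcript's core point is that an application which trusts every URL it is handed is a good SSRF candidate. The following Python is an added example, not code from the course or from any project it discusses: it contrasts the "use whatever was typed" behaviour with an outbound-URL check that enforces a scheme, a port, a hostname allowlist, and a check on where the name actually resolves. The allowlist entries (`images.example.com`, `api.partner.example`) and the `FAKE_DNS` table are constructed so the example runs offline; a real deployment would resolve through `socket.getaddrinfo()` and connect to the address it validated.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical set of external hosts this application is meant to fetch from (constructed).
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}

# Constructed DNS table so the example runs offline. A real deployment would resolve with
# socket.getaddrinfo() and must connect to the address it checked, not re-resolve later.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["151.101.1.69"],
    "evil.example": ["127.0.0.1"],
}


def fetch_target_unchecked(url):
    """The 'trust every URL' behaviour the transcript warns about: the input is used as-is."""
    return url


def is_public_address(ip_text):
    """True only for globally routable addresses; loopback, private, link-local and
    reserved ranges all return False (ipaddress handles the range tables for us)."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, dns=FAKE_DNS):
    """Return (ok, reason). Passes only when scheme, port, host allowlist and the
    resolved addresses are all acceptable; the reason string explains the first failure."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parsed.scheme
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "port not allowed: %r" % port
    if host not in allowed_hosts:
        return False, "host not in allowlist: %r" % host
    addresses = dns.get(host, [])
    if not addresses:
        return False, "host did not resolve: %r" % host
    # The allowlist alone is not enough: an allowed name can still point at an internal address.
    for addr in addresses:
        if not is_public_address(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://images.example.com/logo.png",
        "file:///etc/hosts",
        "http://127.0.0.1/",
        "https://evil.example/",
        "https://user:secret@images.example.com/",
    ]:
        print(candidate, "->", validate_outbound_url(candidate))
```

The order of the checks matters: cheap syntactic rejections (scheme, credentials, port) come first, the allowlist second, and the resolved-address check last, because the last one is the only layer that catches an allowlisted name that has been pointed at an internal address.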
Contents
- The OWASP Top Ten (3m 16s)
- A1: Broken access control (5m 58s)
- A2: Cryptographic failures (6m 49s)
- A3: Injection (7m 44s)
- A4: Insecure design (5m 30s)
- A5: Security misconfiguration (7m 25s)
- A6: Vulnerable and outdated components (7m 7s)
- A7: Identification and authentication failures (6m 59s)
- A8: Software and data integrity failures (5m 58s)
- A9: Security logging and monitoring failures (6m 54s)
- A10: Server-side request forgery (SSRF) (5m 4s)