SlideShare a Scribd company logo

Ssrf

I
Ilan Mindel

Server-Side Request Forgery (SSRF) refers to an attack where an attacker is able to send a crafted request from a vulnerable web application to target internal systems normally inaccessible from outside. SSRF typically occurs when an attacker has partial or full control over a request being sent by the web application, such as controlling the URL a request is made to. To prevent SSRF, applications should whitelist allowed domains and protocols for requests, and avoid directly using untrusted user input in functions making external requests on the server's behalf.

Internet
1 of 4
1
2
Most read
3
Most read
4
Most read
Web Attacks Vulnerabilities SSRF 1
2 Server-Side Request Forgery (SSRF) SSRF Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Typically Server Side Request Forgery (SSRF) occurs when a web application is making a request, where an attacker has full or partial control of the request that is being sent. A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service.
3 CSRF – Attack Explanation Attack explanation • The Firewall allows all users use HTTP service. • The Firewall blocks SSH request. • The attacker use HTTP service from Web Server to gain SSH Access at the internal network. (Via HTTP the Firewall doesn’t block the request.
4 SSRF Prevention Protection To prevent SSRF vulnerabilities in your web applications it is strongly advised to use a whitelist of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb you should avoid using user input directly in functions that can make requests on behalf of the server. You should also sanitize and filter user input, but it is typically very hard to implement mainly because it is virtually impossible to cover all the different scenarios.

More Related Content

PDF
SSRF workshop
Ivan Novikov
 
PPTX
SSRF exploit the trust relationship
n|u - The Open Security Community
 
PPTX
Deep dive into ssrf
n|u - The Open Security Community
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PPTX
Understanding Cross-site Request Forgery
Daniel Miessler
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PDF
Api security-testing
n|u - The Open Security Community
 
PPTX
Xss attack
Manjushree Mashal
 
SSRF workshop
Ivan Novikov
 
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Deep dive into ssrf
n|u - The Open Security Community
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Understanding Cross-site Request Forgery
Daniel Miessler
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Api security-testing
n|u - The Open Security Community
 
Xss attack
Manjushree Mashal
 

What's hot (20)

PPTX
Cross Site Request Forgery (CSRF) Scripting Explained
Valency Networks
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
PPTX
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPTX
Command injection
penetration Tester
 
PPT
Cross Site Request Forgery
Tony Bibbs
 
PPTX
Getting Started with API Security Testing
SmartBear
 
PPTX
Sql injections - with example
Prateek Chauhan
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
PDF
CSRF Basics
n|u - The Open Security Community
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPTX
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
PDF
HTTP Security Headers
Ismael Goncalves
 
PPTX
Xss ppt
penetration Tester
 
PPTX
Web application security
Kapil Sharma
 
PPTX
Introduction to path traversal attack
Prashant Hegde
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPT
SQL Injection
Adhoura Academy
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
Cross Site Request Forgery (CSRF) Scripting Explained
Valency Networks
 
SSRF For Bug Bounties
OWASP Nagpur
 
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
Command injection
penetration Tester
 
Cross Site Request Forgery
Tony Bibbs
 
Getting Started with API Security Testing
SmartBear
 
Sql injections - with example
Prateek Chauhan
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
CSRF Basics
n|u - The Open Security Community
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
HTTP Security Headers
Ismael Goncalves
 
Xss ppt
penetration Tester
 
Web application security
Kapil Sharma
 
Introduction to path traversal attack
Prashant Hegde
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
SQL Injection
Adhoura Academy
 
Attacking thru HTTP Host header
Sergey Belov
 
Ad

Similar to Ssrf (20)

PDF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PDF
Preventing Web-Proxy Based DDoS using Request Sequence Frequency
IOSR Journals
 
PDF
K017135461
IOSR Journals
 
PDF
Report on xss and do s
mehr77
 
PPTX
TYPES OF CYBER ATTACKS.pptx
RohanMistry15
 
PDF
What are the Denial of Service attacks and what are possible approac.pdf
arjuntelecom26
 
PPTX
Types of attack
RajuPrasad33
 
PDF
Enhancing the impregnability of linux servers
IJNSA Journal
 
PDF
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
PDF
50063
Rui Dong
 
PDF
ECE560 Denial of Service Attacks Fall2020.pdf
TuulTriyason
 
PPT
web _security_ for _confedindality s.ppt
naghamallella
 
PPTX
Cyber Security Acronyms Glossary.pptx
SmartScanner
 
PDF
Protecting Global Records Sharing with Identity Based Access Control List
Editor IJCATR
 
PDF
Different Types of Attacks and Detection Techniques in Mobile Ad Hoc Network
Editor IJCATR
 
PDF
DDoS-bdNOG
Zobair Khan
 
PDF
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
IRJET Journal
 
PDF
Aw36294299
IJERA Editor
 
PDF
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
IJNSA Journal
 
Talking About SSRF,CRLF
n|u - The Open Security Community
 
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
Preventing Web-Proxy Based DDoS using Request Sequence Frequency
IOSR Journals
 
K017135461
IOSR Journals
 
Report on xss and do s
mehr77
 
TYPES OF CYBER ATTACKS.pptx
RohanMistry15
 
What are the Denial of Service attacks and what are possible approac.pdf
arjuntelecom26
 
Types of attack
RajuPrasad33
 
Enhancing the impregnability of linux servers
IJNSA Journal
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
50063
Rui Dong
 
ECE560 Denial of Service Attacks Fall2020.pdf
TuulTriyason
 
web _security_ for _confedindality s.ppt
naghamallella
 
Cyber Security Acronyms Glossary.pptx
SmartScanner
 
Protecting Global Records Sharing with Identity Based Access Control List
Editor IJCATR
 
Different Types of Attacks and Detection Techniques in Mobile Ad Hoc Network
Editor IJCATR
 
DDoS-bdNOG
Zobair Khan
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
IRJET Journal
 
Aw36294299
IJERA Editor
 
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
IJNSA Journal
 
Ad

More from Ilan Mindel (12)

PPTX
Xxe
Ilan Mindel
 
PPTX
Xss
Ilan Mindel
 
PPTX
Sql injection
Ilan Mindel
 
PPTX
Lfi rfi
Ilan Mindel
 
PPTX
Creds extraction
Ilan Mindel
 
PPTX
Tunneling
Ilan Mindel
 
PPTX
Reverse shell
Ilan Mindel
 
PPTX
Responder
Ilan Mindel
 
PPTX
Ports and services
Ilan Mindel
 
PPTX
Password cracking
Ilan Mindel
 
PPTX
Formula injection/DDE/Macro
Ilan Mindel
 
PPTX
Responder PPT
Ilan Mindel
 
Xxe
Ilan Mindel
 
Xss
Ilan Mindel
 
Sql injection
Ilan Mindel
 
Lfi rfi
Ilan Mindel
 
Creds extraction
Ilan Mindel
 
Tunneling
Ilan Mindel
 
Reverse shell
Ilan Mindel
 
Responder
Ilan Mindel
 
Ports and services
Ilan Mindel
 
Password cracking
Ilan Mindel
 
Formula injection/DDE/Macro
Ilan Mindel
 
Responder PPT
Ilan Mindel
 

Recently uploaded (20)

PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
Funds Management Learning Material for Beg
NKKumar16
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 

Ssrf

  • 2. 2 Server-Side Request Forgery (SSRF) SSRF Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Typically Server Side Request Forgery (SSRF) occurs when a web application is making a request, where an attacker has full or partial control of the request that is being sent. A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service.
  • 3. 3 CSRF – Attack Explanation Attack explanation • The Firewall allows all users use HTTP service. • The Firewall blocks SSH request. • The attacker use HTTP service from Web Server to gain SSH Access at the internal network. (Via HTTP the Firewall doesn’t block the request.
  • 4. 4 SSRF Prevention Protection To prevent SSRF vulnerabilities in your web applications it is strongly advised to use a whitelist of allowed domains and protocols from where the web server can fetch remote resources. Also, as a rule of thumb you should avoid using user input directly in functions that can make requests on behalf of the server. You should also sanitize and filter user input, but it is typically very hard to implement mainly because it is virtually impossible to cover all the different scenarios.