Web Security

Server-Side Request Forgery (SSRF)

Risk: Server fetches remote resources without validation. Attackers can access internal resources via SSRF.

Module ID: WEB-SSRF-01
Lab Type: Hands-on
Level: Intermediate+

Overview

Learn to identify SSRF primitives, abuse metadata services, and lock down server-side network access.

Learning Outcomes

  • Recognize SSRF patterns and common sinks
  • Safely parse URLs and handle redirects
  • Restrict egress and block internal address ranges
  • Use allowlists and scheme validation
  • Monitor egress anomalies and failures

Hands-on Labs

Exploit SSRF on a safe target, then add parsing hardening and network egress controls.

Defenses

Containerized egress policies, SSRF proxies, and strict DNS/IP validations.
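
The parsing, allowlist and DNS/IP checks named above can be combined into a single pre-fetch gate. The sketch below is an added example, not part of the module's lab code; the allowlisted host, the HTTPS-only policy and the function names are assumptions, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}             # assumption: the fetcher is HTTPS-only
ALLOWED_HOSTS = {"images.example.com"}  # hypothetical allowlist entry


def system_resolver(host):
    """Return every address the host resolves to (A and AAAA)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_url(url, resolve=system_resolver):
    """Return (ok, detail): the resolved IP list on success, else the reason."""
    try:
        parts = urlsplit(url)
        port = parts.port               # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        # Blocks "https://allowed-host@internal-host/" style confusion
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "port not allowed"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError):
        return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    for ip in addrs:
        # Unwrap ::ffff:a.b.c.d so an IPv4-mapped address is judged as IPv4
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:            # loopback, private, link-local, etc.
            return False, f"non-public address {ip}"
    return True, [str(a) for a in addrs]
```

Connect to the returned addresses instead of resolving the name a second time, and disable automatic redirects so that every Location target passes through check_url before it is followed.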