What is Server-side Request Forgery (SSRF)?

Twitter: @webpwnized

Thank you for watching. Please upvote and subscribe.

Server-side request forgery (aka SSRF) is a web (or mobile) application security vulnerability that may allow an attacker to trick the server-side application into making HTTP requests to an unintended location. The attacker may be able to access sensitive information, download data from systems behind firewalls, process unintended transactions, or access sensitive functionality that should have been off-limits.

SSRF is a type of insecure direct object reference, which is itself an access control failure. The video discusses the issue in detail and shows a live demonstration.
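The mitigation implied by the description above is to stop the server from fetching attacker-chosen locations. The following is an added example, not code from the video or from the Mutillidae project: a deny-by-default check that a user-supplied URL must pass before the application makes the outbound request. The allowlisted hostnames and the sample URLs are constructed for illustration.

```python
"""Illustrative SSRF guard: validate a user-supplied URL before the server fetches it.

Hypothetical names: ALLOWED_HOSTS and ALLOWED_SCHEMES are assumptions for this
example, not settings from any real application.
"""
import ipaddress
from urllib.parse import urlparse

# Hosts this application is permitted to call on the user's behalf (constructed).
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_disallowed_address(host: str) -> bool:
    """True if host is an IP literal in a range a web app should not fetch from.

    Hostnames that are not IP literals return False here and are decided by
    the allowlist in validate_outbound_url instead.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default: scheme and host must both pass."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    # .hostname is lowercased and has userinfo, port and IPv6 brackets removed,
    # so the checks below see the host the client library would actually connect to.
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if is_disallowed_address(host):
        return False, f"address range not allowed: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"
    return True, "ok"


def fetch_guarded(url: str, fetcher) -> str:
    """Wrap an HTTP client call so it only runs for URLs that pass validation."""
    allowed, reason = validate_outbound_url(url)
    if not allowed:
        raise ValueError(f"blocked outbound request: {reason}")
    return fetcher(url)


if __name__ == "__main__":
    # Constructed sample inputs: one permitted URL and several that must be refused.
    samples = [
        "https://api.example.com/v1/items",
        "http://127.0.0.1/status",
        "http://10.0.0.5/",
        "ftp://api.example.com/",
        "http://other.example.net/",
    ]
    for s in samples:
        print(s, "->", validate_outbound_url(s))
```

The check is only as good as the allowlist behind it; a guard that merely blocks private address ranges still lets the server be pointed at any public host, which is why the example refuses everything not explicitly permitted. Name-based checks are evaluated before DNS resolution, so deployments that need stronger guarantees should additionally restrict egress at the network layer.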

Features
Has over 40 vulnerabilities and challenges. Contains vulnerabilities for all of the OWASP Top Ten 2007, 2010, 2013 and 2017
Actually Vulnerable (User not asked to enter “magic” statement)
Hints, tutorials, and video tutorials are built into the project
Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP, and is available as a Docker build and as pre-built Docker containers
Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
System can be restored to default with single-click of “Reset” button
User can switch between secure and insecure modes
Used in many training courses, universities, and as an “assess the assessor” target for vulnerability software
Updated frequently