Twitter: @webpwnized

Thank you for watching. Please upvote and subscribe.

Server-side request forgery (aka SSRF) is a web (or mobile) application security vulnerability that may allow an attacker to trick the server-side application into making HTTP requests to an unintended location. The attacker may be able to access sensitive information, download data from systems behind firewalls, process unintended transactions, or access sensitive functionality that should have been off-limits.

SSRF is a type of insecure direct object reference which itself is an access control failure. The video discusses the issue in detail and shows a live demonstration.

The lab is from Mutillidae II: [ Ссылка ]. OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets.

Features
Has over 40 vulnerabilities and challenges. Contains vulnerabilities for all of the OWASP Top Ten 2007, 2010, 2013 and 2017
Actually Vulnerable (User not asked to enter “magic” statement)
Hints, tutorials, and video tutorials are built into the project
Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP, and is available as a Docker build, and pre-built Docker containers
Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
System can be restored to default with single-click of “Reset” button
User can switch between secure and insecure modes
Used in many training courses, universities, and as an “assess the assessor” target for vulnerability software
Updated frequently

свернуть