Course: Learning the OWASP Top 10

Server-side request forgery (SSRF)

- [Instructor] The 10th and final item in the 2021 OWASP Top 10 is Server Side Request Forgery, also known as SSRF. OWASP says, "SSRF flaws allow an attacker to coerce the application to send a crafted request to an unexpected destination." When SSRF is present in a web application, attackers can send requests while pretending to be the victim server. Because the server is a trusted entity, these requests may result in access to sensitive and administrative functions like internal API calls and database queries.

SSRF can occur when servers send requests to fetch external resources; this is normal behavior. For example, a web app may need to display a graphic that is stored somewhere else. However, to prevent SSRF, an only-allowed or not-allowed list should be enforced. If you know that legitimate external resources are coming from a specific location, then you can allow only that IP address or host name. If not, you can use a not-allowed list and make sure that the server is not allowed to request sensitive internal resources.

The key takeaway for this category is that when web applications are vulnerable to SSRF, attackers may be able to bypass regular access controls by masquerading as the server. The official OWASP Top 10 documentation contains several references, which I encourage you to explore if you want to learn more.
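The two controls the instructor describes, an allow list of known hosts and a not-allowed (deny) list of internal address ranges, as an added example written for this page; it is not part of the course material. The hostnames, the `FAKE_DNS` table and the URLs are all constructed for the demonstration; in production the resolver would be `socket.getaddrinfo` rather than the dictionary lookup used here so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Allow list: the only places this (hypothetical) app legitimately fetches images from.
ALLOWED_HOSTS = frozenset({"images.example.com", "cdn.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})

# Deny list: ranges the server must never be coerced into requesting. Loopback,
# RFC 1918 private space, link-local (which contains the 169.254.169.254 cloud
# metadata endpoint), carrier-grade NAT, "this network", and the IPv6 equivalents.
BLOCKED_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
))

Resolver = Callable[[str], Iterable[str]]


def is_blocked_address(ip_text: str) -> bool:
    """True if the address falls in a range the server may not talk to."""
    addr = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.5 must be judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def allowed_by_allow_list(url: str) -> bool:
    """Allow-list check: only a known scheme and a known hostname pass."""
    parts = urlsplit(url)
    # urlsplit().hostname drops userinfo and lowercases, so
    # "https://images.example.com@169.254.169.254/" yields "169.254.169.254".
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS


def allowed_by_deny_list(url: str, resolve: Resolver) -> bool:
    """Deny-list check: resolve the host and refuse any address in a blocked range."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        # Literal IP in the URL: judge it directly, no DNS involved.
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = list(resolve(host))
    # Every address the name resolves to must be acceptable: one internal
    # record among public ones is enough to reject the whole request.
    return bool(candidates) and not any(is_blocked_address(ip) for ip in candidates)


def system_resolve(host: str) -> list[str]:
    """Real resolver for production use; not called by the offline demo below."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


# Constructed DNS table standing in for socket.getaddrinfo() so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "cdn.example.com": ["203.0.113.20", "2001:db8::20"],
    "intranet.example.com": ["10.0.0.5"],                      # internal target
    "rebind.attacker.example": ["203.0.113.99", "127.0.0.1"],  # public plus loopback
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in (
        "https://images.example.com/logo.png",
        "http://images.example.com/logo.png",
        "https://169.254.169.254/latest/meta-data/",
        "https://images.example.com@169.254.169.254/",
        "https://intranet.example.com/admin",
        "https://rebind.attacker.example/",
        "https://[::ffff:10.0.0.5]/",
    ):
        print(f"{url:50} allow-list={allowed_by_allow_list(url)!s:5} "
              f"deny-list={allowed_by_deny_list(url, fake_resolve)}")
```

The allow list is the stronger control and is what to use whenever the legitimate destinations are known. The deny-list check is the fallback the instructor mentions, and it carries a caveat worth remembering: the address that passes the check must be the one the HTTP client actually connects to (pin the resolved IP or re-check after resolution), otherwise a name that resolves differently on the second lookup, or a redirect to an internal address, walks around the check.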