{"guid":"38ba35b7-c49c-47ea-b04e-c9c247af6e76","title":"SSRF: Attacks, Defense and Status Quo","subtitle":null,"slug":"god2024-56281-ssrf-attacks-defense-and-s","link":"https://c3voc.de","description":"Web apps use Server-Side Requests to fetch data from other servers, e.g., for link previews. However, attackers can exploit this functionality to make the server request internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF).\n\nThe talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex.\n\nFinally, we will discuss our research on the prevalence of countermeasures in the wild.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Malte Wessels"],"view_count":223,"promoted":false,"date":"2024-11-13T16:15:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-04-17T20:30:04.053+02:00","tags":["56281","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"length":625,"duration":625,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56281-ssrf-attacks-defense-and-s","url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_title":"German OWASP Day 
2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[],"recordings":[{"size":60,"length":625,"mime_type":"video/webm","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-11-13T16:59:55.867+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/webm-hd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/81503","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":23,"length":625,"mime_type":"video/webm","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-11-13T16:58:36.621+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/webm-sd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/81502","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":47,"length":625,"mime_type":"video/mp4","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_fhd.mp4","state":"new","folder":"h264-fhd","high_quality":true,"width":1920,"height":1080,"updated_at":"2024-11-13T16:56:15.049+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/h264-fhd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_fhd.mp4","url":"https://api.media.ccc.de/public/recordings/81501","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":20,"length":625,"mime_type
":"video/mp4","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2024-11-13T16:54:55.293+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/h264-sd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_sd.mp4","url":"https://api.media.ccc.de/public/recordings/81500","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":6,"length":625,"mime_type":"audio/opus","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2024-11-13T16:53:29.572+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/opus/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_opus.opus","url":"https://api.media.ccc.de/public/recordings/81499","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":9,"length":625,"mime_type":"audio/mpeg","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2024-11-13T16:53:02.484+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/mp3/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/81498","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"},{"size":66,"length":625,"mime_type":"video/mp4","language":"eng","filename":"god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080
,"updated_at":"2024-11-13T16:51:55.286+01:00","recording_url":"https://cdn.media.ccc.de/events/god/2024/h264-hd/god2024-56281-eng-SSRF_Attacks_Defense_and_Status_Quo_hd.mp4","url":"https://api.media.ccc.de/public/recordings/81497","event_url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_url":"https://api.media.ccc.de/public/conferences/god2024"}]}