Great video mate! Also I thought it might be worth mentioning that the definition of SSRF is a bit misleading on some sources such as the PortSwigger page, which a lot of people refer to. They use terms such as “inducing the server to make HTTP requests to an arbitrary domain of the attacker’s choosing”. I don’t quite agree with this, the reason being the points you mentioned: the attacker should be able to hit internal endpoints or access some part of the network which is not reachable from outside, say a cloud instance metadata endpoint. Maybe this is why a lot of people confuse this with SSRF.
Thank you! I finally have a video to send the "beg bounty" people.
3:26 actually it is. You can set up a Squid proxy and allow only external IP requests. AFAIK many social networks use such proxies, which limit internal network access.
Yeah true, you can do that for your app. My investigation was based on having a CTF challenge with RCE, and thus I cannot block that kind of traffic.
Does someone have the GitHub URL with the metadata URLs?
2:01, you can see it there.
It's actually similar to CVSS but without impacting any of the CIA triad. It's useless.
It should be considered as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N, which is again 0/10.
Hey @LiveUnderflow,
Please do a video on how to learn hacking technically.
@Kushal Thanks for the help, but I've already seen this video of his millions of times.
Love from india ❤️🇮🇳
I WAS LOOKING AT THIS VULN AND I FOUND YOU MADE A VIDEO LOL