LAB 314 – Defending TypeScript Applications Against SSRF

Course Overview


This lab introduces Server-Side Request Forgery (SSRF), a vulnerability that occurs when an attacker can manipulate the destination of web requests issued by an application. An attacker who controls the destination can access internal network resources or local filesystem objects, or invoke functionality exposed by web APIs such as cloud server metadata APIs, database HTTP interfaces, and web APIs exposed by other parts of the application or by other applications. The impact of SSRF includes extraction of authentication credentials from cloud server metadata interfaces and of sensitive application data from NoSQL databases. The solution is to restrict request destinations to valid external services only, or to calculate request destinations without including user input. This Skill Lab offers a virtual environment that contains a vulnerable application and its source code, for training developers to identify and remediate SSRF vulnerabilities.

In this Defending TypeScript Skill Lab, learners can gain hands-on experience testing for SSRF vulnerabilities and implementing suitable mitigations. Possible mitigations include restricting the application's request destinations to valid external services, calculating destinations without including user input, or not sending requests to external services when they are unnecessary.

Course Details

Course Number: LAB 314
Course Duration: 5 minutes
Course CPE Credits: .25

NICE Specialty Areas

Available Languages

  • English