Burp Suite User Forum


Wrong Definition ( SSRF )

Mesh3l | Last updated: May 22, 2021 10:19PM UTC

Hello PortSwigger Academy, I really hope this email finds you doing very well. PortSwigger Web Academy is considered one of the most famous training sources when it comes to the web application penetration testing field, so that is the reason behind my concern, since thousands and thousands of beginners, including myself, have been learning from your academy. I have noticed that there is a mistake in the SSRF definition, which says: "Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems." According to PortSwigger Academy: "allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing" and "or to external third-party systems". As you know, this will make the beginner think that forcing the server to make an external HTTP request is always considered SSRF, while that is not the case, because simply a lot of services can make external HTTP requests as an (intended functionality), and by using one of these services I could manage to force the server to send an external HTTP request to my own server, which is not considered SSRF at all. Thank you in advance. Sincerely, Meshal (@Mesh3l_911)
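
The distinction the post draws, as an added example that is not part of the original thread or of PortSwigger's material: a destination check that a webhook-style feature could apply so that its intended external requests stay allowed while requests to addresses an outside caller could not reach directly (loopback, private ranges, link-local and cloud metadata space) are refused. The function names, `SAMPLE_DNS` and its hostnames are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def resolve_live(host):
    """Resolve a hostname with the system resolver (all A/AAAA answers)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

# Constructed lookup table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "mapped.test": ["::ffff:10.0.0.5"],
}

def sample_resolver(host):
    """Constructed resolver: answers only for names in SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return SAMPLE_DNS[host]

def classify_destination(url, resolver=resolve_live):
    """Return 'external' when every address the host resolves to is public,
    otherwise a 'refused: ...' reason. No request is made here; a caller
    that does make one should connect to the addresses validated here
    rather than re-resolving the name, so the answer cannot change between
    the check and the connection."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "refused: scheme %r is not allowed" % parsed.scheme
    if not parsed.hostname:
        return "refused: no host in URL"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parsed.hostname)]
    except (socket.gaierror, ValueError) as exc:
        return "refused: cannot resolve %s (%s)" % (parsed.hostname, exc)
    for addr in addrs:
        # Judge an IPv4-mapped IPv6 answer (::ffff:a.b.c.d) by its IPv4 part.
        effective = getattr(addr, "ipv4_mapped", None) or addr
        # is_global is False for loopback, RFC 1918, link-local (which
        # includes cloud metadata ranges), unspecified and reserved space.
        if not effective.is_global:
            return "refused: %s resolves to non-public %s" % (parsed.hostname, addr)
    return "external"
```

A service that only ever reaches destinations this check returns "external" for is doing what the post calls intended functionality; the SSRF concern is the refused set.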

Uthman, PortSwigger Agent | Last updated: May 24, 2021 10:02AM UTC

Hi Meshal, Thanks. We have reported this to our technical writer and will get back to you via email with any feedback.

Mesh3l | Last updated: May 25, 2021 11:48PM UTC

Hello Uthman, Thanks for your kind response. I really hope this could help anyone in any sense, and I will be waiting for your decision. Sincerely, Meshal (@Mesh3l_911)

Mesh3l | Last updated: May 25, 2021 11:59PM UTC

Hello Uthman, I think that your technical writer has already modified the definition. I'm so thankful for your professional support. Sincerely, Meshal (@Mesh3l_911)

Uthman, PortSwigger Agent | Last updated: May 26, 2021 08:27AM UTC

You are welcome. Let us know if you spot anything else.
