
Server-side Attacks Medium
A backend that handles user-supplied input insecurely can lead to sensitive information disclosure and remote code execution. This module covers how to identify and exploit server-side bugs. This module introduces Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI) injection attacks, alongside other server-side vulnerabilities.
Created by Andres D
Summary
When interacting with modern web applications, we need to be aware that multiple machines and components are likely involved in the process. There may be intrusion detection/prevention systems, content delivery networks for better performance, load balancers, reverse proxies, other application servers, template engines, and database servers between us and the application server. As you can imagine, the IP associated with the domain name may have nothing to do with the actual application server. When we issue HTTP requests to a target application, all the machines and components involved in the process do not simply pass requests through but also interpret them in order, for example, to apply restrictions or identify and block attacks.
At this point, we need to consider the below:
- Do those intermediary machines and components interpret and treat the requests the same way the final application server does? If not, this could be the root cause of a security issue.
- Do those intermediary machines and components perform (enough) validation before the user request hits the final application server? If not, this could also be the root cause of a security issue.
The attack scenarios mentioned above leverage the trust between the final application server and the intermediary machines and components. However, there are scenarios where server-side attacks can be executed against the hosting server itself without the interference of any intermediary machines and components, leveraging the trust between the server and itself. In the latter scenarios, a URL is usually passed with a hostname of 127.0.0.1 or localhost.
From a penetration tester's perspective, it is worth checking for inefficiencies in how user requests are being treated or validated from these types of intermediary machines and components or the application server itself since they can lead to severe information leakage or even remote code execution.
This module will discuss the basics of identifying and exploiting server-side bugs.
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox
provided in the interactive sections or your virtual machine.
The module is classified as "Medium
" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. The module also assumes basic knowledge of web applications and web requests. It will build on this understanding to teach how server-side bugs can be exploited.
In addition to the above, a firm grasp of the following modules can be considered as prerequisites for the successful completion of this module:
- Linux Fundamentals
- Web Requests
- Introduction to Web Applications
- Using Web Proxies
- Cross-Site Scripting (XSS)
Sections
- Introduction to Server-Side Attacks
- AJP Proxy
- Nginx Reverse Proxy & AJP
- Apache Reverse Proxy & AJP
- Server-Side Request Forgery (SSRF) Overview
- SSRF Exploitation Example
- Blind SSRF
- Blind SSRF Exploitation Example
- Time-Based SSRF
- Server-Side Includes Overview
- SSI Injection Exploitation Example
- Edge-Side Includes (ESI)
- Introduction to Template Engines
- SSTI Identification
- SSTI Exploitation Example 1
- SSTI Exploitation Example 2
- SSTI Exploitation Example 3
- Attacking XSLT
- Server-Side Attacks - Skills Assessment
Relevant Paths
This module progresses you towards the following Paths

Medium 257 Sections
Cubes Required: 1410
The Bug Bounty Hunter Job Role Path is for individuals who want to enter the world of Bug Bounty Hunting with little to no prior experience. This path covers core web application security assessment and bug bounty hunting concepts and provides a deep understanding of the attack tactics used during bug bounty hunting. Armed with the necessary theoretical background, multiple practical exercises, and a proven bug bounty hunting methodology, students will go through all bug bounty hunting stages, from reconnaissance and bug identification to exploitation, documentation, and communication to vendors/programs. Upon completing this job role path, you will have become proficient in the most common bug bounty hunting and attack techniques against web applications and be in the position of professionally reporting bugs to a vendor.