This lab introduces Server-Side Request Forgery (SSRF) vulnerabilities, which occur when an attacker can manipulate the destination of web requests issued by an application. With that control, they can reach internal network resources or local filesystem objects, or invoke functionality exposed by web APIs such as cloud server metadata APIs, database HTTP interfaces, and web APIs exposed by other parts of the application or by other applications. The impact of SSRF includes extracting authentication credentials from cloud server metadata interfaces and sensitive application data from NoSQL databases. The remedy is to restrict the destinations of the requests to an allowlist of valid external services, or to compute the destinations of requests without including user input. This Skill Lab offers a virtual environment that contains a vulnerable application and its source code for training developers to identify and remediate SSRF vulnerabilities.
In this Defending TypeScript Skill Lab, learners can gain hands-on experience testing for SSRF vulnerabilities and implementing suitable mitigations. The possible mitigations include restricting the destinations to which the application can send requests to valid external services, calculating the destinations without including user input, or avoiding sending requests to external services when unnecessary.
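The two mitigations named above (computing the destination without user input, and restricting destinations to valid external services) in TypeScript. This is an added example, not course material or code from the lab's vulnerable application; the service names, hostnames and sample inputs are constructed for illustration.

```typescript
// Added example (not course material): keeping request destinations out of
// user control in a TypeScript service. Service names, hosts and sample
// inputs below are constructed for illustration.

// Vulnerable pattern: the URL the server will request is the caller's parameter.
// Any host the server can reach, internal or local, becomes reachable via it.
function vulnerableTarget(userUrl: string): string {
  return userUrl;
}

// Mitigation 1: compute the destination without user input.
// The client names a service; the server owns the scheme, host and path and
// only lets caller data into the query string.
const SERVICES: { [key: string]: string } = {
  weather: "https://api.example-weather.test/v1/forecast",
  geocode: "https://geo.example.test/lookup",
};

function targetFromKey(serviceKey: string, params: { [key: string]: string }): string | null {
  // hasOwnProperty guards against prototype keys such as "constructor"
  if (!Object.prototype.hasOwnProperty.call(SERVICES, serviceKey)) return null;
  const url = new URL(SERVICES[serviceKey]);
  Object.keys(params).forEach((k) => {
    const v = params[k];
    if (typeof v === "string") url.searchParams.set(k, v);
  });
  return url.toString();
}

// Mitigation 2: when a full URL must be accepted, parse it and compare the
// hostname exactly against an allowlist; never use substring matching.
const ALLOWED_HOSTS = ["api.example-weather.test", "geo.example.test"];

function validateExternalUrl(candidate: string): string | null {
  let url: URL;
  try {
    url = new URL(candidate);
  } catch (e) {
    return null; // unparseable input is rejected, not "fixed up"
  }
  if (url.protocol !== "https:") return null;                 // no http:, file:, etc.
  if (url.username !== "" || url.password !== "") return null; // rejects "host@other" forms
  if (ALLOWED_HOSTS.indexOf(url.hostname) === -1) return null; // exact hostname match only
  return url.toString(); // normalized form, safe to hand to the HTTP client
}
```

`targetFromKey` is the stronger of the two because the caller never supplies a host at all. `validateExternalUrl` checks the hostname the application is about to connect to; it does not by itself cover redirects issued by the allowed host or DNS changes after the check, so the HTTP client used with it should be configured not to follow redirects to unvetted destinations.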
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.