8:02 · May 2026 ★ Members only

Server Side Request Forgery: Pivot From a URL Field to Internal Systems

We dive deep into server-side request forgery using WebGoat as the exploitable application. Learn how attackers can modify URL references within web requests to gain access to sensitive data or attack remote systems. This vulnerability is identified in the OWASP Top 10 as A10:2021 - Server-Side Request Forgery. The weaknesses identified during this test show that "flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL)."
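
As an added example (not taken from the video or from WebGoat), here is one way to perform the validation the quoted text says is missing: resolve the user-supplied URL and refuse it unless every address it maps to is public. The function names, the `example.test` hostnames and the `SAMPLE_DNS` table are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "images.example.test": {"8.8.8.8"},
    "intranet.example.test": {"10.0.5.20"},
    "mixed.example.test": {"8.8.8.8", "127.0.0.1"},
}

def system_resolver(host, port):
    """Production resolver: every address the fetcher could end up connecting to."""
    return {i[4][0] for i in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}

def sample_resolver(host, port):
    """Offline resolver for the demo: IP literals pass through, names use SAMPLE_DNS."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in SAMPLE_DNS:
            raise socket.gaierror("unknown host")
        return SAMPLE_DNS[host]

def check_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason, ips); ok is True only if every resolved address is public."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        ips = sorted(resolver(parts.hostname, port))
    except OSError:
        return False, "host does not resolve", []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address it embeds.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if not addr.is_global:
            return False, f"{ip} is not a public address", ips
    return (True, "ok", ips) if ips else (False, "host does not resolve", [])
```

The check only holds if the fetcher connects to one of the returned `ips` rather than resolving the name a second time, and if the same check is run on every redirect target.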

This is a members-only video.

Join the YouTube channel membership to watch this and other member-exclusive content. The companion notes below are free for everyone.
