Chapter 22 Further Reading: Server-Side Attacks

Standards and Advisories

  • CISA Log4Shell Advisory (AA21-356A). The US Cybersecurity and Infrastructure Security Agency's official advisory on Log4Shell, including indicators of compromise, detection guidance, and mitigation steps. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a

  • AWS IMDSv2 Documentation. Amazon's official guide to Instance Metadata Service Version 2, including migration guidance from IMDSv1 and configuration best practices. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

  • OWASP Server-Side Request Forgery Prevention Cheat Sheet. Practical defense guidance for SSRF, covering input validation, network architecture, and cloud-specific mitigations. https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

  • OWASP XML External Entity Prevention Cheat Sheet. Language-specific guidance for disabling external entity processing across all major XML parsing libraries. https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

  • OWASP Deserialization Cheat Sheet. Comprehensive guidance on preventing insecure deserialization across Java, .NET, PHP, and Python. https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

Research Papers and Technical Reports

  • "A New Era of SSRF — Exploiting URL Parser in Trending Programming Languages!" by Orange Tsai (Black Hat USA 2017). Groundbreaking research on SSRF exploitation through URL parser differential behavior across programming languages. Introduced many of the bypass techniques used today.

  • "Blind SSRF Exploitation" by Wallarm Research. Detailed analysis of blind SSRF detection and exploitation techniques, including timing-based detection, DNS rebinding, and protocol smuggling.

  • "XXE: XML External Entity Attack" by PortSwigger Research. A comprehensive technical overview of XXE attacks including advanced techniques like blind XXE with out-of-band exfiltration and XXE through file formats. https://portswigger.net/web-security/xxe

  • "Deserialization Vulnerability" by Chris Frohoff and Gabriel Lawrence. The original research that introduced ysoserial and documented Java deserialization gadget chains. This work fundamentally changed how the industry understands deserialization risk. https://frohoff.github.io/appsec-deserialize-presentation/

  • "Server-Side Template Injection: RCE for the Modern Web App" by James Kettle (PortSwigger, 2015). The foundational research on SSTI that defined the vulnerability class, introduced detection methodology, and demonstrated exploitation across multiple template engines. https://portswigger.net/research/server-side-template-injection

  • "Log4Shell: RCE 0-day exploit found in Log4j" by LunaSec. The initial public disclosure and analysis of CVE-2021-44228, including the first proof-of-concept and early mitigation guidance. https://www.lunasec.io/docs/blog/log4j-zero-day/

Books

  • "Server-Side Attacks" Chapter in "The Web Application Hacker's Handbook" by Stuttard & Pinto (Wiley, 2011). While predating Log4Shell, the foundational techniques for server-side exploitation remain relevant and well-explained.

  • "Bug Bounty Bootcamp" by Vickie Li (No Starch Press, 2021). Includes practical chapters on SSRF, XXE, SSTI, and insecure deserialization from a bug bounty perspective, with real-world examples and methodology.

  • "Black Hat Python, 2nd Edition" by Justin Seitz and Tim Arnold (No Starch Press, 2021). Covers building custom exploitation tools in Python, including HTTP request manipulation and protocol interaction tools useful for server-side attack development.

  • "Hacking APIs" by Corey Ball (No Starch Press, 2022). Covers SSRF and server-side injection attacks in the context of modern API architectures.

Tools and Documentation

  • ysoserial. Java deserialization exploit payload generator supporting multiple gadget chains. The essential tool for Java deserialization testing. https://github.com/frohoff/ysoserial

  • ysoserial.net. .NET deserialization exploit payload generator for BinaryFormatter, ObjectStateFormatter, and other .NET serializers. https://github.com/pwntester/ysoserial.net

  • tplmap. Automated Server-Side Template Injection detection and exploitation tool supporting multiple template engines. https://github.com/epinna/tplmap

  • XXEinjector. Automated XXE injection tool with support for direct, blind, and out-of-band exploitation techniques. https://github.com/enjoiz/XXEinjector

  • interactsh by ProjectDiscovery. Open-source out-of-band interaction server for detecting blind SSRF, XXE, and other callback-based vulnerabilities. https://github.com/projectdiscovery/interactsh

  • Gopherus. Tool for generating gopher protocol payloads for SSRF exploitation against various backend services (MySQL, Redis, SMTP, etc.). https://github.com/tarunkant/Gopherus

  • marshalsec. JNDI exploitation toolkit used in Log4Shell exploitation. Includes an LDAP reference server for delivering malicious Java classes. https://github.com/mbechler/marshalsec

  • defusedxml (Python). Drop-in replacement for Python's XML parsing libraries that disables all dangerous features by default. https://github.com/tiran/defusedxml

Incident Reports and Post-Mortems

  • Capital One Breach Post-Incident Analysis. Multiple analyses of the SSRF-to-S3 breach chain, including the OCC enforcement action and the DOJ criminal complaint.

  • Apache Log4j Vulnerability Timeline. The Apache Foundation's official timeline and advisory history for CVE-2021-44228 through CVE-2021-45105. https://logging.apache.org/log4j/2.x/security.html

  • Sam Curry et al., "We Hacked Apple for 3 Months" (2020). The researchers' blog post describing their 55 Apple vulnerability findings including the iCloud XXE vulnerability. https://samcurry.net/hacking-apple/

Practice Platforms

  • PortSwigger Web Security Academy. Free labs for SSRF, XXE, SSTI, deserialization, and file upload attacks with detailed explanations and progressive difficulty levels. https://portswigger.net/web-security

  • HackTheBox and TryHackMe. Multiple boxes and rooms focused on server-side exploitation techniques, from beginner to advanced. https://www.hackthebox.com/ https://tryhackme.com/

  • PentesterLab. Structured exercises for XXE, deserialization, and SSTI with detailed walkthroughs. https://pentesterlab.com/

  • Vulnerable Applications for Lab Practice:
      ◦ Log4Shell vulnerable app: ghcr.io/christophetd/log4shell-vulnerable-app
      ◦ SSRF Lab: jeroenwillemsen/ssrf-lab
      ◦ Deserlab: tyrantsec/deserlab
      ◦ OWASP WebGoat: includes server-side vulnerability lessons

Conference Talks

  • "SSRF: The Perimeter has Fallen" by Ben Sadeghipour (NahamCon 2021). Practical demonstration of SSRF exploitation techniques with modern bypass methods.

  • "Exploiting Deserialization Vulnerabilities in Java" by Chris Frohoff (AppSec California 2015). The original presentation introducing ysoserial and Java gadget chain concepts.

  • "Log4Shell — What You Need to Know" by John Hammond (2021). An accessible walkthrough of the Log4Shell vulnerability, exploitation, and defense.
