SSRF for Beginners: Blueprint
RCCE students will learn Server-Side Request Forgery vulnerabilities including internal service enumeration, cloud metadata access, protocol smuggling, and blind SSRF exploitation. RCCE students will learn to identify SSRF vulnerabilities in web applications and APIs, exploit SSRF to access internal services, cloud instance metadata endpoints, and protected resources, detect SSRF through application logging and network monitoring, implement remediation using allowlisting, URL validation, network segmentation, and metadata service protection, configure WAF rules for SSRF pattern detection, and assess SSRF risk in cloud environments where metadata services provide access to sensitive credentials. Designed for students with no prior experience in this area, this course builds knowledge from the ground up with clear explanations, guided demonstrations, and progressive skill-building. Starting from foundational concepts, RCCE students will learn core concepts through practical examples that connect theory to real-world security operations. By completion, students will have the foundational knowledge and hands-on confidence needed to contribute in professional cybersecurity roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing SSRF for Beginners: Blueprint
- Explain Server-Side Request Forgery — Foundations to Professional Practice fundamentals
- Explain Course Overview fundamentals
- Execute hands-on tasks for module scope
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for attacker input
- Execute hands-on tasks for web application
- Execute hands-on tasks for server-side request
- Execute hands-on tasks for why it matters — covering Bypasses firewalls and network controls.
- Execute hands-on tasks for key characteristic — covering Server acts as a proxy for attacker.
- Execute hands-on tasks for ssrf in the security landscape — covering Added to OWASP Top 10 in 2021, CWE-918: Server-Side Request Forgery.
- Execute hands-on tasks for cwe classification — covering Added to OWASP Top 10 in 2021.
- Execute hands-on tasks for client-side request — covering Browser sends request directly.
| Module 01 | Server-Side Request Forgery — Foundations to Professional Practice |
| Module 02 | Course Overview |
| Module 03 | Module Scope |
| Module 04 | Learning Objectives |
| Module 05 | Attacker Input |
| Module 06 | Web Application |
| Module 07 | Server-Side Request |
| Module 08 | Why It Matters |
| Module 09 | Key Characteristic |
| Module 10 | SSRF in the Security Landscape |
| Module 11 | CWE Classification |
| Module 12 | Client-Side Request |
| Module 13 | Common Server-Side Request Patterns |
| Module 14 | Webhook Delivery |
All hands-on labs run on Rocheston Rose X OS. Students practice ssrf for beginners: blueprint by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Server-Side Request Forgery — Foundations to Professional Practice fundamentals
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for module scope
- Lab 4: Execute hands-on tasks for learning objectives
- Lab 5: Execute hands-on tasks for attacker input
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for SSRF for Beginners: Blueprint, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI