Chasing SSRF in Downstream Asynchronous Workflows – Live at BSides Cleveland 2025
- Date: October 18, 2025
- Time: 2:30–3:20 p.m. EDT
- Location: Ingenuity Cleveland

David Garlak, Senior Security Consultant at Bishop Fox, takes the stage at BSides Cleveland 2025 as he presents a focused, demo-driven session on Server-Side Request Forgery (SSRF) and the underappreciated ways forged responses can influence downstream asynchronous workflows.
For full details, visit the conference website: https://bsidescle.com.
"Chasing SSRF in Downstream Asynchronous Workflows"
Speakers: David Garlak, Senior Security Consultant
Date/Time: October 18, 2025 at 2:30–3:20 p.m. EDT
Location: Stage A Red Team (first floor near reception)
Abstract: Server-Side Request Forgery is a common and versatile web vulnerability that occurs when an actor can influence where a server makes requests. While detection and basic mitigation techniques are well known, the consequences of SSRF often extend beyond the immediate request/response cycle — especially in systems that rely on asynchronous or downstream workflows. This talk examines SSRF in those real-world contexts: how forged requests can be routed to unexpected locations, how forged responses can alter downstream behavior, and why these interactions frequently increase impact and complexity.
The following points will be covered during the lecture:
- SSRF Categories: A taxonomy of SSRF types and how they commonly appear in modern web apps and services.
- Mitigations and Pitfalls: Practical defenses (allow/deny lists, network segmentation, request validation) and frequent mistakes made during implementation.
- Forged Responses as Injection Points: How SSRF can be leveraged to inject data or control into downstream asynchronous processing and background jobs.
- Case Study: A real vulnerability discovered using this technique, including impact analysis and remediation steps.
- Demo Lab: A walk-through of a demo environment where attendees can reproduce the technique and practice safe testing.
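As an added illustration of the allow-list pitfalls named in the mitigations bullet (example code written for this page, not from the talk or from Bishop Fox): a Python outbound-destination check that validates scheme, userinfo and exact host, resolves every record and rejects non-public addresses, returning a pinned IP so the checked address is the one actually used; the substring-match mistake sits beside it for contrast. The host names, the injected resolver and all addresses are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real service loads it from configuration.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}
ALLOWED_SCHEMES = {"https"}

def naive_check(url: str) -> bool:
    """The pitfall: substring-matching the raw URL lets any URL that merely
    mentions an allowed name (in the query, path or userinfo) through."""
    return any(host in url for host in ALLOWED_HOSTS)

def is_public(ip: str) -> bool:
    """Globally routable only: loopback, RFC 1918, link-local (cloud metadata),
    multicast and reserved ranges are rejected. IPv4-mapped IPv6 addresses are
    unwrapped first so ::ffff:169.254.169.254 is caught as well."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_global

def default_resolver(hostname: str) -> list[str]:
    """Resolve every A/AAAA record; one internal record is enough to be unsafe."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]

def validate_destination(url: str, resolver=default_resolver) -> tuple[str, str]:
    """Return (hostname, pinned_ip) for a safe URL, else raise ValueError. The
    caller connects to pinned_ip with Host: hostname, so the checked address is used."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo is not allowed in outbound URLs")
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host!r}")
    addresses = resolver(host)
    if not addresses or not all(is_public(ip) for ip in addresses):
        raise ValueError(f"{host!r} resolves to a non-public address")
    return host, addresses[0]

def is_safe_destination(url: str, resolver=default_resolver) -> bool:
    """Boolean wrapper around validate_destination for callers that only branch."""
    try:
        validate_destination(url, resolver)
        return True
    except ValueError:
        return False
```

Whatever the check returns, the fetched body still enters the downstream job as untrusted input and needs its own schema and size validation before it is processed.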
Target audience: Pentesters, red teamers, application security engineers, backend developers, and defenders interested in understanding how SSRF can affect asynchronous systems and how to defend against higher-impact scenarios.