Information Security Summit 2025

Date:
October 31, 2025
Time:
2:30–3:30 p.m. EDT
Location:
LaCentre Conference & Banquet Facility in Westlake, Ohio | Bordeaux A
David Garlak, Senior Security Consultant at Bishop Fox, takes the stage at Information Security Summit 2025 as he presents a focused, demo-driven session on Server-Side Request Forgery (SSRF) and the underappreciated ways forged responses can influence downstream asynchronous workflows.

For full details, visit the conference website: https://www.informationsecuritysummit.org/2025-iss-information-registration.

"Chasing SSRF in Downstream Asynchronous Workflows"

Speakers: David Garlak, Senior Security Consultant

Date/Time: October 31, 2025 at 2:30–3:30 p.m. EDT

Location: Bordeaux A

Abstract:

Server-Side Request Forgery is a common and versatile web vulnerability that occurs when an actor can influence where a server makes requests. While detection and basic mitigation techniques are well known, the consequences of SSRF often extend beyond the immediate request/response cycle — especially in systems that rely on asynchronous or downstream workflows. This talk examines SSRF in those real-world contexts: how forged requests can be routed to unexpected locations, how forged responses can alter downstream behavior, and why these interactions frequently increase impact and complexity.

The following points will be covered during the lecture:

  1. SSRF Categories: A taxonomy of SSRF types and how they commonly appear in modern web apps and services.
  2. Mitigations and Pitfalls: Practical defenses (allow/deny lists, network segmentation, request validation) and frequent mistakes made during implementation.
  3. Forged Responses as Injection Points: How SSRF can be leveraged to inject data or control into downstream asynchronous processing and background jobs.
  4. Case Study: A real vulnerability discovered using this technique, including impact analysis and remediation steps.
  5. Demo Lab: A walk-through of a demo environment where attendees can reproduce the technique and practice safe testing.
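Points 2 and 3 above are the part a backend developer most often gets wrong in practice: validating the hostname once, then letting the HTTP client follow redirects or reconnect after a fresh DNS lookup. The Python below is an added illustration written for this listing, not code from the talk or from Bishop Fox. It assumes a hypothetical allowlist of partner hosts, a constructed DNS table standing in for `socket.getaddrinfo` so it runs offline, and a constructed transport callback in place of a real HTTP client. It shows three checks that close common pitfalls: a scheme/host allowlist with userinfo rejected, a resolved-address check that also unwraps IPv4-mapped IPv6 answers, and redirect hops that are re-validated one at a time with the validated IP pinned for the connection.

```python
"""Outbound-URL validation for SSRF defense (added example, not the talk's code)."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of hosts this service is expected to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}

# Constructed DNS table standing in for socket.getaddrinfo so the example runs offline.
# The second answer for the CDN host points into a private range: the whole host is rejected.
FAKE_DNS = {
    "api.partner.example": ["11.22.33.44"],
    "cdn.partner.example": ["77.88.99.100", "::ffff:10.0.0.5"],
}


def fake_resolver(host):
    return list(FAKE_DNS.get(host, []))


def is_public_ip(text):
    """True only for addresses that are routable on the public Internet."""
    ip = ipaddress.ip_address(text)
    # Pitfall: ::ffff:10.0.0.5 is an IPv4-mapped IPv6 address; check the inner IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


@dataclass(frozen=True)
class PinnedTarget:
    scheme: str
    host: str   # value for the Host header / TLS SNI
    ip: str     # address the client must actually connect to (no second DNS lookup)
    port: int


def validate_outbound_url(url, resolver=fake_resolver, allowed_hosts=ALLOWED_HOSTS):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    # Pitfall: http://allowed.host@10.0.0.8/ parses with the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"no address for {host!r}")
    # Pitfall: an allowlisted name can still resolve (or be rebound) to an internal address.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return PinnedTarget(scheme, host, addrs[0], port)


def verdict(url, resolver=fake_resolver):
    """Human-readable outcome used by the demo and tests."""
    try:
        target = validate_outbound_url(url, resolver)
        return f"allowed -> {target.ip}:{target.port}"
    except ValueError as exc:
        return f"rejected: {exc}"


def fetch_with_validation(url, transport, resolver=fake_resolver, max_hops=3):
    """transport(target, path) -> (status, location_or_None, body).
    Redirects are never auto-followed: every hop goes back through the validator."""
    for _ in range(max_hops + 1):
        target = validate_outbound_url(url, resolver)
        status, location, body = transport(target, urlsplit(url).path or "/")
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return status, body
    raise ValueError("too many redirects")


def demo_transport(target, path):
    # Constructed stand-in for an HTTP client: one endpoint redirects to an internal address.
    if target.host == "api.partner.example" and path == "/v1/report":
        return 302, "http://10.0.0.8/internal/", b""
    return 200, None, b"ok"


def demo_redirect_outcome():
    try:
        return fetch_with_validation("https://api.partner.example/v1/report", demo_transport)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/items", "ftp://api.partner.example/",
              "http://api.partner.example@10.0.0.8/", "https://cdn.partner.example/file",
              "https://evil.example/"):
        print(u, "=>", verdict(u))
    print("redirect chain =>", demo_redirect_outcome())
```

The design point is that the validator returns a pinned address, so the real client must connect to `target.ip` and send `target.host` in the Host header rather than resolving the name again; a fresh lookup at connect time is exactly the window a DNS-rebinding attempt relies on. In a real service the `fake_resolver` would be replaced by `socket.getaddrinfo`, and the HTTP client configured with redirects disabled so the loop above sees every hop.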

Target audience: Pentesters, red teamers, application security engineers, backend developers, and defenders interested in understanding how SSRF can affect asynchronous systems and how to defend against higher-impact scenarios.
