Web apps use server-side requests to fetch data from other servers, e.g., for link previews. Attackers, however, can abuse such requests to reach internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF). The talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex. Finally, we discuss our research on the prevalence of countermeasures in the wild.

Licensed to the public under
Recorded by

Malte Wessels has been a PhD student at the Institute for Application Security at TU Braunschweig since summer '22, where he conducts research on web security and privacy. He is also an assessor on the board of the non-profit organization e.V.