Level 2: SSRF Service Enumeration (Easy)
SSRF Concept: SSRF can be used to enumerate and discover internal API endpoints and sensitive data.
Clue: The internal API has hidden endpoints that contain sensitive data. You know the service exists at "internal-api" but you need to find the right path. Common API paths include /api/, /admin/, /secret/, /v1/, /v2/.
Hint: Try enumerating: /api/v1/, /api/v2/, /api/v2/credentials. The flag is hidden in an API credentials endpoint.
Network Topology
This application runs in a Docker network. Key information:
- Your app (this page): ssrf-app - accessible from internet on port 8041
- Internal API: internal-api - NOT exposed to the internet
- Server uses cURL with HTTP/HTTPS protocols only (no file://)
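The topology above restricts only the URL scheme, so internal-api stays reachable through the server-side fetcher. As an added example (not the lab's own code), here is a destination check a server could run before fetching a user-supplied URL; the address 172.18.0.3 for internal-api, the sample resolver and the function names are assumptions constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the only restriction the lab server is described as applying


def system_resolve(host):
    """Resolve a hostname to the set of IP strings the fetcher could connect to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_internal(addr):
    """True for addresses that must not be reachable through a user-supplied URL."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        addrs = set()
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY resolved address is internal, not only the first one.
    blocked = sorted(a for a in addrs if is_internal(a))
    if blocked:
        return False, "resolves to internal address " + blocked[0]
    return True, "ok"


# Constructed DNS view so the demo runs offline: 172.18.0.3 stands in for the
# Docker-network address of internal-api (assumption), 93.184.216.34 for a public host.
SAMPLE_DNS = {"internal-api": {"172.18.0.3"}, "example.com": {"93.184.216.34"}}


def sample_resolve(host):
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]
```

A check like this only holds if the fetcher then connects to the address that was validated and re-runs the check on every redirect; otherwise a second DNS lookup or a 302 can still land on the internal service.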
Your Challenge
Enter a URL below. The server will fetch it using cURL (HTTP/HTTPS only).
Find the flag. Format: IDS{32_character_hexadecimal}
Example: http://internal-api/flag1