SSRF Lab - Server-Side Request Forgery

Learn to exploit SSRF by attacking internal services via HTTP requests

Level 3: SSRF Hostname Filter Bypass Medium

SSRF Concept: Hostname-based blocking is insufficient, because the same internal service can be reached by its IP address instead of its name.
Clue: The hostname "internal-api" is now blocked! But the service still runs at IP address 172.31.0.50. Can you access the admin dashboard by bypassing the hostname filter?
Hint: Instead of using the hostname, use the IP address directly. Try: http://172.31.0.50/admin/dashboard
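As an added defensive illustration (not the lab's own code), the following contrasts the hostname-string blocklist this level models with a validator that resolves the target and refuses any URL whose address is private, loopback or otherwise non-global. The `resolve` parameter and the stub resolver are assumptions so the check can be exercised offline; only the 172.31.0.50 and internal-api values come from the lab text.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Weak filter as modelled by this level: compares only the hostname string,
# so "http://172.31.0.50/..." passes even though it is the same service.
BLOCKED_HOSTNAMES = {"internal-api"}


def weak_filter_allows(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_HOSTNAMES


def _is_external(ip: str) -> bool:
    # Treat anything that is not globally routable (RFC 1918, loopback,
    # link-local, CGNAT, reserved) or multicast as internal.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def hardened_filter_allows(url: str, resolve=socket.getaddrinfo) -> bool:
    """Allow only http/https URLs whose every resolved address is external."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)      # literal IPv4/IPv6 address
        addresses = [host]
    except ValueError:                  # a name: resolve and check all results
        try:
            addresses = [info[4][0] for info in resolve(host, None)]
        except socket.gaierror:
            return False
    # Caveat: the fetch must connect to the address checked here (pin it),
    # otherwise a second DNS lookup by the HTTP client can return a different IP.
    return all(_is_external(a) for a in addresses)


def stub_resolver(host, port):
    # Constructed offline resolver: one internal name, one public name.
    table = {"internal-api": "172.31.0.50", "example.com": "93.184.216.34"}
    if host not in table:
        raise socket.gaierror(f"constructed: unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port or 0))]
```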

Network Topology

This application runs in a Docker network. Key information:

  • Your app (this page): ssrf-app - accessible from internet on port 8041
  • Internal API: internal-api - NOT exposed to the internet
  • Server uses cURL with HTTP/HTTPS protocols only (no file://)

Your Challenge

Enter a URL below. The server will fetch it using cURL (HTTP/HTTPS only). Find the flag. Format: IDS{32_character_hexadecimal}

Server Response: (empty until a URL is submitted above; example target: http://internal-api/flag1)