SSRF Lab - Server-Side Request Forgery

Learn to exploit SSRF by attacking internal services via HTTP requests


Level 4: SSRF Cloud Metadata Access (difficulty: Medium)

SSRF Concept: Cloud instance metadata endpoints hand out the temporary credentials of the IAM role attached to the instance (on AWS under /latest/meta-data/iam/security-credentials/). Because the endpoint only answers requests that originate from the instance itself, SSRF in an application running on that instance is the classic way an external attacker reaches it.
Clue: In cloud environments (AWS, GCP, Azure), the instance metadata service is reachable only from inside the instance, at a special link-local URL. This lab simulates that service; the internal API also responds to the hostname "metadata.internal". Can you access the simulated cloud metadata?
Hint: AWS metadata is at http://169.254.169.254/latest/meta-data/. In this lab, try: http://metadata.internal/latest/meta-data/
Real-world caveat: that plain GET is the unauthenticated IMDSv1 style. AWS IMDSv2 first requires a session token obtained with a PUT to /latest/api/token and then sent in the X-aws-ec2-metadata-token header, GCP requires a Metadata-Flavor: Google header, and Azure requires a Metadata: true header, so an SSRF that can only issue a plain GET with default headers does not reach them.
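To make the IMDSv1/IMDSv2 difference concrete, here is an added example (not part of the lab) that runs a tiny stand-in for the EC2 metadata service on localhost and drives it two ways: a single GET with default headers, which is all a curl-style SSRF fetcher can do, and the IMDSv2 token exchange (PUT for a token, then GET with the token header). The role name, credential values and session token are constructed for the demo; the server is a simulation, not the real metadata service.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: hypothetical role name and fake, non-functional credentials.
ROLE = "lab-instance-role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
              "Token": "example-session-token"}
TOKEN_HEADER = "X-aws-ec2-metadata-token"          # real IMDSv2 header names
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeIMDS(BaseHTTPRequestHandler):
    """Minimal simulation of the metadata service (assumed behaviour, not AWS code)."""
    v2_only = False                      # True = IMDSv2 enforced: every GET needs a token
    valid_token = "constructed-session-token"

    def log_message(self, *args):        # keep the demo quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 token request: PUT /latest/api/token with a TTL header.
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            self._send(200, self.valid_token)
        else:
            self._send(400, "bad token request")

    def do_GET(self):
        if self.v2_only and self.headers.get(TOKEN_HEADER) != self.valid_token:
            self._send(401, "unauthorized")          # what IMDSv2-only instances answer
            return
        if self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, ROLE)                    # role listing
        elif self.path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            self._send(200, json.dumps(FAKE_CREDS))  # temporary credentials for the role
        else:
            self._send(404, "not found")


def fetch(url, method="GET", headers=None):
    """Return (status, body), which is all a blind SSRF fetcher ever sees."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def run_demo(v2_only):
    """Start the fake IMDS, try both access styles, return the status codes seen."""
    FakeIMDS.v2_only = v2_only
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    creds_url = f"{base}/latest/meta-data/iam/security-credentials/{ROLE}"
    try:
        # 1. The lab's curl-style fetcher: one GET, no custom headers.
        plain = fetch(creds_url)
        # 2. The IMDSv2 exchange: PUT for a token, then GET carrying it.
        _, token = fetch(f"{base}/latest/api/token", "PUT", {TTL_HEADER: "21600"})
        with_token = fetch(creds_url, headers={TOKEN_HEADER: token})
    finally:
        server.shutdown()
        server.server_close()
    return {"plain_get": plain[0], "token_get": with_token[0],
            "leaked": plain[0] == 200 and "SecretAccessKey" in plain[1]}


if __name__ == "__main__":
    print("IMDSv1 allowed:", run_demo(v2_only=False))
    print("IMDSv2 only:  ", run_demo(v2_only=True))
```

With IMDSv2 enforced the plain GET gets a 401 while the two-step exchange still succeeds, which is why a GET-only SSRF primitive (like this lab's fetcher) is stopped by IMDSv2 but not by IMDSv1.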

Network Topology

This application runs in a Docker network. Key information:

  • Your app (this page): ssrf-app - accessible from internet on port 8041
  • Internal API: internal-api - NOT exposed to the internet
  • Server uses cURL with HTTP/HTTPS protocols only (no file://). Note that restricting the scheme says nothing about which hosts may be reached: internal hostnames such as internal-api and link-local addresses such as 169.254.169.254 are still in scope.
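The topology above is the point of the lab: a fetcher that checks only the URL scheme still reaches every host on the internal network. Here is an added example (not the lab's code) that places that scheme-only policy beside a hardened one that resolves the hostname and rejects any answer that is not a globally routable address. The DNS table is constructed to mirror the lab's Docker network (the container addresses and the public stand-in 8.8.8.8 are assumptions), and the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table standing in for the lab's Docker DNS (not real records).
FAKE_DNS = {
    "metadata.internal": ["169.254.169.254"],            # the lab's metadata alias
    "internal-api": ["172.18.0.3"],                      # assumed container address
    "169.254.169.254": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],                         # decimal spelling of 127.0.0.1
    "::ffff:169.254.169.254": ["::ffff:169.254.169.254"],# IPv4-mapped IPv6 form
    "rebind.example": ["8.8.8.8", "10.0.0.5"],           # mixed public/private answers
    "example.com": ["8.8.8.8"],                          # stand-in public address
}


def fake_resolve(host, port):
    """getaddrinfo-shaped lookup over FAKE_DNS so the example needs no network."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return [((socket.AF_INET6 if ":" in ip else socket.AF_INET),
             socket.SOCK_STREAM, 6, "", (ip, port)) for ip in FAKE_DNS[host]]


def is_public_ip(ip):
    """True only for globally routable unicast addresses.

    Link-local (169.254.0.0/16, where cloud metadata lives), loopback, RFC 1918,
    carrier-grade NAT, ULA and the documentation ranges all fail this test.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # judge ::ffff:a.b.c.d by its IPv4 form
    return addr.is_global and not addr.is_multicast


def lab_fetcher_accepts(url):
    """The lab's stated policy: scheme only. Any http(s) host goes through."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES


def hardened_accepts(url, resolve=socket.getaddrinfo):
    """Scheme check plus host resolution, rejecting the URL if any answer is non-public.

    In production, connect to the exact address you validated (pin it) rather than
    resolving again, and disable redirects or re-run this check on every hop;
    otherwise a DNS rebinding race or a 302 to 169.254.169.254 bypasses it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False                       # http://trusted@internal-host/ confusions
    try:
        infos = resolve(parts.hostname, parts.port or 80)
    except (socket.gaierror, OSError):
        return False
    addrs = [info[4][0] for info in infos]
    return bool(addrs) and all(is_public_ip(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://metadata.internal/latest/meta-data/", "http://internal-api/flag1",
              "http://2130706433/", "http://[::ffff:169.254.169.254]/",
              "http://rebind.example/", "https://example.com/", "file:///etc/passwd"):
        print(f"{u:48} lab={lab_fetcher_accepts(u)!s:5} hardened={hardened_accepts(u, fake_resolve)}")
```

Every internal target the lab hints at passes the scheme-only check and fails the hardened one, including the decimal and IPv4-mapped spellings of internal addresses that a naive string blocklist on "169.254.169.254" or "127.0.0.1" would miss.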

Your Challenge

Enter a URL below. The server will fetch it using cURL (HTTP/HTTPS only). Find the flag. Format: IDS{32_character_hexadecimal}

Example URL: http://internal-api/flag1