Level 5: SSRF with IP + Hostname Blocking (Difficulty: Hard)
SSRF Concept: Services may have multiple hostnames/aliases. Blacklist-based filtering is never complete.
Clue: Now BOTH the hostname "internal-api" and the IP "172.31.0.50" are blocked! Also blocked: "metadata.internal". But the internal database config endpoint still exists. The service also has an alias "db.internal".
Hint: Blacklists are never complete. Services may have multiple hostnames. Try: http://db.internal/db/config
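Why the name-based blacklist in this level fails, and what a check on the resolved address looks like instead, as an added example that is not the challenge's own code. The resolver table is constructed so the block runs offline; that db.internal resolves to the same address as internal-api, and the example.com address, are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Values the challenge text says are blocked.
DENYLIST = {"internal-api", "172.31.0.50", "metadata.internal"}

# Constructed stand-in for the Docker network's DNS (assumption: the alias
# db.internal points at the same container as internal-api).
CONSTRUCTED_DNS = {
    "internal-api": "172.31.0.50",
    "db.internal": "172.31.0.50",
    "example.com": "93.184.216.34",  # constructed public address
}

def denylist_allows(url):
    """Level 5 style filter: reject only hosts that appear on the blacklist."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in DENYLIST

def resolve(host):
    """Return the address for an IP literal or a name, or None if unknown."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        addr = CONSTRUCTED_DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None

def hardened_allows(url):
    """Decide on the resolved address, not on the spelling of the hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = resolve(parts.hostname.lower())
    if ip is None:
        return False  # fail closed on names that do not resolve
    # Private, loopback and link-local ranges are all non-global.
    return ip.is_global

if __name__ == "__main__":
    for u in ("http://internal-api/flag1", "http://db.internal/db/config"):
        print(u, denylist_allows(u), hardened_allows(u))
```

In a real fetcher the request must connect to the address that was checked (for cURL, pinning it with CURLOPT_RESOLVE) and redirects must be re-validated, otherwise the check and the fetch can disagree.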
Network Topology
This application runs in a Docker network. Key information:
- Your app (this page): ssrf-app, accessible from the internet on port 8041
- Internal API: internal-api, NOT exposed to the internet
- Server uses cURL with HTTP/HTTPS protocols only (no file://)
Your Challenge
Enter a URL below. The server will fetch it using cURL (HTTP/HTTPS only).
Find the flag. Format: IDS{32_character_hexadecimal}
Example: http://internal-api/flag1