SSRF Lab - Server-Side Request Forgery

Learn to exploit SSRF by attacking internal services via HTTP requests


Level 6: SSRF via Open Redirect Bypass (difficulty: Hard)

SSRF Concept: Open redirects can bypass SSRF filters that only validate the initial URL, not the final destination.
Clue: ALL internal hostnames and IPs are now blocked: internal-api, metadata.internal, db.internal, and 172.28.0.50. The filter checks the HOST of the URL. But... this application has an open redirect vulnerability at /redirect?dest=URL.
Hint: The open redirect at /redirect?dest=URL returns a 302. Since the filter only checks the INITIAL URL host, you can use localhost as host and redirect to an internal service. Try: http://localhost/redirect?dest=http://internal-api/vault/secret
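To see why a host check on the initial URL alone is not enough, here is an added example (not the lab's own code) of a fetcher that validates once and lets redirects through, beside a hardened version that follows each 302 manually and re-applies the check on every hop. `fake_http_get`, the function names and the placeholder flag are assumptions made for this example; it stands in for cURL so the code runs offline.

```python
from urllib.parse import urlparse, urljoin, parse_qs

# Lab's blocklist (from the page). A real fix would also reject loopback and
# private ranges after DNS resolution; this example isolates the redirect issue.
BLOCKED_HOSTS = {"internal-api", "metadata.internal", "db.internal", "172.28.0.50"}
MAX_HOPS = 5

def host_allowed(url):
    """Host check for ONE url: http/https only and hostname not on the blocklist."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname) \
        and p.hostname.lower() not in BLOCKED_HOSTS

def fetch_vulnerable(url, http_get):
    """Like the lab: checks only the initial URL, then follows 302s blindly."""
    if not host_allowed(url):
        return ("blocked", url)
    status, location, body = http_get(url)
    while status == 302:
        url = urljoin(url, location)       # new host is never re-checked
        status, location, body = http_get(url)
    return ("ok", body)

def fetch_hardened(url, http_get):
    """Follows redirects manually and re-applies host_allowed on every hop."""
    for _ in range(MAX_HOPS):
        if not host_allowed(url):
            return ("blocked", url)
        status, location, body = http_get(url)
        if status != 302:
            return ("ok", body)
        url = urljoin(url, location)       # checked at the top of the next loop
    return ("blocked", "too many redirects")

def fake_http_get(url):
    """Constructed stand-in for cURL: models /redirect?dest=... and internal-api."""
    p = urlparse(url)
    if p.hostname == "localhost" and p.path == "/redirect":
        return (302, parse_qs(p.query).get("dest", [""])[0], "")
    if p.hostname == "internal-api":
        return (200, None, "IDS{placeholder_flag}")   # constructed, not the lab flag
    return (200, None, "public content")

if __name__ == "__main__":
    probe = "http://localhost/redirect?dest=http://internal-api/vault/secret"
    print(fetch_vulnerable(probe, fake_http_get))   # ('ok', 'IDS{placeholder_flag}')
    print(fetch_hardened(probe, fake_http_get))     # ('blocked', 'http://internal-api/vault/secret')
```

The same per-hop check is what you get by disabling automatic redirect following in the HTTP client and validating each `Location` header yourself; the hop limit also stops redirect loops.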

Network Topology

This application runs in a Docker network. Key information:

  • Your app (this page): ssrf-app - accessible from the internet on port 8041
  • Internal API: internal-api - NOT exposed to the internet
  • Server uses cURL with HTTP/HTTPS protocols only (no file://)

Your Challenge

Enter a URL below. The server will fetch it using cURL (HTTP/HTTPS only). Find the flag. Format: IDS{32_character_hexadecimal}
