Time-based SSRF Lab

Master timing-based Server-Side Request Forgery detection


Progress: Level 1 of 3 (Difficulty: Medium)

Level 1: Basic Time-based SSRF (Medium)

Clue: There is an internal API at hostname "timed-internal-api". When the server fetches a URL from this service, the response takes significantly longer due to server-side processing delays. Can you detect the timing difference?
Hint: Try: http://timed-internal-api/flag1 - If the response time is > 3000ms, the SSRF was successful and the flag will be revealed.
Concept: Time-based detection: successful SSRF to internal services produces measurable timing differences.

Network Topology

  • This app (timed-ssrf-app) - Port 8043 - fetches URLs server-side
  • Internal API (timed-internal-api) at IP 172.33.0.50 - no external port, hosts flags with deliberate delays
  • The internal API responds to specific hostnames and adds deliberate processing delays to specific endpoints

Your Challenge

Enter a URL below. The server will fetch it and measure the response time. If the timing indicates the internal API was reached, the flag for this level will be revealed. Each flag follows the format: IDS{...}
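Added example, not part of the lab or its app: the permissive URL check that the Level 1 fetcher effectively applies, beside a hardened check of the kind that would close this lab's hole. A constructed in-memory resolver stands in for DNS so it runs offline; the allowlisted host, its public address, and the 172.33.0.0/16 deny range are assumptions derived from the topology above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. The two lab
# names come from the topology above; the public address is an assumption.
FAKE_DNS = {
    "timed-internal-api": "172.33.0.50",   # internal API from the topology
    "localhost": "127.0.0.1",
    "example.com": "93.184.216.34",        # assumed public address
}

# Assumption: the lab's internal network is 172.33.0.0/16. Note that it is
# NOT an RFC 1918 range, so a check built only on ip.is_private would let
# 172.33.0.50 through; deployment-specific ranges must be listed explicitly.
DENY_NETWORKS = [ipaddress.ip_network("172.33.0.0/16")]

# Assumption: the app only ever needs to fetch from this host.
ALLOWED_HOSTS = {"example.com"}


def vulnerable_is_allowed(url: str) -> bool:
    """Before: any http(s) URL is fetched, which is what Level 1 exploits."""
    return urlsplit(url).scheme in ("http", "https")


def hardened_is_allowed(url: str, resolve=FAKE_DNS.get) -> bool:
    """After: scheme and host allowlisted, then the *resolved* address is
    checked against loopback/private/link-local ranges and DENY_NETWORKS.
    `resolve` maps hostname -> IP string (injected so tests stay offline)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host not in ALLOWED_HOSTS:
        return False
    addr_text = resolve(host)
    if addr_text is None:
        return False
    addr = ipaddress.ip_address(addr_text)
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
        return False
    return not any(addr in net for net in DENY_NETWORKS)
```

A real fetcher should also connect to the address it validated (not re-resolve), and use one short fixed timeout so that blocked and failed fetches do not leak the kind of timing difference this lab measures.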