Time-based SSRF Lab

Master timing-based Server-Side Request Forgery detection


Progress: Level 2 of 3 (Difficulty: Hard)

Level 2: Filtered Time-based SSRF (Hard)

Clue: The hostname "timed-internal-api" is blocked, but the service still runs at IP 172.33.0.50. Use timing analysis to confirm that your bypass actually reaches it.
Hint: Use the IP address instead of the hostname: http://172.33.0.50/flag2. A response time above 5000 ms indicates that the delayed internal endpoint answered.
Concept: A filter that matches only the hostname string does not block the same host when it is addressed by IP. Timing analysis confirms the bypass: only the internal API adds the deliberate delay, so a slow response proves the request reached it.

Network Topology

  • This app (timed-ssrf-app), port 8043 - fetches user-supplied URLs server-side and measures how long the fetch takes
  • Internal API (timed-internal-api) at IP 172.33.0.50 - no external port; hosts the flags and adds deliberate processing delays to specific endpoints
  • The internal API responds to specific hostnames and adds deliberate processing delays to specific endpoints

Your Challenge

Enter a URL below. The server will fetch it and measure the response time. If the timing indicates the internal API was reached, the flag for this level will be revealed. Each flag follows the format: IDS{...}
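The two halves of this level, the hostname-only filter that the IP literal slips past and the timing rule that confirms the bypass, as an added Python example. This is not the lab's own code: the filter functions, the constructed fake DNS table, the sleeping fetcher and the treatment of 172.33.0.0/16 as the internal network are assumptions made here; only the hostname timed-internal-api, the IP 172.33.0.50, the /flag2 path and the 5000 ms threshold come from the page.

```python
"""Added example (not the lab's code): a hostname-string SSRF filter beside a
resolve-then-check filter, plus the timing classifier the level relies on.
Assumptions: the fake DNS table, the sleeping fetcher and the choice of
172.33.0.0/16 as the internal network are made up for this illustration."""
import ipaddress
import time
from urllib.parse import urlsplit

# Values taken from the lab text.
BLOCKED_HOSTS = {"timed-internal-api"}
TIMING_THRESHOLD_MS = 5000

# Assumption: the page only says the API lives at 172.33.0.50, so its /16 is
# treated here as the internal range. Note that 172.33.x.x is outside
# 172.16.0.0/12, so ipaddress's is_private would NOT flag it on its own.
INTERNAL_NETWORKS = [ipaddress.ip_network("172.33.0.0/16")]

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"timed-internal-api": "172.33.0.50", "example.com": "93.184.216.34"}


def naive_hostname_filter(url: str) -> bool:
    """Level-2 style filter: compares only the hostname string.
    Returns True when the URL is allowed to be fetched."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def resolve_then_check(url: str, resolver=None) -> bool:
    """Hardened filter: turn the target into an IP first (literal or via the
    resolver), then reject loopback/link-local/RFC1918 and the listed
    internal networks. The IP-literal bypass is caught because the check
    is on the address, not the hostname string."""
    resolver = resolver or (lambda h: FAKE_DNS.get(h))
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)        # literal such as 172.33.0.50
    except ValueError:
        resolved = resolver(host)
        if resolved is None:
            return False                       # unresolvable: fail closed
        ip = ipaddress.ip_address(resolved)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def timed_fetch(url: str, fetcher, threshold_ms: float = TIMING_THRESHOLD_MS):
    """Run fetcher(url) and return (elapsed_ms, reached_internal) using the
    lab's rule: a response slower than threshold_ms means the deliberately
    delayed internal endpoint answered. A refused or errored fetch still
    produces a (short) timing, which is what a blocked bypass looks like."""
    start = time.perf_counter()
    try:
        fetcher(url)
    except Exception:
        pass
    elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms, elapsed_ms > threshold_ms


def slow_fetcher(delay_s: float):
    """Constructed fetcher that mimics the internal API's processing delay."""
    def fetch(url):
        time.sleep(delay_s)
        return url
    return fetch


def evaluate_candidates(urls, check):
    """Map each candidate URL to whether the given filter lets it through."""
    return {u: check(u) for u in urls}


if __name__ == "__main__":
    candidates = ["http://timed-internal-api/flag2", "http://172.33.0.50/flag2"]
    print("naive   :", evaluate_candidates(candidates, naive_hostname_filter))
    print("hardened:", evaluate_candidates(candidates, resolve_then_check))
    # Simulated probe: a short delay and a scaled-down threshold stand in for
    # the lab's multi-second delay and 5000 ms cut-off.
    ms, hit = timed_fetch(candidates[1], slow_fetcher(0.05), threshold_ms=20)
    print(f"{candidates[1]}: {ms:.1f} ms, reached internal API: {hit}")
```

Against a real run of the level, `fetcher` would be whatever submits the URL to the app on port 8043 and waits for its answer, and the threshold stays at 5000 ms. Two caveats for the defensive half: a range check that only asks `is_private` would let 172.33.0.50 through, because 172.33.0.0/16 is not RFC1918 space, so the internal networks have to be listed explicitly; and resolving the name in the filter and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding), so the hardened version should connect to the address it validated.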