Time-based SSRF Lab

Master timing-based Server-Side Request Forgery detection

Progress: Level 3 of 3 (Difficulty: Hard)

Level 3: Advanced Time-based SSRF (Hard)

Clue: Both the hostname "timed-internal-api" and the IP "172.33.0.50" are blocked, but the service has another hostname alias that the filter does not know about. Find it using timing analysis.
Hint: The service also responds to the hostname "secret-api". Try http://secret-api/flag3; a response time above 7000 ms indicates success.
Concept: Blacklist-based filtering is never complete; a service may have aliases the filter does not know about.

Network Topology

  • This app (timed-ssrf-app), port 8043: fetches URLs server-side
  • Internal API (timed-internal-api) at IP 172.33.0.50: no external port; hosts the flags with deliberate delays
  • The internal API responds to specific hostnames and adds deliberate processing delays to specific endpoints
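The following is an added example written for this page, not code from the lab itself, showing why the filter described in the clue fails and what a fetcher should do instead: decide on where a hostname resolves rather than on what it is called. The DNS table, the external host "public.example", and the internal network 172.33.0.0/16 (inferred from the API's address) are constructed assumptions; the level only states the two names and the IP. One caveat the lab's addressing makes concrete: 172.33.0.50 is outside the RFC 1918 range 172.16.0.0/12, so a generic "deny private ranges" rule would also let it through, and the deployment's own networks must be listed explicitly (or, better, legitimate destinations allowlisted).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. The level says the
# internal API at 172.33.0.50 answers as "timed-internal-api" and (per the hint)
# as the alias "secret-api"; "public.example" is a made-up external host.
LAB_DNS = {
    "timed-internal-api": ["172.33.0.50"],
    "secret-api": ["172.33.0.50"],
    "public.example": ["93.184.216.34"],
}

# What the level's filter knows, per the clue: one name and one IP literal.
BLOCKED_HOSTS = {"timed-internal-api"}
BLOCKED_IPS = {"172.33.0.50"}

# Assumption: the lab's internal network is 172.33.0.0/16 (derived from the
# API's address). 172.33.x.x is NOT RFC 1918 private, so ipaddress.is_private
# and similar generic checks would not catch it; list your own networks.
INTERNAL_NETWORKS = [ipaddress.ip_network("172.33.0.0/16")]


def lab_resolver(host):
    """Offline resolver over the constructed table (returns [] if unknown)."""
    return LAB_DNS.get(host, [])


def system_resolver(host):
    """Real resolver for production use; not exercised in this example."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def blacklist_allows(url):
    """The level's approach: compare the URL's host string against a denylist.
    Any alias the list does not know about passes straight through."""
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_HOSTS and host not in BLOCKED_IPS


def resolved_address_policy(url, resolver=lab_resolver, internal_networks=INTERNAL_NETWORKS):
    """Decide on where the host actually resolves, not on what it is called.
    Returns (allowed, reason, pinned_ip). The caller should connect to
    pinned_ip (still sending the original Host header) instead of resolving
    again, so the answer cannot change between the check and the connect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", None
    for a in addrs:  # every answer must be acceptable, not just the first
        ip = ipaddress.ip_address(a)
        if not ip.is_global:  # loopback, link-local, RFC 1918, unspecified, ...
            return False, f"{host} -> {a} is not a global address", None
        if any(ip in net for net in internal_networks):
            return False, f"{host} -> {a} is on an internal network", None
    return True, "ok", addrs[0]


def allowlist_allows(url, allowed_hosts=frozenset({"public.example"})):
    """Strongest option when the set of legitimate destinations is known."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    for u in ("http://secret-api/flag3", "http://172.33.0.50/flag3", "http://public.example/"):
        print(u, "blacklist:", blacklist_allows(u),
              "resolved:", resolved_address_policy(u), "allowlist:", allowlist_allows(u))
```

Two things worth noting for the defensive side. First, the timing channel the level relies on exists only because the fetcher reports how long the request took (or lets a slow internal endpoint hold the connection open); a uniform, short connect timeout and a response that does not depend on upstream duration remove that signal. Second, a resolve-then-check policy is only sound if the connection is made to the checked address, which is why the function returns a pinned IP.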

Your Challenge

Enter a URL below. The server will fetch it and measure the response time. If the timing indicates the internal API was reached, the flag for this level will be revealed. Each flag follows the format: IDS{...}