Educational Lab Environment

This lab demonstrates SSRF (Server-Side Request Forgery) attacks. Never attempt these techniques on systems without explicit authorization.

SSRF Attack Lab

Learn how attackers abuse server-side URL fetching to access internal resources

Attack Flow: Attacker -> Web Server -> Internal API / Cloud Metadata (the attacker supplies a URL, the web server fetches it, and the request reaches the internal API or the cloud metadata service that only the server can see).

Vulnerable Application

LinkPreview Pro - URL Preview Service (marked VULNERABLE): the user enters a URL and clicks Fetch, and the server fetches that URL and shows the response as a preview.

Attack Payloads

Internal Admin Panel [INTERNAL]
http://localhost:8080/admin
Reach an admin interface that is bound to loopback or an internal port and is never exposed to the internet.
Internal Network Device [INTERNAL]
http://192.168.1.1/config
Reach router or switch configuration pages on the server's private network.
AWS Metadata Service [CLOUD]
http://169.254.169.254/latest/meta-data/
Read EC2 instance metadata; with IMDSv1, the path iam/security-credentials/<role-name> returns the instance's temporary IAM credentials. IMDSv2 rejects this plain GET because it first requires a session token obtained with a PUT request.
GCP Metadata Service [CLOUD]
http://metadata.google.internal/computeMetadata/v1/
Read Google Cloud service account tokens. The v1 endpoint requires the request header Metadata-Flavor: Google, so this only works when the fetcher adds that header or the attacker can control request headers.
Local File Read [PROTOCOL]
file:///etc/passwd
Read local files when the fetching library honours the file:// scheme (curl and many URL libraries do unless the scheme is disabled).
Internal Redis [INTERNAL]
http://127.0.0.1:6379/
Reach the internal Redis cache. Redis answers the HTTP request line with an error and newer versions close the connection when they see a Host: header, so a plain HTTP fetch only confirms the port is reachable; sending real commands needs a scheme such as gopher:// that gives control over the raw bytes.
IPv6 Localhost Bypass [BYPASS]
http://[::1]:8080/admin
Bypass a filter that only blocks the string 127.0.0.1; ::1 is the same loopback host.
IP Obfuscation (Hex) [BYPASS]
http://0x7f.0x0.0x0.0x1:8080/
127.0.0.1 with each octet in hexadecimal notation; inet_aton-style parsers in libc and most HTTP clients accept it, but a blocklist applied to the URL string does not recognise it.

Defenses & Activity Log

Defense Mechanisms

IP Blocklist: Block 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 169.254.0.0/16, plus the IPv6 equivalents (::1, fc00::/7, fe80::/10). A blocklist matched against the URL string is defeated by the encodings above; apply it to the resolved address.
Protocol Allowlist: Only allow http:// and https://; this removes file://, gopher://, dict:// and similar schemes.
DNS Resolution Check: Resolve the hostname and verify every returned IP before the request, then connect to that verified IP rather than resolving a second time (the second lookup is the DNS rebinding window).
Redirect Prevention: Don't follow redirects automatically; handle each hop manually and re-validate its URL, since a permitted external host can answer with a 302 to an internal one.

Server Activity Log: requests made by the preview service are recorded here (empty until a URL is fetched).

What is SSRF?

  • Server-Side Request Forgery makes the server send requests on the attacker's behalf
  • Bypasses firewalls and network segmentation because the requests originate from a trusted server inside the perimeter
  • Reaches internal services that are not exposed to the internet
  • Steals cloud credentials from instance metadata services
  • Port scans internal networks by observing response differences and timing

Common Targets

  • 169.254.169.254 - AWS/Azure/GCP metadata (Azure expects the header Metadata: true, GCP expects Metadata-Flavor: Google)
  • localhost:8080 - Internal admin panels
  • 192.168.x.x - Internal network devices
  • file:///etc/passwd - Local file system
  • localhost:6379 - Redis cache servers (commands need a raw-protocol scheme such as gopher://)

Bypass Techniques

  • IPv6: [::1] instead of 127.0.0.1, or the IPv4-mapped form [::ffff:127.0.0.1]
  • Decimal IP: 2130706433 = 127.0.0.1
  • Hex IP: 0x7f000001 (octal 0177.0.0.1 works the same way)
  • URL encoding: %31%32%37 is "127" once a fetcher decodes the host before resolving it
  • DNS rebinding: a hostname that resolves to a permitted IP for the check and to an internal IP for the request that follows

Defense Strategies

  • Allowlist approved domains only
  • Block private IP ranges at DNS resolution, and connect to the checked IP rather than resolving again
  • Disable unnecessary URL schemes (file://, gopher://, dict://)
  • Don't follow redirects automatically; re-validate every hop
  • Use IMDSv2 for cloud metadata (requires a session token from a PUT request with a TTL header, which a GET-only SSRF cannot obtain; keep the hop limit at 1)
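The defense mechanisms, bypass techniques and defense strategies above, put together as one fetcher. This is an added example, not code from the lab page or from the LinkPreview application; the blocked ranges, the redirect hop limit, the timeout and the sample addresses are assumptions. It canonicalises the numeric host forms the bypass list relies on (IPv6, decimal, hex, octal, IPv4-mapped), checks the resolved address rather than the URL string, follows redirects by hand, and connects to the address that passed the check.

```python
# Added example, not code from the lab page or the LinkPreview app: the listed
# defenses as one fetcher (scheme allowlist, resolve-then-check against private
# ranges, manual redirects, connect to the checked address). Assumed values.
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# 169.254.0.0/16 covers the metadata endpoint; the IPv6 entries are the
# unspecified, loopback, unique-local and link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]

def parse_legacy_ipv4(host):
    """inet_aton rules: 1-4 parts, each decimal, 0x hex or 0-prefixed octal, the
    last part filling the remaining octets; this is why 2130706433, 0x7f000001,
    0177.0.0.1 and 0x7f.0x0.0x0.0x1 all reach 127.0.0.1. None if not IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    values = []
    for p in parts:
        is_hex = p[:2].lower() == "0x"
        base = 16 if is_hex else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            values.append(int(p[2:] if is_hex else p, base))
        except ValueError:  # "0x" alone, "09", or a name such as "example"
            return None
    *lead, last = values
    width = 8 * (4 - len(lead))
    if any(v > 255 for v in lead) or last >= 1 << width:
        return None
    for i, v in enumerate(reversed(lead)):
        last |= v << (width + 8 * i)
    return ipaddress.IPv4Address(last)

def resolve(host):
    """Every address the host reaches: numeric forms first, then DNS."""
    legacy = parse_legacy_ipv4(host)
    if legacy is not None:
        return [legacy]
    try:
        return [ipaddress.ip_address(host)]  # IPv6 literal, brackets already gone
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(ai[4][0].split("%")[0]) for ai in infos]

def is_blocked(ip):
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is loopback
    target = mapped if mapped is not None else ip
    return any(target in net for net in BLOCKED_NETWORKS)

def validate_url(url):
    """(ok, reason, ips); run before every request, including each redirect."""
    p = urlsplit(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed", []
    if not p.hostname:
        return False, "no host", []
    if p.username is not None:  # http://trusted.example@127.0.0.1/ trick
        return False, "userinfo in URL", []
    ips = resolve(p.hostname)
    if not ips:
        return False, "unresolvable host", []
    for ip in ips:
        if is_blocked(ip):
            return False, f"{p.hostname} reaches blocked address {ip}", []
    return True, "ok", ips

def safe_fetch(url, max_redirects=3, timeout=5):
    """Follow redirects by hand, re-validating each hop, and connect to the
    address that passed the check so a DNS rebind cannot change the target."""
    for _ in range(max_redirects + 1):
        ok, reason, ips = validate_url(url)
        if not ok:
            raise ValueError(f"blocked: {reason}")
        p = urlsplit(url)
        port = p.port or (443 if p.scheme == "https" else 80)
        sock = socket.create_connection((str(ips[0]), port), timeout=timeout)
        if p.scheme == "https":  # TLS still verifies the real host name via SNI
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=p.hostname)
        conn = http.client.HTTPConnection(p.hostname, port, timeout=timeout)
        conn.sock = sock  # pinned socket; http.client will not reconnect on its own
        conn.request("GET", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        body = resp.read(64 * 1024)
        conn.close()
        location = resp.getheader("Location")
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            return resp.status, body
        url = urljoin(url, location)  # validated again at the top of the loop
    raise ValueError("too many redirects")
```

`validate_url` alone is enough to reject every payload in the list above, including the hex, decimal, octal, IPv6 and IPv4-mapped forms, because it judges the address the name resolves to rather than the string the user typed. `safe_fetch` matters for the two cases a validator cannot catch on its own: a permitted host that redirects inward, and a host whose DNS answer changes between the check and the connection.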

Knowledge Check

1. What makes SSRF particularly dangerous in cloud environments?

It allows direct database access
Metadata services can expose IAM credentials and secrets
It enables Cross-Site Scripting attacks
It bypasses HTTPS encryption

2. Which IP address is commonly used for cloud metadata services?

192.168.1.1
10.0.0.1
169.254.169.254
172.16.0.1

3. What is the MOST effective defense against SSRF?

Rate limiting requests
Using HTTPS only
Allowlist of approved domains + DNS resolution validation
Adding CSRF tokens