SSRF Lab
Educational Purpose Only
This lab demonstrates Server-Side Request Forgery (SSRF) attacks and defenses. Use only for learning and authorized testing.
Vulnerable Mode
No input validation. The server will fetch any URL, including internal services and cloud metadata endpoints.
Secure Mode
This mode implements proper SSRF defenses with URL validation, domain allowlisting, and private IP blocking.
Security Defenses Implemented:
- Domain allowlisting (only approved domains)
- URL scheme validation (http/https only)
- Private and link-local IP range blocking (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Redirect following disabled
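The four defenses above, written out as a small validator and fetch helper. This is an added example, not the lab's own code: the allowlist is built from the example URLs on this page, the loopback and IPv6 ranges are added on the assumption that a hardened validator should also cover them, and the DNS table used by the demo is constructed so it runs offline.

```python
"""Added example (not the lab's own code): the Secure Mode checks as a URL
validator plus a fetch helper that refuses to follow redirects.
The allowlist and the stub DNS table are constructed for this example."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist, taken from the example URLs on this page.
ALLOWED_HOSTS = {"api.github.com", "httpbin.org"}

# Ranges the fetcher must never reach. RFC 1918 and 169.254.0.0/16 are the
# ones the lab lists; loopback, "this network" and the IPv6 equivalents are
# added as an assumption of what a hardened validator should also cover.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # link-local, incl. cloud metadata
    "127.0.0.0/8", "0.0.0.0/8",                         # loopback, "this" network
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]


def is_blocked_ip(addr):
    """True if the address literal is in a blocked range; ValueError if not an IP."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Every A/AAAA address the host currently maps to (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (True, "ok") or (False, reason). Checks run in the order the lab's
    examples suggest: scheme, IP-literal block, allowlist, then every address
    the hostname actually resolves to (an allowlisted name can point inward)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # lowercased, port and IPv6 brackets stripped
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"  # e.g. http://good.com@169.254.169.254/
    try:
        literal_blocked = is_blocked_ip(host)
    except ValueError:
        literal_blocked = None  # hostname, not an IP literal
    if literal_blocked:
        return False, "private IP blocked: %s" % host
    if host.rstrip(".") not in allowed_hosts:
        return False, "host not in allowlist: %s" % host
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, "DNS failure: %s" % exc
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an error instead of following it: a redirect is the
    classic way to bounce an allowlisted host into an internal address."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url, timeout=5):
    """Validate, then fetch with redirects disabled. Raises on any refusal."""
    ok, reason = validate_url(url)
    if not ok:
        raise ValueError("refused: " + reason)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


# Constructed DNS table so the demo runs offline (TEST-NET addresses for the
# public hosts). "rebind.example" models an allowlisted name whose DNS answer
# points at the metadata service.
STUB_DNS = {
    "api.github.com": ["192.0.2.10"],
    "httpbin.org": ["203.0.113.7"],
    "rebind.example": ["169.254.169.254"],
}


def stub_resolver(host):
    if host not in STUB_DNS:
        raise OSError("NXDOMAIN %s" % host)
    return STUB_DNS[host]


if __name__ == "__main__":
    for url in ("https://api.github.com/users/github", "http://169.254.169.254/",
                "https://google.com", "ftp://api.github.com/",
                "http://[::ffff:169.254.169.254]/", "http://api.github.com@127.0.0.1/"):
        print(url, "->", validate_url(url, resolver=stub_resolver))
    print(validate_url("https://rebind.example/", allowed_hosts={"rebind.example"},
                       resolver=stub_resolver))
```

One caveat worth keeping in mind with this shape of check: the address is validated at one moment and the HTTP library re-resolves the name when it connects, so a DNS answer that changes between the two (rebinding) can still slip through. The robust fix is to connect to the address that passed validation and send the original hostname in the Host header (and SNI), rather than letting the client resolve again.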
Example URLs to try (Vulnerable Mode):
- Normal: https://api.github.com/users/github
- AWS Metadata (IMDSv1): http://169.254.169.254/
- AWS Metadata Directory: http://169.254.169.254/latest/meta-data/
- AWS IAM Credentials Path: http://169.254.169.254/latest/meta-data/iam/security-credentials/

Example URLs to try (Secure Mode):
- Allowed: https://api.github.com/users/github
- Allowed: https://httpbin.org/get
- Blocked (Private IP): http://169.254.169.254/
- Blocked (Not in allowlist): https://google.com