Intro to SSRF

Learn how to exploit Server-Side Request Forgery (SSRF) vulnerabilities, allowing you to access internal server resources.


What is SSRF?

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to cause the server-side application to make requests to a destination of the attacker's choosing. In a typical attack, the attacker manipulates a parameter that the application uses to construct a server-side request, redirecting it to an internal service, a cloud metadata endpoint, or an external server under their control.

SSRF exploits the trust that internal systems place in the application server. Backend services, databases, and cloud infrastructure often accept requests from the server without additional authentication, because they assume any request arriving from a trusted internal IP address is legitimate. An attacker who can control where the server sends its requests effectively inherits that trust.

Types of SSRF

There are two categories of SSRF vulnerability, and the distinction affects how exploitation is approached.

Type | Response visible? | Description
Regular | Yes | The response from the back-end request is returned in the application's front-end response. The attacker can directly read the output.
Blind | No | The application makes the back-end request but does not return the response. The attacker must use indirect methods to confirm exploitation.

With a regular SSRF, if an attacker forces the server to fetch an internal admin page, the contents of that page appear directly in the response. This provides immediate, readable output.

With a blind SSRF, the application may display a fixed success message regardless of the back-end outcome. However, blind SSRF can still be exploited. An attacker can confirm the vulnerability by directing the request to a server they control (using a tool such as Burp Collaborator) and observing whether a callback arrives. Differences in response time or error messages between reachable and unreachable hosts can also reveal information about internal infrastructure.

Impact

The impact of SSRF depends on what internal services are reachable from the application server.

Impact | Description
Access to internal endpoints | Admin panels, configuration interfaces, and monitoring dashboards that are not exposed to the internet become reachable. IP-based access controls are bypassed because the request originates from the server itself.
Sensitive data exposure | Backend databases, private APIs, and internal tooling that trust the server's network position may return customer data, organisational records, or application secrets.
Internal network reconnaissance | By sending requests to different IP addresses and ports, an attacker can map internal hosts and services using variations in response time, status codes, and error messages.
Cloud metadata theft | Cloud providers such as AWS, GCP, and Azure expose instance metadata at 169.254.169.254. An attacker who reaches this endpoint can retrieve temporary credentials, role details, and instance configuration data.
Credential and token leakage | Authentication tokens and secrets passed between internal services can be intercepted, particularly where back-end communication runs over unencrypted HTTP.

In the following tasks, we will examine how SSRF manifests in different application features, how to identify it, and how to bypass common defences.
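As an added example (not part of the room), the defensive counterpart of the impacts listed above: a pre-flight check a server can run on a user-supplied URL before fetching it, combining a host allowlist with a check on the resolved address. The host names, addresses and the stand-in resolver table are constructed for this example.

```python
"""Pre-flight check for a URL the server will fetch on a user's behalf (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this feature may fetch from.
ALLOWED_HOSTS = {"images.example.com", "partner.example.com"}

# Constructed stand-in for DNS so the example runs offline. In production use
# socket.getaddrinfo() and then connect to the exact address you checked, so a
# second lookup cannot return a different (internal) answer.
STATIC_DNS = {
    "images.example.com": "203.0.113.10",
    "partner.example.com": "169.254.169.254",  # allowlisted name pointed at metadata
}

# Ranges the server must never contact for a user: loopback, RFC 1918, link-local
# (which includes 169.254.169.254), "this network", multicast, and IPv6 analogues.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_blocked_address(ip_text):
    """True if the address is in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_text)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # ::ffff:127.0.0.1 -> 127.0.0.1
    return any(ip in net for net in BLOCKED_NETS)

def check_fetch_target(url, resolver=STATIC_DNS):
    """Return (allowed, reason). Deny by default; every denial names its cause."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"          # file://, gopher://, dict:// ...
    host = parts.hostname                           # lowercased, brackets and userinfo stripped
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not permitted"   # 169.254.169.254, [::1], ...
    except ValueError:
        pass                                        # a host name: continue
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    ip_text = resolver.get(host)
    if ip_text is None:
        return False, "host does not resolve"
    if is_blocked_address(ip_text):
        return False, "resolves to blocked address " + ip_text
    return True, "ok"
```

Note that `urlsplit(...).hostname` discards any user-info prefix, so `http://images.example.com@10.0.0.5/` is checked as the IP literal `10.0.0.5`, not as the allowlisted name.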

Answer the questions below
What does SSRF stand for?

As opposed to a regular SSRF, what is the other type?