SSRF Validator

🌐 Can you trick the server into revealing its own secrets?

A seemingly secure URL validation service stands between you and sensitive internal data! 🔒 The server thinks it's safe behind its firewall, but clever request manipulation might just convince it to fetch data from places it shouldn't. 🕵️ Master the art of server-side request forgery and turn the server against itself! 💥

Flags: 1 | Points: 5 | Success Rate: 85%

This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

🌐 SSRF Validator - Complete Solution

Objective: Exploit the URL validation service to access internal endpoints and retrieve the flag from the server's internal API.

🔍 Step 1: Understanding the Application

The challenge presents a URL validation service that fetches and displays content from provided URLs. The service has basic protections against accessing localhost and internal IP ranges.

Initial Analysis:
• Service accepts URLs via POST to /validate
• Displays fetched content in response
• Has blacklist filters for localhost/127.0.0.1
• Blocks common internal IP ranges (192.168.x.x, 10.x.x.x)

🔍 Step 2: SSRF Bypass Techniques

Several methods can bypass the URL validation filters:

Method 1: Alternative Localhost Representations
http://0.0.0.0:8080/flag
http://0:8080/flag
http://[::]:8080/flag

Method 2: Decimal/Hex IP Encoding
http://2130706433:8080/flag (127.0.0.1 in decimal)
http://0x7f000001:8080/flag (127.0.0.1 in hex)

Method 3: URL Encoding
• http://127.0.0.1:8080/flag with URL encoding
• Double encoding techniques

🔍 Step 3: Discovering Internal Services

The internal service runs on port 8080 and has a /flag endpoint that contains sensitive information:

Internal Service Discovery: Use SSRF to scan common internal ports (8080, 3000, 5000, 9000) and endpoints (/flag, /admin, /api, /internal) to locate the flag.

🔍 Step 4: Successful Exploitation

Submit the bypass payload to the validation service:

Exploitation Process:
1. Navigate to the URL validation form
2. Enter bypass payload: http://0.0.0.0:8080/flag
3. Submit the form via POST request
4. The server fetches content from the internal endpoint
5. The flag is displayed in the response

🔍 Step 5: Alternative Methods

Multiple SSRF techniques work for this challenge:

Working Payloads:
http://0:8080/flag
http://2130706433:8080/flag
http://localhost:8080/flag (if filter bypass works)
http://127.1:8080/flag

📚 Learning Points
  • SSRF Fundamentals: Understanding server-side request forgery mechanics
  • Filter Bypass: Various techniques to circumvent URL validation
  • Internal Reconnaissance: Using SSRF for internal network discovery
  • Security Impact: How SSRF can expose internal services and data

Mitigation: Proper SSRF prevention includes whitelist-based URL validation, network segmentation, and avoiding user-controlled URLs in server requests.
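
The mitigation above, as an added example that is not part of the original walkthrough or the lab's code: it normalizes each host string to the address it denotes, which shows why a string blacklist misses the encodings listed on this page, and compares that with an allowlist check. The blacklist function is an assumed model of the lab's filter, and `ALLOWED_HOSTS` with `status.example.com` is hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"status.example.com"}  # hypothetical allowlist (assumption)

def literal_ip(host):
    """Address denoted by host if it is an IP literal in any form the C
    resolver accepts (0, 127.1, 2130706433, 0x7f000001); None for names."""
    try:
        return ipaddress.ip_address(host)                     # canonical v4/v6
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))   # legacy v4 forms
    except OSError:
        return None

def naive_blacklist_allows(url):
    """Assumed model of the lab's filter: exact match on localhost/127.0.0.1
    and prefix match on 192.168. and 10."""
    host = urlsplit(url).hostname or ""
    return not (host in ("localhost", "127.0.0.1")
                or host.startswith(("192.168.", "10.")))

def allowlist_allows(url, allowed=ALLOWED_HOSTS):
    """Allow only http(s) URLs whose host is an allowlisted name; every IP
    literal is refused, whatever its encoding."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    if literal_ip(host) is not None:
        return False
    return host in allowed

# Constructed input: based on the URLs on this page, plus one allowlisted URL.
SAMPLES = [
    "http://0.0.0.0:8080/flag", "http://0:8080/flag", "http://[::]:8080/flag",
    "http://2130706433:8080/flag", "http://0x7f000001:8080/flag",
    "http://127.1:8080/flag", "http://localhost:8080/flag",
    "https://status.example.com/health",
]

def compare(samples=SAMPLES):
    """Map url -> (blacklist verdict, denoted address or None, allowlist verdict)."""
    rows = {}
    for u in samples:
        ip = literal_ip(urlsplit(u).hostname)
        rows[u] = (naive_blacklist_allows(u),
                   str(ip) if ip is not None else None, allowlist_allows(u))
    return rows
```

Calling `compare()` returns one row per URL; the middle field is the address the host string actually denotes, which is what a filter has to reason about rather than the raw text.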