Master Server-Side Request Forgery (SSRF) attacks and internal network reconnaissance techniques
Learn to exploit URL scanning services and discover hidden internal administrative endpoints
SSRF vulnerabilities affect 67% of web applications that process user-provided URLs
Enhance your penetration testing toolkit with advanced server-side exploitation techniques
Server-Side Request Forgery (SSRF) is a web security vulnerability that allows attackers to make the server perform HTTP requests to arbitrary destinations, including internal network resources that are normally inaccessible from the outside. SSRF has consistently ranked among the OWASP Top 10 critical vulnerabilities and has been responsible for some of the most significant cloud security breaches in recent years, particularly in AWS environments where it can expose IAM credentials and metadata.
SSRF vulnerabilities arise when web applications fetch resources from URLs provided by users without adequate validation. Common features that introduce SSRF risk include URL preview generators, webhook processors, file importers, PDF generators, and - as in this case - URL scanning services. When an attacker submits a URL pointing to http://127.0.0.1, http://169.254.169.254 (the AWS metadata endpoint), or internal network addresses, the server dutifully makes the request and may return the response to the attacker.
In cloud environments, SSRF is especially dangerous. AWS EC2 instances expose an Instance Metadata Service (IMDS) at 169.254.169.254 that provides temporary IAM credentials, instance configuration, user data scripts, and other sensitive information. An SSRF vulnerability on an EC2 instance can allow attackers to steal IAM credentials and use them to access S3 buckets, databases, and other AWS services - potentially compromising an entire cloud infrastructure.
Even when applications implement URL validation, attackers have numerous bypass techniques at their disposal. DNS rebinding can trick allowlist checks by resolving to an internal IP after validation. URL parsing inconsistencies between the validator and the HTTP client can be exploited using techniques like URL encoding, IPv6 addressing, decimal IP notation, and redirect chains. Alternative protocols like file://, gopher://, and dict:// may also be available depending on the HTTP library in use.
Effective SSRF prevention requires a defense-in-depth approach. Applications should validate and sanitize URLs on the server side, use allowlists of permitted domains and IP ranges, and block requests to private IP ranges and cloud metadata endpoints. AWS offers IMDSv2, which requires a session token obtained through a PUT request, making SSRF exploitation significantly harder. Network-level controls like VPC security groups and firewall rules provide additional protection by limiting what internal resources the web server can reach.
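The validation described above can be sketched as follows. This is an added example, not code from the original page or the lab. The names `vet_url`, `is_forbidden` and `system_resolver` are hypothetical. The check runs on the resolved addresses rather than on the URL string, so decimal, IPv6-wrapped and DNS-based encodings of an internal address all land on the same test.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects file://, gopher://, dict://


def system_resolver(host, port):
    """Resolve with the OS resolver; returns a list of address strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_forbidden(addr):
    """True for loopback, private, link-local (IMDS) and other non-public IPs."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:  # unwrap ::ffff:a.b.c.d addresses
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast


def vet_url(url, resolver=system_resolver):
    """Return (host, port, ips) if every resolved address is public.

    Raises ValueError otherwise. The caller must connect to one of the
    returned ips (sending the original Host header) instead of resolving
    the name again, so a DNS rebinding answer cannot swap in an internal IP.
    Redirects must be disabled, or each hop vetted the same way.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ips = resolver(parts.hostname, port)
    if not ips:
        raise ValueError("host did not resolve")
    # One internal answer among several public ones is enough to reject.
    bad = [ip for ip in ips if is_forbidden(ip)]
    if bad:
        raise ValueError(f"{parts.hostname} resolves to blocked address {bad[0]}")
    return parts.hostname, port, ips
```

This complements, and does not replace, IMDSv2 and the network-level controls: it only covers the request the application itself makes.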