This lesson pulls together every SSRF technique into a progressive challenge range. Each challenge targets a specific skill from the course: basic URL parameter injection, cloud metadata extraction, internal service discovery, blind SSRF callback detection, and DNS rebinding bypass. The sim gives you a target and a code hint — you supply the exploit.
- Synthesise SSRF detection and exploitation techniques across five challenge levels.
- Read a vulnerable code snippet and construct the correct payload.
- Select the appropriate bypass technique for each defensive configuration.
- Apply blind SSRF detection via OOB callbacks in a realistic scenario.
- Challenge range: A set of deliberately vulnerable endpoints that test the learner’s ability to detect and exploit SSRF across different defensive configurations (CWE-918).
- Payload construction: The skill of reading source code, identifying the injection point, and crafting a URL that achieves the attacker’s goal given the application’s validation logic.
Five challenges, one course final
Each challenge presents a short code snippet showing a vulnerable URL-fetching endpoint. Your goal is to supply a URL that reaches an internal target or triggers a detectable callback. The challenges escalate in difficulty: start with a basic GET parameter injection, then move through cloud metadata extraction, internal port scanning, blind callback detection, and finally DNS rebinding against a hardened allowlist.
The app takes a "url" GET parameter and fetches it with no validation. Read /etc/hostname from the server via the file:// protocol.

Payload: file:///etc/hostname

Code hint:

```javascript
const url = req.query.url;      // attacker-controlled, never validated
const resp = await fetch(url);  // any scheme, any host
return resp.text();
```
How real SSRF chains escalate
Every major SSRF-related breach follows the same pattern: find a parameter that controls a URL, reach an internal service or cloud metadata endpoint, extract credentials, pivot laterally. The Capital One breach (2019), the Uber breach (2016), and the AlfaBank breach (2019) all began with an SSRF in a public-facing web application. The specific technique varied — one used IMDSv1, another used an internal Elasticsearch endpoint, another reached a Redis instance — but the kill chain was identical.
Apply every layer you have learned
By now you understand that no single control is sufficient. The review challenges are designed to show why: each challenge that you solve represents a real bypass of a defence that appeared sufficient. The only reliable approach is layered defence — allowlist, IP validation, no redirects, egress filtering, and IMDSv2 — combined with continuous review of every URL-fetching endpoint in the codebase.
```javascript
// Before the course: a single allowlist check
const url = req.query.url;
if (allowedHosts.includes(new URL(url).hostname)) {
  const resp = await fetch(url); // everything after this is wrong
}

// After the course: layered defence (resolve and isPublicIP are helper
// names used by this snippet and not shown here: the lookup must reject
// private, loopback and link-local answers, and the fetch must not follow
// redirects, since a 3xx to an internal address defeats the hostname check)
const parsed = new URL(url);
if (!allowedHosts.has(parsed.hostname)) return 403;
const ip = await resolve(parsed.hostname);
if (!isPublicIP(ip)) return 403;
const resp = await fetch(url, { redirect: 'manual' });
```

The SSRF course in one list
- SSRF turns the server into a proxy — every URL parameter is a potential entry point.
- Discovery comes from reading the application's HTTP interactions, not from scanning.
- Cloud metadata endpoints (169.254.169.254) are the highest-value target for SSRF in cloud environments.
- Blind SSRF requires out-of-band callback infrastructure — always have a listener ready when testing.
- Bypass techniques exploit gaps between validation and execution — close the gap, not the hostname.
- Defence in depth means the attacker must bypass every layer, not just one.
Knowledge check
1. An endpoint takes a "url" parameter and fetches it with redirects enabled. The hostname must end with ".example.com". Which technique reaches http://169.254.169.254/latest/meta-data/?
2. Review challenges progress from basic injection through blind detection to DNS rebinding. What skill does the DNS rebinding challenge specifically test?
3. After completing this course, you find an SSRF in a production application. What is your first step?