SSRF Labs — Server-Side Request Forgery Practice
SSRF was the bug behind the Capital One breach (100M+ records) and dozens of major incidents since. These labs let you practice SSRF attacks against simulated cloud infrastructure — including bypassing common allowlist defences via HTTP redirects.
SSRF attacks let attackers turn an application's server into a proxy, reaching internal services, cloud metadata APIs, and other normally unreachable endpoints. These labs simulate the kinds of internal services you'd find on AWS or GCP, and give you both straightforward exploitation and advanced allowlist-bypass scenarios.
SSRF — Image URL Fetcher
AvatarFetcher takes a URL and downloads the image server-side. The fetcher has no allowlist — point it at an internal-only address to read cloud metadata.
SSRF — Allowlist Bypass via Redirect
PreviewBot has an allowlist — only example.com / wikipedia.org / githubusercontent.com URLs are accepted. But the fetcher follows HTTP redirects without re-checking the new destination against that allowlist. Find a redirect host that points back to an internal address.
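As an added defensive counterpart to the two labs above (example code written for this page, not part of the labs), here is a fetcher that closes both gaps: it resolves every hostname and rejects non-public addresses such as the 169.254.169.254 metadata endpoint, and it follows redirects itself so that each hop goes back through the same check. The allowlist is the PreviewBot one from the page; `resolve`, `check_url`, `http_open` and `safe_fetch` are names chosen here and are assumptions, not lab code.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urljoin, urlparse

# Allowlist from the PreviewBot lab; subdomains of these hosts are accepted too.
ALLOWED_HOSTS = ("example.com", "wikipedia.org", "githubusercontent.com")

def resolve(host):
    """Every address the host resolves to (an IP literal resolves to itself)."""
    return {ipaddress.ip_address(r[4][0].split("%")[0]) for r in socket.getaddrinfo(host, None)}

def check_url(url, resolver=resolve):
    """Return (ok, reason); reject non-http, non-allowlisted or non-public targets."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "scheme or host missing"
    host = p.hostname.lower()
    if not any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
        return False, f"host {host} not in allowlist"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve {host}"
    for a in addrs:  # loopback, RFC 1918, link-local (169.254.169.254) etc. are not global
        if not a.is_global:
            return False, f"{host} resolves to non-public address {a}"
    return True, "ok"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    redirect_request = lambda self, *a, **k: None  # never auto-follow a 3xx
def http_open(url):
    """Default opener: (status, Location header, body) without following redirects."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=5) as r:
            return r.status, None, r.read()
    except urllib.request.HTTPError as e:  # an unfollowed 3xx surfaces here
        return e.code, e.headers.get("Location"), b""

def safe_fetch(url, max_redirects=3, resolver=resolve, opener=http_open):
    """Fetch url, re-validating the destination on every redirect hop."""
    for _ in range(max_redirects + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            raise ValueError(f"blocked: {reason}")
        status, location, body = opener(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, body
        url = urljoin(url, location)  # the next hop is re-checked at the top of the loop
    raise ValueError("blocked: too many redirects")
```

The lookup in `check_url` and the connection made by the opener are two separate DNS resolutions, so a rebinding answer that changes between them is not covered here; pinning the connection to the address that was checked closes that remaining gap.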