SSRF labs

ssrf.vulnlab.dev

Six labs covering the SSRF detection surface most tools care about: unfiltered fetch, broken validators, scheme abuse, blind variants, and cloud metadata.

Internal targets that exist on this host (and would normally be unreachable from the public internet):

Labs

Basic SSRF (requests.get): Unfiltered server-side URL fetch.
SSRF behind a substring blocklist (urllib.request.urlopen): Rejects URLs containing 'localhost' or '127.0.0.1', then fetches.
SSRF behind a substring allowlist (requests.get): Only fetches if the URL 'contains' vulnlab.dev, which the validator checks the wrong way.
SSRF with unrestricted URL scheme (urllib.request.urlopen): Any scheme urllib supports works, including file:// for local file read.
Blind SSRF (httpx.get): Server fetches the URL but tells you nothing about the response.
SSRF in cloud-hosted (mock AWS) app (requests.get): A profile-image fetcher running on a fake EC2. Reach the metadata service.

For tool builders

Source for every lab is published. Each lab page links to its own source via /source/<slug>. Run your SAST/DAST/LLM-based reviewer against the deployed app or the GitHub repo and see what each catches.