⚠ Intentionally vulnerable.
Every endpoint here has a real SSRF bug. Find it, exploit it, see what your tools see.
SSRF labs
ssrf.vulnlab.dev
A dozen labs covering the SSRF detection surface most tools care about: unfiltered fetch, broken validators, parser-disagreement bypasses, redirect chases, scheme abuse, gopher-to-TCP pivots, fully and semi-blind variants, and cloud metadata in three flavors (AWS, GCP, Azure).
Internal targets that exist on this host (and would normally be unreachable from the public internet):
http://127.0.0.1:8089/ — internal admin/secret API (HTTP)
http://127.0.0.1:6479/ — "redis-like" TCP service (raw bytes, no HTTP)
Source for every lab is published. Each lab page links to its own source via /source/<slug>. Run your SAST/DAST/LLM-based reviewer against the deployed app or the GitHub repo and see what each catches.