⚠ Intentionally vulnerable. Every endpoint here has a real SSRF bug. Find it, exploit it, see what your tools see.

Labs All classes Source on GitHub

Basic SSRF

/basic · sink: requests.get

Unfiltered server-side URL fetch.

URL to fetch:

Hint

There's a service the public can't reach: http://127.0.0.1:8089/. Try /admin or /secret on it.

View source for this lab →

Source: github.com/sampsonc/vulnlab.dev · security.txt · Part of vulnlab.dev