Lab 1: Basic URL Fetcher

SSRF in basic URL fetching functionality

Difficulty: Low

Lab Overview

This lab demonstrates a basic SSRF vulnerability in a URL fetcher service. The application makes server-side requests to user-supplied URLs without proper validation, allowing access to internal services.

Objective: Use SSRF to access internal services, cloud metadata, or local files.

Vulnerable PHP Code

<?php
// Handle URL fetch request
if (isset($_GET['url']) && !empty($_GET['url'])) {
    $url = $_GET['url'];

    // Vulnerable: no validation of the URL's scheme, host or resolved address
    try {
        $context = stream_context_create([
            'http' => [
                'timeout' => 10,
                'user_agent' => 'SSRF-Lab/1.0'
            ]
        ]);

        // file_get_contents() honours every registered stream wrapper, so
        // file:// paths and http://localhost are fetched exactly like a public URL
        $response = file_get_contents($url, false, $context);

        if ($response !== false) {
            // Display response content (escaped so the fetched body is shown as text)
            echo htmlspecialchars($response, ENT_QUOTES, 'UTF-8');
        }
    } catch (Exception $e) {
        // Error handling: note that file_get_contents() reports failure by
        // returning false and emitting a warning, not by throwing, so this
        // branch only catches exceptions raised elsewhere in the request
        echo 'Fetch failed';
    }
}

// Example vulnerable usage:
// ?url=https://example.com
// ?url=http://localhost:8080
// ?url=file:///etc/passwd
Vulnerability Details
  • Type: Server-Side Request Forgery (SSRF)
  • Severity: High
  • Parameter: url
  • Method: GET
  • Issue: Direct URL fetching without validation
Test Payloads

Try these payloads in the url parameter:

  • http://localhost:8080 - Local service
  • http://127.0.0.1:3306 - Database port
  • file:///etc/passwd - Local file
  • http://169.254.169.254/ - Cloud metadata
  • http://localhost:22 - SSH port

Example URLs:

  • 1.php?url=http://localhost:8080
  • 1.php?url=file:///etc/passwd
Mitigation Strategies
  • Validate and whitelist allowed URLs
  • Block private IP ranges and localhost
  • Use URL parsing libraries to validate URLs
  • Implement proper error handling
  • Use outbound proxies with restrictions
  • Disable dangerous protocols (file://, gopher://)
  • Implement request timeouts and size limits
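The vulnerable handler above and the mitigation list describe the fix without showing it; the following hardened fetcher is an added example (not the lab's own code) that applies those mitigations in PHP: scheme and host allowlisting, default ports only, a check of every resolved address with the connection pinned to the checked IP, no redirect following, and timeouts and a size limit. ALLOWED_HOSTS, the function names and the 1 MiB limit are assumptions for this example.

```php
<?php
// Hardened replacement for the lab's fetch handler: an added example, not the lab's
// own code. ALLOWED_HOSTS is an assumption; set it for your deployment.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Rejects loopback, RFC 1918, link-local (so 169.254.169.254), fc00::/7, ::1 and
// IPv4-mapped IPv6. The flags do not cover 100.64.0.0/10 (CGNAT); add it if needed.
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [host, port, normalised URL] or throws with the reason for rejection.
// Userinfo and fragment are dropped when the URL is rebuilt from its parts.
function validate_fetch_url(string $url): array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) throw new InvalidArgumentException('malformed URL');
    $scheme = strtolower($p['scheme']);
    // Only http/https: rules out file://, gopher://, php:// and every other stream wrapper
    if (!in_array($scheme, ['http', 'https'], true)) throw new InvalidArgumentException('scheme not allowed');
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) throw new InvalidArgumentException('host not in allowlist');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Default ports only, so the fetcher cannot be used to probe other ports on allowed hosts
    if (!in_array($port, [80, 443], true)) throw new InvalidArgumentException('port not allowed');
    $clean = "$scheme://$host:$port" . ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
    return [$host, $port, $clean];
}

function safe_fetch(string $url): string {
    [$host, $port, $clean] = validate_fetch_url($url);
    // Resolve once, check every address, then pin cURL to the checked address so a
    // second lookup (DNS rebinding) cannot swap in an internal IP between check and use.
    $ips = array_map(fn($r) => $r['ip'] ?? $r['ipv6'] ?? '', dns_get_record($host, DNS_A | DNS_AAAA) ?: []);
    if ($ips === [] || array_filter($ips, fn($ip) => !is_public_ip($ip))) {
        throw new RuntimeException('host resolves to a non-public address');
    }
    $pin = str_contains($ips[0], ':') ? "[{$ips[0]}]" : $ips[0];  // bracket IPv6 for CURLOPT_RESOLVE
    $ch = curl_init($clean);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back at localhost
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$pin"],
        CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_TIMEOUT => 10,
        CURLOPT_MAXFILESIZE    => 1048576,  // 1 MiB; enforced only when Content-Length is sent
    ]);
    $body = curl_exec($ch); $err = curl_error($ch); curl_close($ch);
    if ($body === false) throw new RuntimeException("fetch failed: $err");
    return $body;
}
```

Call safe_fetch($_GET['url']) inside a try/catch, log the exception message server-side and return only a generic error to the client.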