Lab 1: Basic URL Fetcher

Difficulty: Low

Lab Overview

This lab demonstrates a basic SSRF vulnerability in a URL fetcher service. The application makes server-side requests to user-supplied URLs without proper validation, allowing access to internal services.

Objective: Use SSRF to access internal services, cloud metadata, or local files.

Vulnerable PHP Code

// Handle URL fetch request
if (isset($_GET['url']) && !empty($_GET['url'])) {
    $url = $_GET['url'];
    
    // Vulnerable: No validation of URL
    try {
        $context = stream_context_create([
            'http' => [
                'timeout' => 10,
                'user_agent' => 'SSRF-Lab/1.0'
            ]
        ]);
        
        $response = file_get_contents($url, false, $context);
        
        if ($response !== false) {
            // Display response content
        }
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?url=https://example.com
// ?url=http://localhost:8080
// ?url=file:///etc/passwd

URL Fetcher Demo

URL fetched successfully!

Quick Test URLs:

Response Content: https://httpbin.org/get

{
  "args": {}, 
  "headers": {
    "Host": "httpbin.org", 
    "User-Agent": "SSRF-Lab/1.0", 
    "X-Amzn-Trace-Id": "Root=1-69f06232-0ef0388240fe54d53216cde0"
  }, 
  "origin": "49.12.85.254", 
  "url": "https://httpbin.org/get"
}

Response Headers:

HTTP/1.1 200 OK
Date: Tue, 28 Apr 2026 07:30:58 GMT
Content-Type: application/json
Content-Length: 233
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Vulnerability Details

Type: Server-Side Request Forgery (SSRF)
Severity: High
Parameter: url
Method: GET
Issue: Direct URL fetching without validation

Test Payloads

Try these payloads in the url parameter:

http://localhost:8080 - Local service
http://127.0.0.1:3306 - Database port
file:///etc/passwd - Local file
http://169.254.169.254/ - Cloud metadata
http://localhost:22 - SSH port

Example URLs:

1.php?url=http://localhost:8080
1.php?url=file:///etc/passwd

Quick Test URLs

Click these links to test the vulnerability:

Real-World Attack Scenarios

Access to internal services and APIs
Cloud metadata and credentials exposure
Database access and data exfiltration
Local file system access
Port scanning and service enumeration
Bypassing firewalls and network restrictions

Mitigation Strategies

Validate and whitelist allowed URLs
Block private IP ranges and localhost
Use URL parsing libraries to validate URLs
Implement proper error handling
Use outbound proxies with restrictions
Disable dangerous protocols (file://, gopher://)
Implement request timeouts and size limits