# SSRF Lab Guide This guide covers the labs exposed from /SSRF/ and explains what each one is meant to teach, how to interact with it, and what success looks like. ## Lab Map PHP SSRF example: - Path: /SSRF/ssrfExample/ - Goal: Use a vulnerable server-side fetch to read an internal-only resource. - Success target: /SSRF/ssrfExample/internal/login.php API SSRF bundle: - Landing page: /SSRF/api-ssrf/ - Goal: Practice basic SSRF, blind SSRF, internal-only API access, and hidden SSRF flows. - Main ports: 8100, 8101, 8102, 8103, 8104, 8105, 6000, 8106 ## SSRF Example What it teaches: - User-controlled URLs are dangerous when fetched server-side. - Internal content can become reachable through the application server. How to use it: 1. Open /SSRF/ssrfExample/. 2. Submit a URL through the form. 3. Use the internal target as the payload: https://labs.hackxpert.com/SSRF/ssrfExample/internal/login.php 4. The page is vulnerable if it returns the content from that internal file. What success looks like: - The response contains: Good job!! Notes: - A legacy helper endpoint also exists at /SSRF/ssrfExample/1.php. - It accepts both ?url= and the older ?show= parameter for compatibility. ## API SSRF Labs ### App on port 8100 Purpose: - Demonstrates a public form that triggers a server-side fetch through /internal-fetch. How to test: 1. Open http://labs.hackxpert.com:8100/ 2. Submit a URL such as http://127.0.0.1:8105/internal-data 3. Observe whether the server returns content from the internal service. Expected result: - A JSON response showing the fetched URL, status code, and content. ### Blind SSRF on port 8102 Purpose: - Demonstrates a blind fetch where the request happens but the body is not reflected to the user. How to test: 1. Open the Swagger docs at http://labs.hackxpert.com:8102/apidocs/ 2. Submit POST /blind-ssrf with a URL you control or an internal URL. 3. Verify success through server-side logging or an out-of-band target. Expected result: - The API responds with a generic message instead of the fetched body. ### Internal API on port 8105 Purpose: - Simulates an internal-only endpoint that should reject direct external access. How to test: 1. Visit http://labs.hackxpert.com:8105/apidocs/ 2. Try GET /internal-data directly. 3. Then access it through the SSRF lab on port 8100. Expected result: - Direct external access should be forbidden. - Server-side access through another vulnerable service should succeed. ### Intranet service on port 6000 Purpose: - Simulates an internal business service that becomes reachable if an SSRF primitive exists elsewhere. How to test: 1. Visit http://labs.hackxpert.com:6000/intranet-data 2. Use that URL as a target in the other SSRF labs. Expected result: - The service returns a JSON payload with internal system details. ### Theme Park API on port 8106 Purpose: - Demonstrates a hidden SSRF flow where a public endpoint forwards requests internally. How to test: 1. Open http://labs.hackxpert.com:8106/public/info 2. Supply a query value that contains an internal URL. 3. Example: http://labs.hackxpert.com:8106/public/info?query=http://127.0.0.1:8106/internal/maintenance Expected result: - The public endpoint triggers the internal SSRF check and returns the result of the internal request path. ### Big, Book Review, and Exploit Management Purpose: - These apps provide additional SSRF-style fetch endpoints with slightly different business contexts. Useful entry points: - http://labs.hackxpert.com:8101/ - http://labs.hackxpert.com:8103/ - http://labs.hackxpert.com:8104/exploits What to look for: - Parameters such as link, data_url, or similar URL-like fields. - Admin-only or hidden endpoints that still perform server-side requests. ## Troubleshooting If a lab looks broken: 1. Confirm the linked route actually exists. 2. Check whether the service is bound to 0.0.0.0 instead of only localhost. 3. For local-only protections, account for IPv4 and IPv6 loopback addresses. 4. Prefer 127.0.0.1 in self-calls when localhost resolution is inconsistent. ## Quick Validation Checklist 1. The PHP SSRF example fetches the submitted URL instead of a hard-coded page. 2. The form posts to a real handler. 3. The API landing page links point to usable routes rather than dead roots. 4. Internal-only checks treat 127.0.0.1 and ::1 as local. 5. Services meant to be reachable from the browser bind to 0.0.0.0.