
Server-Side Request Forgery

Intermediate

Trick the server into fetching internal URLs — Redis session tokens, AWS IAM credentials, or admin panels — by supplying a malicious URL to an "import from URL" feature.

Import from URL: POST /api/import (body.url)

Challenges

1. Reach Internal Redis
Use the import URL field to fetch http://localhost:6379 and read cached session tokens.

2. Steal AWS IAM Credentials
Fetch the AWS EC2 metadata endpoint at http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-role-prod

3. Apply the Fix
Enable both protections. Confirm that internal URLs are blocked even when not in the allowlist.

How to fix SSRF
Allowlists, private IP blocking, and IMDSv2 on the metadata endpoint.
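
A sketch of the two protections from the fix step, private IP blocking plus a hostname allowlist, applied to the URL submitted in body.url. This is an added example, not the simulation's own code; ALLOWED_HOSTS, the example.com and example.org hostnames and the SAMPLE_DNS table are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"feeds.example.com"}  # assumed allowlist for the import feature
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"localhost": ["127.0.0.1"], "feeds.example.com": ["93.184.216.34"],
              "other.example.org": ["93.184.216.34"], "intranet.example.com": ["10.0.0.5"]}

def fake_resolver(host):
    """Offline stand-in for resolve_host(): table lookup, IP literals pass through."""
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    ipaddress.ip_address(host)  # ValueError for names not in the table
    return [host]

def resolve_host(host):
    """Real resolver: every address the name maps to."""
    return [i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def is_internal(addr):
    """True for loopback, RFC 1918, link-local (169.254.0.0/16) and other non-public ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
    return not ip.is_global

def check_import_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_host):
    """Return (ok, reason) for a URL submitted in body.url."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username is not None:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolver(host)
    except (OSError, ValueError):
        return False, "host does not resolve"
    # Protection 1: private IP blocking, checked on every resolved address.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    # Protection 2: exact-match hostname allowlist.
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"
```

The fetcher must connect to the address that was validated and re-run the check on every redirect; otherwise a second DNS lookup or a 3xx response can still lead to an internal host.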
