
🌐 SSRF Tutorial – Flask Lab + WebGoat + Docker

📌 What is SSRF?

Server-Side Request Forgery (SSRF) allows an attacker to make the server send requests on their behalf, often to internal systems.


⚠️ Real-World Example

A website lets users fetch profile pictures from a URL:

GET /fetch?url=http://example.com/image.jpg

What if an attacker supplies:

http://localhost:8080/admin

The server will access internal systems, which the attacker can’t reach directly.


πŸ› οΈ 1. Build Your Own SSRF-Vulnerable Flask App

πŸ“ Project Structure:

ssrf-flask-app/
├── app.py
├── Dockerfile
└── requirements.txt

📄 app.py

from flask import Flask, request
import requests

app = Flask(__name__)

@app.route("/")
def index():
    # Simple form that posts the user-supplied URL to /fetch
    return '''
    <h2>📸 Fetch Image From URL</h2>
    <form action="/fetch">
        <input name="url" placeholder="Enter image URL">
        <button type="submit">Fetch</button>
    </form>
    '''

@app.route("/fetch")
def fetch():
    # Deliberately vulnerable: the URL comes straight from the query string and is
    # fetched by the server with no scheme, host or IP validation (the SSRF).
    url = request.args.get("url")
    try:
        r = requests.get(url, timeout=3)
        # Echoes the first 300 bytes of whatever the server reached back to the user
        return f"<h4>✅ Response from {url}</h4><pre>{r.text[:300]}</pre>"
    except Exception as e:
        return f"<p style='color:red'>❌ Error: {str(e)}</p>"

if __name__ == "__main__":
    # Bind to all interfaces so the app is reachable from outside the container
    app.run(host="0.0.0.0", port=5000)

📄 requirements.txt

flask
requests

📄 Dockerfile

FROM python:3.11-slim
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
EXPOSE 5000
CMD ["python", "app.py"]

▢️ Run the Lab

docker build -t ssrf-lab .
docker run -d -p 5000:5000 --name ssrf-lab ssrf-lab

Visit http://localhost:5000


🧪 SSRF Testing

Try inputs like:

  • http://localhost:5000

  • http://127.0.0.1:5000

  • http://169.254.169.254 (AWS metadata)

  • file:///etc/passwd (for local file read)

If successful, the server fetches data it shouldn’t.


🔒 SSRF Prevention

✅ Tips to prevent SSRF:

  • Block internal IPs (127.0.0.1, localhost, 169.254.*, 10.*, 192.168.*)

  • Use a URL allowlist

  • Avoid user-controlled URLs

  • Use DNS pinning (optional)

  • Restrict outbound traffic from servers
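The tips above combined into a hardened counterpart of the lab's /fetch handler. This is an added example, not code from the original tutorial: it enforces an http/https scheme check, an exact-match hostname allowlist, resolves the host and rejects any address in loopback, private, link-local (including 169.254.169.254) or otherwise non-routable ranges, and fetches without following redirects. The allowlisted host images.example.com, the helper names, and the resolver injection used for offline testing are all assumptions. Because the allowlist compares names rather than strings, the filter-bypass spellings the WebGoat lesson covers (127.1, 0x7f000001, IPv4-mapped IPv6) never match an allowed name, and the post-resolution check catches an allowed name that has been pointed at an internal address.

```python
# Hardened /fetch for the SSRF lab (added example; names and allowlist are hypothetical).
import html
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com"}   # hypothetical allowlist of image hosts


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails any SSRF check."""


def resolve_all(host):
    """Resolve a hostname to every IPv4/IPv6 address it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(ip):
    """True for loopback, RFC 1918, link-local (169.254.0.0/16 incl. the cloud
    metadata address), reserved, multicast and unspecified addresses."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return the sorted addresses the URL's host resolves to, or raise UnsafeURL.

    `resolver` is injectable so the checks can be exercised without DNS."""
    parsed = urlparse(url)
    # Scheme check: requests itself rejects file:// (InvalidSchema), but other HTTP
    # clients such as curl do not, so enforce the scheme explicitly.
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parsed.scheme!r} not allowed")
    # user:pass@host forms are a classic way to smuggle a different host past a
    # naive string check; there is no legitimate reason to accept them here.
    if parsed.username or parsed.password:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    # Exact match on the allowlist: 127.1, 0x7f000001, decimal and IPv6-mapped
    # spellings of loopback are rejected because none of them equals an allowed name.
    if host.lower() not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    # Resolve and check every address: an allowlisted name can still be pointed at
    # an internal address (DNS rebinding or a compromised zone).
    addrs = sorted(resolver(host))
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # check ::ffff:127.0.0.1 as 127.0.0.1
        if is_internal(ip):
            raise UnsafeURL(f"{host} resolves to internal address {addr}")
    return addrs


def is_safe_fetch_url(url, **kw):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, **kw)
        return True
    except UnsafeURL:
        return False


def safe_fetch(url, timeout=3):
    """Validate, then fetch without following redirects (a 302 to an internal host
    would reopen the hole). Residual risk: the name may re-resolve between the
    check and the connect; the outbound-traffic restriction is the backstop."""
    validate_fetch_url(url)
    import requests  # imported lazily so the validator works without requests
    return requests.get(url, timeout=timeout, allow_redirects=False)


def create_app():
    """Drop-in replacement for the lab's app.py: same /fetch route, now guarded."""
    from flask import Flask, abort, request
    app = Flask(__name__)

    @app.route("/fetch")
    def fetch():
        url = request.args.get("url", "")
        try:
            r = safe_fetch(url)
        except UnsafeURL as e:
            abort(400, str(e))
        # Escape the remote body so the proxy does not become an XSS vector too
        return f"<pre>{html.escape(r.text[:300])}</pre>"

    return app


if __name__ == "__main__":
    create_app().run(host="0.0.0.0", port=5000)
```

Swap this `create_app()` for the lab's `app` to see the testing inputs above return HTTP 400 instead of internal content. The allowlist is the control that does the real work; the IP-range check is defence in depth for the case where an allowed name is redirected inside the network.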


🧪 2. Practice SSRF in WebGoat

🐳 Run WebGoat + WebWolf:

docker run -d -p 8080:8080 -p 9090:9090 --name webgoat-ssrf webgoat/webgoat-8.2

Access WebGoat in your browser and go to:

A10 - SSRF → SSRF Basics & SSRF Advanced

It includes:

  • URL parsing attacks

  • Bypassing filters (e.g. 127.1, 0x7f000001)

  • Cloud metadata exploitation


🧠 Summary

Concept   Details
SSRF      Server makes requests the attacker controls
Impact    Internal service access, cloud metadata leaks
Fix 1     Block internal IPs
Fix 2     Use allowlist of domains
Fix 3     Avoid user-controlled URLs
Fix 4     Sanitize and validate URL schemes