SSRF

From a single URL parameter to the entire cloud metadata service. Understand how server-side request forgery turns the server into a proxy for internal attacks.

8 lessons · 116 min total

Curriculum

8 parts in 5 phases
Foundation · 2 lessons · 22 min
Lesson 1 · Beginner

SSRF: The Server Makes the Request

The app fetches a URL the attacker controls. Now the server issues GET requests on behalf of the attacker — to internal IPs, cloud metadata, and services that trust localhost.

Tags: SSRF, OWASP, Web
12 min
Lesson 2 · Beginner

Finding SSRF in the Wild

URL params, webhook URLs, file imports, document preview, SSO SAML assertions — every place the server fetches a URI the attacker controls.

Tags: SSRF, Discovery, Recon
10 min
Offense · Core techniques · 3 lessons · 42 min
Lesson 3 · Intermediate

Cloud Metadata Attacks

AWS IMDS, Azure IMDS, GCP metadata. The link-local endpoint that returns instance credentials, access tokens, and infrastructure secrets, reachable from any compute instance that can make an HTTP request to it.

Tags: SSRF, Cloud, Metadata
14 min
Lesson 4 · Intermediate

Internal Network Pivot

From the vulnerable app server to every internal service: Redis, Elasticsearch, internal dashboards, the Kubernetes API. Services the attacker cannot reach directly but the server can.

Tags: SSRF, Pivot, Internal
14 min
Lesson 5 · Advanced

Blind SSRF

No response body, no error message — only a side-channel pingback. Blind SSRF detection via out-of-band DNS/HTTP callbacks, timing, and error-based inference.

Tags: SSRF, Blind, OOB
14 min
Offense · Deep extraction · 1 lesson · 16 min
Lesson 6 · Advanced

SSRF Bypass Techniques

DNS rebinding, redirect following, IPv4-mapped IPv6 addresses, URL parser differentials, decimal/octal IP notation. How to reach a blocked target when the application or WAF filters destinations with an allowlist or denylist.

Tags: SSRF, Bypass, DNS
16 min
Discovery & Defense · 1 lesson · 14 min
Lesson 7 · Intermediate

SSRF Defense

URL allowlist, IP deny list, disabled redirect following, network segmentation, IMDSv2 and metadata-service tokens. The layered defences that make SSRF a finding, not a breach.

Tags: SSRF, Defense, Hardening
14 min
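The bypass lesson and the defense lesson above are two sides of one check, so here is a worked example of both, written for this page and not taken from the course materials: the string deny list most apps start with, beside a validator that parses the host the way the socket layer will (so decimal, octal, hex and shortened IPv4 spellings normalize), unwraps IPv4-mapped IPv6, checks every resolved record rather than the first, refuses non-HTTP schemes, and returns a pinned IP so the caller connects to the address that was checked (the DNS-rebinding defence). The hostnames `cdn.example`, `rebind.example` and `meta.example`, the stub resolver and its records are constructed for the demo; the allow/deny function names are the example's own.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# ---- Before: the string deny list most apps start with ----------------------
DENIED_HOSTS = {"127.0.0.1", "localhost", "169.254.169.254"}

def naive_is_allowed(url: str) -> bool:
    """String-compare the URL's host against a deny list. Defeated by any
    other spelling of the same address and by any DNS name."""
    host = (urlparse(url).hostname or "").lower()
    return host not in DENIED_HOSTS

# ---- After: parse like the socket layer, resolve, check every record, pin ---
ALLOWED_SCHEMES = {"http", "https"}      # no gopher://, file://, dict:// smuggling
# Explicit ranges on top of the stdlib is_* flags, so carrier-grade NAT
# (100.64/10) is covered regardless of Python version.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_ip_literal(host: str):
    """Return the address a literal host denotes, or None for a DNS name.
    IPv4 goes through inet_aton, the same parser connect() uses, so decimal
    (2130706433), octal (0177.0.0.1), hex (0x7f000001) and short (127.1)
    spellings normalize to the address they really reach."""
    if ":" in host:                        # IPv6 literal, brackets already stripped
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None

def is_blocked_ip(ip) -> bool:
    """True for anything that is not a plain public unicast address."""
    mapped = getattr(ip, "ipv4_mapped", None)    # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved):
        return True
    return any(ip in net for net in BLOCKED_NETS)

def resolve(host: str, resolver=None):
    """All addresses for a DNS name. `resolver` lets a stub be injected
    (used below); the default asks the system resolver."""
    if resolver is not None:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    return [ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)]

def safe_target(url: str, resolver=None):
    """Validate a user-supplied URL. Returns (pinned_ip, hostname): connect to
    pinned_ip and send hostname in Host/SNI, so a second lookup cannot rebind
    the name to an internal address. Raises ValueError otherwise. Fetch with
    redirects disabled and re-run this on every Location header."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    literal = parse_ip_literal(host)
    try:
        addrs = [literal] if literal is not None else resolve(host, resolver)
    except (OSError, ValueError) as exc:
        raise ValueError(f"cannot resolve {host}: {exc}")
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    for ip in addrs:                       # every record, not just the first
        if is_blocked_ip(ip):
            raise ValueError(f"{host} -> {ip} is not a public address")
    return str(addrs[0]), host

# ---- Constructed stub DNS so the demo runs offline (not real records) -------
STUB_DNS = {
    "cdn.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # one internal A
    "meta.example": ["::ffff:169.254.169.254"],              # mapped IMDS
}
def stub_resolver(host):
    if host not in STUB_DNS:
        raise ValueError(f"NXDOMAIN {host}")
    return STUB_DNS[host]

def hardened_is_allowed(url: str) -> bool:
    try:
        safe_target(url, stub_resolver)
        return True
    except ValueError:
        return False

# Every entry passes the naive check and fails the hardened one.
BYPASSES = [
    "http://2130706433/",          # decimal 127.0.0.1
    "http://0177.0.0.1/",          # octal
    "http://0x7f000001/",          # hex
    "http://127.1/",               # short form
    "http://[::1]/",               # IPv6 loopback
    "http://[::ffff:169.254.169.254]/latest/meta-data/",   # IPv4-mapped IPv6
    "http://rebind.example/",      # DNS name with an internal record
    "http://meta.example/",        # DNS name resolving to mapped IMDS address
    "gopher://cdn.example:6379/",  # scheme smuggling toward Redis
]
ALLOWED = ["https://cdn.example/report.pdf", "http://93.184.216.34/"]

def audit(urls):
    """Map each URL to (naive verdict, hardened verdict)."""
    return {u: (naive_is_allowed(u), hardened_is_allowed(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, hard) in audit(BYPASSES + ALLOWED).items():
        print(f"{url:52} naive={naive!s:5} hardened={hard}")
```

The pinned IP is the important return value: if the fetch layer re-resolves the hostname itself, a rebinding resolver can answer the validator with a public address and the HTTP client with 169.254.169.254, and the check is void. Equally, a 30x to an internal address must be re-validated by the same function rather than followed by the client.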
Real-world & Review · 1 lesson · 22 min
Lesson 8 · Intermediate

SSRF Review & Practice

A curated set of progressively harder SSRF challenges: URL param injection, cloud metadata extraction, internal service discovery, blind callback detection, bypass techniques. The SSRF course final.

Tags: SSRF, Review, Practice
22 min

© 2026 Truesapiens.
