00 — Overview

SSRF — Make the Server Fetch For You

Use the Interceptor to send URLs the server should never fetch — internal admin panels, localhost services, and cloud metadata endpoints. No terminal, no curl.

Intermediate·40 min·5 tasks

// By the end of this module

→Use a proxy to craft and iterate SSRF payloads live

→Reach internal RFC1918 addresses via SSRF

→Exfiltrate AWS metadata credentials through SSRF

// Prerequisites

Injection · Intermediate

SSRF — Server-Side Request Forgery

50 min

→

Tools · Beginner

Burp Suite — The Hacker's Proxy

60 min

→