Task 1 of 5

The Server as Your Proxy

Every time a web app fetches a URL on your behalf — a link preview, an image import, a webhook — it makes an outbound HTTP request from its own server. That request comes from inside the network. It can reach things you cannot: internal dashboards, admin panels, databases, cloud credential services.

SSRF (Server-Side Request Forgery) is when you control what URL the server fetches. The server becomes your proxy into places you have no business reaching.

WHERE SSRF HIDES IN REAL APPS
Link preview
Chat apps, social media, Slack-style tools. You paste a URL, the server fetches it to generate a preview card. You control the URL.
Image import by URL
Profile photo, product image, avatar — "import from URL". The server fetches the image. You give it a localhost address instead.
Webhook / callback URL
Integrations that ping a URL when something happens. You register an internal address as the webhook target.
PDF generator
Services that render a URL to PDF. You give it http://localhost/admin. The server renders the internal page and sends you the PDF.

The lab in this module is a WhatsApp-style chat bot. Send it a link and it fetches a preview. That fetch is server-side — which means you can point it anywhere the server can reach, including itself.
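The fix on the server side is to validate the destination before fetching. As an added example (not part of this module or its lab), here is the kind of check a link-preview service should run in Python: it allows only http/https, resolves the hostname, and refuses if any address the host maps to is loopback, private, link-local or otherwise non-public. The names in FAKE_DNS and the resolver table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    # Every address the name maps to (A and AAAA); an IPv6 zone id is dropped.
    try:
        return [i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_public_address(addr):
    # ::ffff:127.0.0.1 is still loopback, so check the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # is_global excludes private, loopback, link-local, CGNAT and unspecified.
    return addr.is_global and not addr.is_multicast

def check_preview_url(url, resolver=resolve_all):
    # Returns (ok, reason); ok only if EVERY address the host maps to is public.
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal address: no DNS lookup needed
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        return False, "unresolvable host"
    for raw in candidates:
        if not is_public_address(ipaddress.ip_address(raw)):
            return False, f"resolves to non-public address {raw}"
    return True, "ok"

# Constructed resolver table (hypothetical names) so the example runs offline.
FAKE_DNS = {"public.example": ["1.2.3.4"], "mixed.example": ["1.2.3.4", "10.0.0.5"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Re-run the check on every redirect target, and connect to the address that passed the check rather than resolving the name a second time, otherwise a name whose answer changes between check and fetch slips through.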

1. Why can a server reach internal services that you cannot reach directly from your browser?

2. Which of these features is most likely to be vulnerable to SSRF?
