Hands-On Lab (Beginner)

Server-Side Request Forgery (SSRF): Requesting Hidden Resources in OWASP Juice Shop

Learn to exploit SSRF vulnerabilities in OWASP Juice Shop by leveraging a Gravatar URL field to interact with restricted server-side resources.

Estimated time: 30 min
Guided steps: 3
Verification: automated
Sandbox: isolated

Lab overview

Server-Side Request Forgery (SSRF) is a critical vulnerability that allows attackers to trick a server into fetching or interacting with internal or external resources. In this lab, you will explore SSRF vulnerabilities in the OWASP Juice Shop application by leveraging a vulnerable Gravatar URL field to simulate an attack. Through this exercise, you will understand how attackers exploit SSRF vulnerabilities to access restricted server-side functionality and learn the importance of securing server resource requests.

Objectives

Upon completion of this lab, you will be able to:

  • Understand Server-Side Request Forgery (SSRF) vulnerabilities.
  • Craft SSRF payloads to exploit internal server resources.
  • Recognize the risks of improper server-side validation.

Who is this lab for?

This lab is designed for:

  • Security professionals looking to enhance their skills in exploiting and mitigating SSRF vulnerabilities.
  • Developers aiming to understand SSRF risks and implement secure server-side validation.
  • IT professionals and beginners interested in server-side security concepts.

Verified against your live environment

An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was actually performed in the environment, not answered as a multiple-choice question.


Environment

Web App Workspace

Every lab includes

  • Real environment, pre-credentialed
  • Automated checks on every step
  • Isolated sandbox, auto cleanup
  • AI-recommended next steps

Lab curriculum

  1. Understanding Server-Side Request Forgery (SSRF)
  2. Simulating an SSRF Attack Using Gravatar URL Field (1 automated check)
  3. Mitigation and Takeaways
