JuicedShop Security Lab Series: Server-Side Request Forgery (SSRF)

Type: Red Team
Who Should Play: Security analysts, penetration testers, application security engineers, and technical leaders want to deepen their understanding of web application vulnerabilities through hands-on offensive techniques. 

Objective:

This mini game explores how attackers can exploit web applications that allow user-supplied URLs to perform unintended actions on behalf of the server. You'll locate a feature within JuicedShop that accepts an external URL, and use it to trick the server into making requests it shouldn't.

By crafting malicious input, you'll demonstrate how SSRF can be used to access internal services, probe protected networks, or even deliver malware through the server itself. What begins as a simple link field can quickly escalate into a major security risk.

Why it matters: SSRF vulnerabilities are especially dangerous in cloud, native, and microservice-heavy environments. They allow attackers to pivot inside trusted infrastructure and bypass external protections. This mini game reinforces the importance of validating user input, even when the user isn't directly interacting with sensitive resources.

About the JuicedShop Mini Game Series:

Challenge yourself in a dynamic, hands-on mini game series based on OWASP Juice Shop, a purposefully vulnerable web application replicating real-world security flaws in a safe, sandboxed environment. This interactive experience includes ten unique mini games, each aligned with a specific vulnerability from the OWASP Top Ten - the most critical web application security risks recognized by the industry.

Whether you're exploring web app security for the first time or refining advanced ethical hacking skills, this series offers an engaging, gamified way to practice identifying, exploiting, and understanding common flaws found in modern websites.

Included Mini Games:

1. JuicedShop Security Lab Series: Broken Access Control
2. JuicedShop Security Lab Series: Cryptographic Failures
3. JuicedShop Security Lab Series: Injection Attacks
4. JuicedShop Security Lab Series: Insecure Design
5. JuicedShop Security Lab Series: Security Misconfiguration
6. JuicedShop Security Lab Series: Vulnerable and Outdated Components
7. JuicedShop Security Lab Series: Identification and Authentication Failures
8. JuicedShop Security Lab Series: Software and Data Integrity Failures
9. JuicedShop Security Lab Series: Logging and Monitoring Failures
10. JuicedShop Security Lab Series: Server-Side Request Forgery (SSRF)

These bite-sized mini games are designed to sharpen offensive testing techniques and deepen your understanding of how vulnerabilities can be discovered and exploited in real-world scenarios.

How to Get Started

1. Click the "Launch lab" button on the right side of this page
2. Once inside the virtual environment, watch the video in the "Start Here" tab of your lab gateway for next steps
3. Good luck and have fun!

Through these mini games, you will work toward the following key goals and objectives:

• Validate offensive web application testing skills through real-world scenarios
• Identify and exploit vulnerabilities aligned with the OWASP Top Ten
• Strengthen familiarity with tools like Burp Suite in practical environments
• Reinforce understanding of how common security flaws manifest in production apps
• Develop confidence in spotting, testing, and documenting high-impact web flaws

• Kali Linux virtual machine pre-configured with essential offensive security tools
  • curl
  • sqlmap
  • nmap
  • ffuf
  • and more…
• Pre-loaded vulnerable web application based on OWASP Juice Shop
• Burp Suite (Community Edition) – used for intercepting, modifying, and replaying HTTP requests