
Tags: easy, SSRF, Free

Statuscraft

Statuscraft is a self-hosted uptime checker built by two engineers in Berlin. You point it at a URL, it pings the URL every 30 seconds and tells you whether it's up. The "first ping" preview it shows after you add a monitor turns out to be more useful than the engineers intended.

The Scenario

Statuscraft is a two-engineer side project out of Berlin, founded in 2022 as a hobbyist alternative to Statuspage — drop in a URL, get a status page, pipe outages to Slack. Hobby tier is free, the team tier is €9/month, and the self-hosted build ships next month. The add-monitor form shows you the first ping inline so you can sanity-check the response before committing the monitor; the engineers built it in a weekend and never came back to harden it.

Challenge Intel

Synopsis

POST /monitors/new takes a URL, runs requests.get() against it server-side with no validation, and renders the first 200 bytes of the response body back to the player. An internal HTTP server on 127.0.0.1:8080 inside the container serves the flag at /. Point the monitor at http://127.0.0.1:8080/ and the flag is reflected on the monitor detail page.

What It Is

Classic textbook SSRF. The add-monitor handler calls `requests.get(url, timeout=3, allow_redirects=True)` with the raw user-supplied URL — no scheme allowlist, no host blocklist, no private-range check, no DNS rebinding mitigation. The first 200 bytes of the response body are stored on the monitor row and rendered (escaped) on the monitor detail page. A second HTTP server running on 127.0.0.1:8080 inside the container exposes GET / and returns the value of the FLAG env var. The flag is also written to /flag.txt per the standard pattern but the intended solve is the internal-server reflection.
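The host validation the add-monitor handler is missing, written as an added example rather than Statuscraft's own code: it allows only http/https, refuses URLs with credentials, resolves the host and rejects the URL if any resolved address is loopback, private, link-local or otherwise non-global (IPv4-mapped IPv6 literals are unwrapped first). The hostnames and the fake resolver below are constructed for the demo; because the handler also sets allow_redirects=True, the caller must connect to the address this returns and either disable redirects or re-run the check on every hop.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Every A/AAAA address for host via a real DNS lookup."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host):
    """Constructed lookup table so the demo runs offline (hypothetical names)."""
    table = {"status.test": ["1.2.3.4"], "rebind.test": ["1.2.3.4", "127.0.0.1"]}
    return table.get(host, [])


def is_public_address(addr_text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must fail like 127.0.0.1
    return ip.is_global and not (
        ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def validate_monitor_url(url, resolver=default_resolver):
    """Return (scheme, host, addresses) the server may fetch, else ValueError.
    Connect to one of the returned addresses with a Host header instead of
    re-resolving, so a DNS rebind between check and fetch cannot win."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("URL needs a plain host and no embedded credentials")
    host = parts.hostname  # urlsplit already strips [] from IPv6 literals
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS
    except ValueError:
        addresses = resolver(host)  # e.g. "0x7f000001" resolves to loopback
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addresses:  # one bad record rejects the whole URL
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public {addr}")
    return parts.scheme, host, addresses


def rejects(url, resolver=default_resolver):
    """True when validate_monitor_url refuses url (handy for tests)."""
    try:
        validate_monitor_url(url, resolver)
    except ValueError:
        return True
    return False
```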

Who It's For

First-time SSRF players. No filter bypass required — recognise that the server fetches arbitrary URLs and that "internal" services exist on localhost. One-form, one-payload solve.

Skills You'll Practice

  • Identifying server-side URL fetchers as SSRF surfaces
  • Targeting loopback (127.0.0.1) and non-public ports
  • Reading reflected fetch output as an SSRF exfil channel

What You'll Gain

  • Any server-side URL fetcher that does not validate the host is an SSRF surface
  • Internal-only services on 127.0.0.1 are reachable from the app process
  • Echoing the response body back to the user turns an otherwise blind SSRF into an in-band one
