
Exploiting SSRF Vulnerability in OopsSec Store to Access Internal Pages
Tags: cybersecurity, SSRF, vulnerability, Next.js, penetration_testing, web_security, ethical_hacking, GitHub, localhost, flag
OopsSec Store is a security lab built for penetration testing training, and it contains a Server-Side Request Forgery (SSRF) vulnerability. The application, written in Next.js, lets a user abuse its support form to make the server issue requests to internal pages. By submitting a URL pointing to http://localhost:3000/internal, an attacker reaches a restricted page and retrieves a flag of the form OSS{s3rv3r_s1d3_r3qu3st_f0rg3ry}. The flaw stems from the absence of validation of the user-supplied URL, in particular the failure to block local or private addresses. The source code is available on GitHub for local, educational use.
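The missing check described above, as an added example that is not the OopsSec Store lab's own code: a gate for server-side fetches that rejects loopback, RFC 1918, link-local and IPv4-mapped hosts, shown beside the unchecked handler shape that makes a support form SSRF-able. The function names (`checkOutboundUrl`, `isBlockedHost`, the two handler functions) and every sample URL other than `http://localhost:3000/internal` are assumptions constructed here; the lab's actual route and field names are not on the page.

```javascript
// Added example, not code from the OopsSec Store lab. Names and sample URLs
// (other than the lab's http://localhost:3000/internal) are constructed here.

// IPv4 ranges a server-side fetcher should never be steered into.
const BLOCKED_V4 = [
  ['0.0.0.0', 8],      // "this" network; 0.0.0.0 reaches localhost on Linux
  ['10.0.0.0', 8],     // RFC 1918 private
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, including cloud metadata endpoints
  ['172.16.0.0', 12],  // RFC 1918 private
  ['192.168.0.0', 16], // RFC 1918 private
];

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isDottedQuad(s) {
  const m = IPV4_RE.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True for loopback, private, link-local hosts and IPv4-mapped IPv6 forms of them.
// Expects the hostname as the WHATWG URL parser reports it: short numeric forms
// such as 127.1 or 0x7f000001 are already normalised to 127.0.0.1, and IPv6
// literals arrive wrapped in brackets.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (isDottedQuad(h)) return BLOCKED_V4.some(([base, bits]) => inCidr(h, base, bits));
  if (h.includes(':')) {
    if (h === '::1' || h === '::') return true;               // loopback, unspecified
    if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true; // fc00::/7, fe80::/10
    if (h.startsWith('::ffff:')) {                            // IPv4-mapped addresses
      const tail = h.slice(7);
      if (isDottedQuad(tail)) return isBlockedHost(tail);     // ::ffff:127.0.0.1
      const parts = tail.split(':');
      if (parts.length === 2) {                               // ::ffff:7f00:1
        const [hi, lo] = parts.map((p) => parseInt(p, 16));
        return isBlockedHost(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
      }
    }
  }
  return false;
}

// Returns { ok: true, url } when the server may fetch it, else { ok: false, reason }.
function checkOutboundUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  if (isBlockedHost(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is local or private` };
  }
  return { ok: true, url: url.href };
}

// Two handler shapes, with fetch injected so the file runs offline.
// Unchecked: whatever the support form sent is fetched by the server as-is.
function supportHandlerUnchecked(body, fetchImpl) {
  return fetchImpl(body.url);
}

// Checked: gate first and do not auto-follow redirects, since a redirect from a
// public host can point back at an internal address. A hostname check alone
// still does not cover DNS rebinding (a public name resolving to an internal
// IP); for that, re-validate the resolved address at connect time.
function supportHandlerChecked(body, fetchImpl) {
  const verdict = checkOutboundUrl(body.url);
  if (!verdict.ok) return { status: 400, error: verdict.reason };
  return fetchImpl(verdict.url, { redirect: 'manual' });
}

// Constructed stand-in for fetch(): records the URL instead of sending a request.
const recordingFetch = (url) => ({ status: 200, fetched: url });

const samples = [
  'http://localhost:3000/internal', // the lab's payload
  'http://127.1:3000/internal',     // constructed: numeric short form
  'http://[::1]:3000/internal',     // constructed: IPv6 loopback
  'http://169.254.169.254/',        // constructed: link-local
  'https://example.com/ticket/42',  // constructed: an ordinary public URL
];
for (const url of samples) {
  console.log(url, '=>', JSON.stringify(supportHandlerChecked({ url }, recordingFetch)));
}
```

The gate validates after `new URL()` parsing on purpose: the parser collapses the many spellings of a loopback address into one canonical hostname, so the range check runs on what the HTTP client would actually connect to rather than on the raw form input. An allow-list of the few hosts the support feature legitimately needs is a stronger policy where the business case permits it.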