$ ./exploit.py
[+] Flag: FLAGssrf_is_fun_5b5a9
But the response to the internal request was included in the error message! The error page displayed:
The short URL redirects to /view?id=f3a9b, which displays the saved phrase.
The flag is not visible in the source code or in the UI. A quick look reveals an SSRF (Server-Side Request Forgery) entry point in the “Email me the quote” endpoint. By abusing it we can make the server request the internal flag service (http://flag.internal/secret) and have the response reflected back to us.
The page makes a request to /quote when the form is submitted. Intercepting it with Burp Suite shows the following POST body:
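To make the two weaknesses in this write-up concrete (the "Email me the quote" endpoint fetching an attacker-chosen URL and echoing the upstream response in its error page, and a redirect hop landing on the internal flag service), here is an added example, not the challenge's own code. Everything except the internal URL http://flag.internal/secret is assumed: the handler names, the fake DNS table and fake HTTP client (so it runs offline), and the addresses. The vulnerable handler follows redirects blindly and reflects fetched content; the hardened one validates every hop against the resolved address, fails closed on unresolvable hosts, and returns only generic errors.

```python
"""Constructed SSRF illustration: vulnerable vs. hardened "email me the quote" handler.
Not the challenge's code; all names, hosts and addresses below are assumed."""
import ipaddress
import socket
from urllib.parse import urlsplit

FLAG_URL = "http://flag.internal/secret"  # internal service named in the write-up

# --- constructed stand-ins so the example runs offline ---------------------
FAKE_DNS = {
    "flag.internal": {"10.0.0.5"},         # RFC 1918, reachable only from the server
    "short.example": {"104.16.0.1"},       # public, but it redirects (see FAKE_NET)
    "public.example": {"93.184.216.34"},   # public and harmless
}
FAKE_NET = {
    FLAG_URL: ("ok", "secret-from-internal-service"),
    "http://short.example/x": ("redirect", FLAG_URL),   # the short-URL hop
    "http://public.example/quote": ("ok", "Keep calm and patch."),
}

def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")

def fake_fetch(url):
    """Stand-in for the server's HTTP client; returns ("ok", body) or ("redirect", location)."""
    if url not in FAKE_NET:
        raise ConnectionError(f"could not fetch {url}")
    return FAKE_NET[url]

# --- the check a hardened handler needs -----------------------------------
def is_safe_target(url, resolver=lambda h: {i[4][0] for i in socket.getaddrinfo(h, None)}):
    """Return (ok, reason). Only http(s), no userinfo, and every address the host
    maps to must be globally routable; IP literals are checked without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}   # literal address
    except ValueError:
        try:
            addrs = set(resolver(parts.hostname))
        except OSError:
            return False, "unresolvable"                      # fail closed
    if not addrs:
        return False, "unresolvable"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                                # ::ffff:10.0.0.5 etc.
        if not ip.is_global or ip.is_multicast:
            return False, f"internal address {ip}"
    return True, "ok"

# --- vulnerable handler: follows redirects blindly, reflects upstream data --
def vulnerable_handler(url, fetch=fake_fetch, max_hops=5):
    try:
        for _ in range(max_hops):
            kind, value = fetch(url)
            if kind == "redirect":
                url = value            # no re-validation: lands on flag.internal
                continue
            # The body is not an email-able quote, so the mailer raises with the
            # body in the message, and the error page shows it to the attacker.
            raise RuntimeError(f"could not mail quote: {value!r}")
        raise RuntimeError("too many redirects")
    except Exception as exc:
        return f"Error: {exc}"

# --- hardened handler: validate every hop, never echo upstream content -----
def hardened_handler(url, fetch=fake_fetch, resolver=fake_resolver, max_hops=3):
    hops = 0
    while True:
        ok, _reason = is_safe_target(url, resolver)
        if not ok:
            return "Error: destination not allowed"   # generic, nothing reflected
        try:
            kind, value = fetch(url)
        except Exception:
            return "Error: could not fetch quote"
        if kind != "redirect":
            return "Quote mailed"
        hops += 1
        if hops > max_hops:
            return "Error: too many redirects"
        url = value                                  # re-validated next iteration

if __name__ == "__main__":
    print(vulnerable_handler("http://short.example/x"))   # leaks the internal body
    print(hardened_handler("http://short.example/x"))     # refused at the redirect hop
```

The important design points are that the hardened handler checks the address each hostname actually resolves to (a DNS name is not a trust boundary), re-runs that check on every redirect target instead of letting the HTTP client follow hops on its own, and never puts upstream bytes or exception text into the page it returns.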