## https://sploitus.com/exploit?id=7239610D-FB67-5EDA-8E6D-DDC6D8735AE5
# CVE-2026-40072 SSRF Lab

Hands-on local lab to demonstrate CVE-2026-40072 in web3.py, show the SSRF impact in Burp Suite, and verify the official fix.

## Overview

This repository contains a safe, local-only proof of concept for CVE-2026-40072, a Server-Side Request Forgery (SSRF) issue tied to CCIP Read / OffchainLookup handling in web3.py. The lab uses Kali Linux, a Python virtual environment, Flask as a fake internal service, and Burp Suite to intercept the outbound request.

## Repository Structure

```text
.
├── requirements.txt
├── lab/
│   ├── fake_internal_server.py
│   ├── ssrf_demo.py
│   └── ssrf_fixed_check.py
├── docs/
│   └── blog-post-outline.md
└── screenshots/
```

## What You Will Learn

- How the vulnerability works at a high level.
- How to reproduce the request safely in a lab.
- How to intercept and inspect the request with Burp Suite.
- How to verify the official fix by upgrading web3.py.

## Prerequisites

- Kali Linux
- Python 3.13+
- Burp Suite Community or Pro
- Internet access for package installation

## Safety Notice

This lab is for authorized, local, educational use only. Run everything in your own isolated environment. Do not test against systems you do not own or have permission to assess.

## Setup

### 1. Create a virtual environment

```bash
python3 -m venv ~/ssrf-lab
source ~/ssrf-lab/bin/activate
```

### 2. Install dependencies

```bash
pip install -r requirements.txt
```

If Kali blocks system-wide `pip install`, keep using the virtual environment created above.

## Running the Lab

### Step 1: Start the fake internal service

```bash
source ~/ssrf-lab/bin/activate
python3 lab/fake_internal_server.py
```

Keep this terminal open. It simulates a sensitive internal endpoint.

### Step 2: Open Burp Suite

- Launch Burp Suite.
- Ensure Proxy listener is running on `127.0.0.1:8080`.
- Turn on Intercept if you want to capture the request.

### Step 3: Run the SSRF demo

```bash
source ~/ssrf-lab/bin/activate
python3 lab/ssrf_demo.py
```

The request should appear in Burp and the fake service should return a demo credential string.

### Step 4: Verify the patched version

Upgrade to the fixed release:

```bash
pip install "web3==7.15.0"
```

Then confirm the version:

```bash
pip show web3 | grep Version
```

Run the check script:

```bash
python3 lab/ssrf_fixed_check.py
```

Confirm that the environment now runs the patched version and document that the outbound SSRF request no longer occurs.
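The lab verifies the fix by upgrading. As an added defensive illustration (not code from this lab or from web3.py, and not a description of how the upstream patch works), the following shows the kind of egress check a caller can apply to CCIP Read / OffchainLookup gateway URLs before any request is made, plus a version comparison against the fixed release named above. The allowlisted host and the sample URLs are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only gateway host that
# OffchainLookup URLs are permitted to point at.
ALLOWED_GATEWAY_HOSTS = {"gateway.example.org"}


def is_non_public_target(host: str) -> bool:
    """True if host is 'localhost' or a literal IP outside globally routable space
    (loopback, link-local incl. 169.254.x, RFC 1918, reserved)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal, treat as a hostname
        h = host.lower()
        return h == "localhost" or h.endswith(".localhost")


def gateway_url_allowed(url: str) -> tuple[bool, str]:
    """Decide whether a gateway URL may be fetched; returns (allowed, reason).

    Rejects non-https schemes, embedded credentials, missing hosts, literal
    non-public addresses, and any host outside the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname or ""
    if not host:
        return False, "no host in URL"
    if is_non_public_target(host):
        return False, f"non-public target {host}"
    if host not in ALLOWED_GATEWAY_HOSTS:
        return False, f"host {host} not in allowlist"
    return True, "ok"


def is_patched_version(version: str, fixed: str = "7.15.0") -> bool:
    """Compare a dotted web3 version (as printed by `pip show web3`) against the
    fixed release used in this lab. Pre-release suffixes such as rc1 are ignored."""
    def key(v: str) -> tuple[int, int, int]:
        m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
        if not m:
            raise ValueError(f"unparseable version {v!r}")
        return tuple(int(p) for p in m.groups())
    return key(version) >= key(fixed)


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate gateway, then loopback, link-local
    # metadata-style and off-allowlist targets that an SSRF would otherwise reach.
    for u in ["https://gateway.example.org/{sender}/{data}.json",
              "http://127.0.0.1:5000/internal/secret",
              "https://169.254.169.254/latest/meta-data/",
              "https://other.example.com/x"]:
        print(u, gateway_url_allowed(u))
```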

## Expected Outcome

- Vulnerable version: Burp captures the outbound request, Flask logs the hit, and Repeater shows the demo key.
- Patched version: No SSRF request appears, and the fix is documented with a version screenshot.

## License

MIT