# Assessment

## Question 1

Which of the following would make for a good vAPI request to test for SSRF?

<details>

<summary>Solution</summary>

/vapi/serversurfer

</details>

## Question 2

Which types of SSRF attack is vAPI susceptible to?

<details>

<summary>Solution</summary>

* In-Band
* Out-of-Band
* Blind

</details>

## Question 3

What HTTP status code does vAPI's serversurfer respond with when using <http://127.0.0.1> as a payload?

<details>

<summary>Solution</summary>

403

</details>

## Question 4

What HTTP status code does vAPI's serversurfer respond with for a successful SSRF attack?

<details>

<summary>Solution</summary>

200

</details>

## Question 5

What happens to data retrieved by vAPI with a successful in-band SSRF attack against the serversurfer?

<details>

<summary>Solution</summary>

The resources retrieved are sent back base64 encoded

</details>
