Server Side Request Forgery (SSRF)

References for SSRF

Blogs / Articles:

SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
http://niiconsulting.com/checkmate/2015/04/server-side-request-forgery-ssrf/
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
https://cfdb.io/Web/Server-Side%20Request%20Forgery
http://www.smeegesec.com/2017/10/detecting-ssrf-using-aws-services.html
https://medium.com/bugbountywriteup/bug-bounty-fastmail-feeda67905f5
http://www.sxcurity.pro/2017/12/17/hackertarget/
https://mike-n1.github.io/SSRF_P4toP2
https://medium.com/@auxy233/the-design-and-implementation-of-ssrf-attack-framework-550e9fda16ea
https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/
https://www.shawarkhan.com/2018/05/getting-read-access-on-edmodo.html
https://medium.com/@valeriyshevchenko/subdomain-takeover-with-shopify-heroku-and-something-more-6e9504da34a1
https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf
https://medium.com/@arbazhussain/svg-xlink-ssrf-fingerprinting-libraries-version-450ebecc2f3c
https://desc0n0cid0.blogspot.com/2019/01/chaining-2-low-impact-bugs-into-gitlab.html
Blind SSRF - https://lab.wallarm.com/blind-ssrf-exploitation/
Bypasses - https://subhajitsaha.com/bypassing-ssrfs-like-a-king/
https://t.co/oMmwp61vt6?amp=1
https://secureitmania.medium.com/an-unknown-linux-secret-that-turned-ssrf-to-os-command-injection-6fe2f4edc202
https://bughunter25.medium.com/a-tale-of-html-to-pdf-converter-ssrf-and-various-bypasses-4a3e11030c77
https://chawdamrunal.medium.com/how-i-exploit-out-of-band-resource-load-http-using-burp-suite-extension-plugin-taborator-2c5065d6a50b
https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/
https://notifybugme.medium.com/chaining-an-blind-ssrf-bug-to-get-an-rce-92c09de3c0ba

Cheatsheets / Guides:

https://github.com/cujanovic/SSRF-Testing
https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
https://github.com/allanlw/svg-cheatsheet

Tips / Twitter Threads:

http://blog.safebuff.com/2016/07/03/SSRF-Tips/
https://twitter.com/omespino/status/998603788020781056
https://twitter.com/trouble1_raunak/status/1216200502309871616
SSRF Breakpoints - https://twitter.com/s0md3v/status/1210130223334715393
SSRF - bypass https://twitter.com/SMHTahsin33/status/1293601681834307584
https://twitter.com/HusseiN98D/status/1258217821693190154?s=20

Tools / Payloads:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection

SSRF Bypass list for localhost (127.0.0.1):

http://127.1/ http://0000::1:80/ http://[::]:80/ http://2130706433/ http://whitelisted@127.0.0.1 http://0x7f000001/ http://017700000001 http://0177.00.00.01

Also using a redirect to localhost will often work.

Blind - https://lab.wallarm.com/blind-ssrf-exploitation/

Threats & Research Archives - F-Secure BlogF-Secure Blog

https://resources.securitycompass.com/blog/ssrf-as-a-service-mitigating-a-design-level-software-security-vulnerability-2
https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/

PreviousLocal / Remote File Inclusion (LFI / RFI)NextRemote Code Execution (RCE)

Last updated 1 month ago