Bug Hunter Handbook
  • Introduction
  • Getting Started in InfoSec and Bug Bounties.
  • Presentations
  • Checklists / Guides
  • Useful Twitter Threads
  • List of Vulnerabilities
    • Recon and OSINT
      • Recon
      • Sensitive information using Github
      • Subdomain Enumeration
        • Resolvers
      • Javascript Enumeration
      • After Recon
      • Finding Information Using Public Resources
      • OSINT
      • Cloud
      • Wayback
      • Parameter / Content Discovery
      • Broken Link Highjacking
    • Host Header
    • Injection
      • Other Injection
    • DNS Rebinding
    • Cross Site Scripting (XSS)
      • Weaponizing XSS
      • WAF Bypass
    • Cross Origin Resource Sharing (CORS)
    • Local / Remote File Inclusion (LFI / RFI)
    • Server Side Request Forgery (SSRF)
    • Remote Code Execution (RCE)
    • XML Entity Injecton (XXE)
    • Price Manipulation
    • Directory / Path Traversal
    • Cross Site Request Forgery (CSRF)
      • JSON CSRF
    • Password Reset
    • Login Page Issues
    • Deserialization Attacks
    • File Upload
    • Account Takeover
    • Insecure Direct Object References (IDOR)
    • Open Redirect
    • Business Logic Flaws
    • Rate Limit Bypass / 2FA / OTP Bypass
    • Ruby on Rails
      • Mass Assginment
    • S3 Bucket
    • Race Condition
    • CRLF
    • SSTI
    • Prototype Pollution
  • Approach
  • API Security
  • Mobile Security
  • Fuzzing / Wordlists
  • BugBounty Short Write-ups
  • Burp Suite Tips and Tricks
  • HackerOne Reports
  • Response Manipulation
  • Client Vs Server Side Vulnerabilities
  • DevSecOps
  • Containers
    • Docker
    • Kubernetes
    • Containers
  • AWS
  • Azure
  • Others
    • Code Review
    • Web Sockets
    • Web Cache
    • HTTP Desync Attacks
    • Zone Transfer
    • CSP Bypass
    • Payment Bypasses
    • Http Parameter Pollution
    • Postmessage
    • Others
    • GraphQL
    • Unix / Linux
    • Email Related
    • Dependency confusion
    • Nginx Misconfigs
    • JIRA
    • OAUTH
  • Chaining of Bugs
  • Bug Bounty Automation
  • Mindmaps
  • Oneliner Collections
  • Red Teaming
  • Blue Teamining
  • Recon One Liners
  • Misc
  • Wordpress
  • Fuzzing / FuFF
  • OWASP ZAP
  • Bug List
  • Setting up burp collaborator
  • Admin Panel PwN
  • Credential Stuffing / Dump / HaveibeenPwned?
  • Tools Required
  • Nuclei Template
  • Other BugBounty Repos / Tips
  • Interview
  • Threat Modelling
  • AppSec
Powered by GitBook
On this page

Was this helpful?

  1. List of Vulnerabilities

Server Side Request Forgery (SSRF)

References for SSRF

Blogs / Articles:

  • SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit

  • http://niiconsulting.com/checkmate/2015/04/server-side-request-forgery-ssrf/

  • https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

  • https://cfdb.io/Web/Server-Side%20Request%20Forgery

  • http://www.smeegesec.com/2017/10/detecting-ssrf-using-aws-services.html

  • https://medium.com/bugbountywriteup/bug-bounty-fastmail-feeda67905f5

  • http://www.sxcurity.pro/2017/12/17/hackertarget/

  • https://mike-n1.github.io/SSRF_P4toP2

  • https://medium.com/@auxy233/the-design-and-implementation-of-ssrf-attack-framework-550e9fda16ea

  • https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/

  • https://www.shawarkhan.com/2018/05/getting-read-access-on-edmodo.html

  • https://medium.com/@valeriyshevchenko/subdomain-takeover-with-shopify-heroku-and-something-more-6e9504da34a1

  • https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf

  • https://medium.com/@arbazhussain/svg-xlink-ssrf-fingerprinting-libraries-version-450ebecc2f3c

  • https://desc0n0cid0.blogspot.com/2019/01/chaining-2-low-impact-bugs-into-gitlab.html

  • Blind SSRF - https://lab.wallarm.com/blind-ssrf-exploitation/

  • Bypasses - https://subhajitsaha.com/bypassing-ssrfs-like-a-king/

  • https://t.co/oMmwp61vt6?amp=1

  • https://secureitmania.medium.com/an-unknown-linux-secret-that-turned-ssrf-to-os-command-injection-6fe2f4edc202

  • https://bughunter25.medium.com/a-tale-of-html-to-pdf-converter-ssrf-and-various-bypasses-4a3e11030c77

  • https://chawdamrunal.medium.com/how-i-exploit-out-of-band-resource-load-http-using-burp-suite-extension-plugin-taborator-2c5065d6a50b

  • https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/

  • https://notifybugme.medium.com/chaining-an-blind-ssrf-bug-to-get-an-rce-92c09de3c0ba

Cheatsheets / Guides:

  • https://github.com/cujanovic/SSRF-Testing

  • https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

  • https://github.com/allanlw/svg-cheatsheet

Tips / Twitter Threads:

  • http://blog.safebuff.com/2016/07/03/SSRF-Tips/

  • https://twitter.com/omespino/status/998603788020781056

  • https://twitter.com/trouble1_raunak/status/1216200502309871616

  • SSRF Breakpoints - https://twitter.com/s0md3v/status/1210130223334715393

  • SSRF - bypass https://twitter.com/SMHTahsin33/status/1293601681834307584

  • https://twitter.com/HusseiN98D/status/1258217821693190154?s=20

Tools / Payloads:

  • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection

SSRF Bypass list for localhost (127.0.0.1):

http://127.1/ http://0000::1:80/ http://[::]:80/ http://2130706433/ http://whitelisted@127.0.0.1 http://0x7f000001/ http://017700000001 http://0177.00.00.01

Also using a redirect to localhost will often work.

Blind - https://lab.wallarm.com/blind-ssrf-exploitation/

  • https://resources.securitycompass.com/blog/ssrf-as-a-service-mitigating-a-design-level-software-security-vulnerability-2

  • https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/

PreviousLocal / Remote File Inclusion (LFI / RFI)NextRemote Code Execution (RCE)

Last updated 5 months ago

Was this helpful?

LogoThreats & Research Archives - F-Secure BlogF-Secure Blog
https://twitter.com/m4ll0k/status/1328375464281452547