AllThingsSSRF
This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location
This is currently work in progress I will add more resources as I find them.
Created By @jdonsec
Learn What is SSRF
- Vickie Li: Intro to SSRF
- Vickie Li: Exploiting SSRFs
- Detectfy – What is server side request forgery (SSRF)?
- What is SSRF By Netsparker
- Hackerone How To: Server-Side Request Forgery(SSRF)
- Nahamsec/Daeken – OWNING THE CLOUT THROUGH SSRF AND PDF GENERATORS
- Orange Tsai A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!
- Infosec Institute SSRF Introduction
- SSRF bible
- Book of Bugbounty Tips
- Cujanovic – SSRF Testing
- EdOverflow – Bugbounty-Cheatsheet
- @ONsec_lab SSRF pwns: New techniques and stories
- Swissky – Payload All The Things SSRF
- HAHWUL
- Acunetix – What is Server Side Request Forgery(SSRF)?
- xI17dev – SSRF Tips
- SaN ThosH SSRF – Server Side Request Forgery (Types and ways to exploit it) Part-1
- SaN ThosH SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2
- AUXY Blog – SSRF in Depth
- CTF Wiki – SSRF Introduction
- Orangetw – CTF SSRF Writeup
Writeups
- @albinowax Cracking the lens: targeting HTTP’s hidden attack-surface [NEW Credit to @atul_hax]
- NoGe: Serer Side Request Forgery (SSRF) Testing
- @leonmugen: SSRF Reading Local Files from DownNotifier server
- Fireshell Security Team: SunshineCTF – Search Box Writeup
- SSRF vulnerability via FFmpeg HLS processing
- Escalating SSRF to RCE
- Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read!
- Chris Young: SSRF – Server Side Request Forgery
- Day Labs: SSRF attack using Microsoft’s bing webmaster central
- Elber Andre: SSRF Tips SSRF/XSPA in Microsoft’s Bing Webmaster Central
- Valeriy Shevchenko: SSRF Vulnerability due to Sentry misconfiguration
- Vickie Li: Bypassing SSRF Protection
- Vickie Li: SSRF in the Wild
- Tug Pun: From SSRF to Local File Disclosure
- Neeraj Sonaniya: Reading Internal Files using SSRF vulnerability
- Pratik yadav: Ssrf to Read Local Files and Abusing the AWS metadata
- Shorebreak Security: SSRF’s up! Real World Server-Side Request Forgery (SSRF)
- Hack-Ed: A Nifty SSRF Bug Bounty Write Up
- abcdsh Asis 2019 Quals – Baby SSRF
- W00troot: How I found SSRF on TheFacebook.com
- Deepak Holani: Server Side Request Forgery(SSRF){port issue hidden approch }
- Brett Buerhaus: SSRF Writeups
- GeneralEG: Escalating SSRF to RCE
- Coen Goedegebure: How I got access to local AWS info via Jira
- Corben Leo: Hacking the Hackers: Leveraging an SSRF in HackerTarget
- Orange Tsai: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
- Peter Adkins: Pivoting from blind SSRF to RCE with HashiCorp Consul
- pwntester: hackyou2014 Web400 write-up
- Azure Assassin Alliance SSRF Me
- 003Random’s Blog: H1-212 CTF ~ Write-Up
- Bubounty POC SSRF Bypass in private website
- Peerlyst: Top SSRF Posts
- Elber “f0lds” Tavares: $1.000 SSRF in Slack
- Kongweinbin: Write-up for Gemini Inc: 1
- LiveOverFlow: SSRF targeting redis for RCE via IPv6/IPv4 address embedding chained with CLRF injection in the git:// protocol.
- GitLab SSRF in project integrations (webhook)
- Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks – Part 1: The basics
- Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks — Part 2: Fun with IPv4 addresses
- Maxime Leblanc: Server-Side Request Forgery (SSRF) — Part 3: Other advanced techniques
- Maxime Leblanc: Privilege escalation in the Cloud: From SSRF to Global Account Administrator
- Asterisk Labs: Server-side request forgery in Sage MicrOpay ESP
- EdOverflow: Operation FGTNY 🗽 – Solving the H1-212 CTF
- Alyssa Herrera: Piercing the Veil: Server Side Request Forgery to NIPRNet access
- Alyssa Herrera: Wappalyzer SSRF Write up
- Contribution by $root: Whomai – Harsh Jaiswal: Vimeo SSRF with code execution potential.
- Agarri: Server-side browsing considered harmful
Hackerone Reports
- #223203 SVG Server Side Request Forgery (SSRF)
- 115857 SSRF and local file read in video to gif converter
- 237381 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
- 228377 SSRF in upload IMG through URL
- 302885 ImageMagick GIF coder vulnerability leading to memory disclosure
- 392859 Sending Emails from DNSDumpster – Server-Side Request Forgery to Internal SMTP Access
- 395521 SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
- 285380 www.threatcrowd.org – SSRF : AWS private key disclosure
- 287762 SSRF protection bypass
- 115748 SSRF in https://imgur.com/vidgif/url
- 508459 SSRF in webhooks leads to AWS private keys disclosure
- 643622 SSRF In Get Video Contents
- 398641 D0nut: SSRF on duckduckgo.com/iu/
- 398799 Jobert Abma (jobert): Unauthenticated blind SSRF in OAuth Jira authorization controller
- 369451 Dylan Katz (plazmaz): SSRF in CI after first run
- 341876 André Baptista (0xacb): SSRF in Exchange leads to ROOT access in all instances
- 374737 ruvlol (ruvlol): Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
- 386292 Elb (elber): Bypass of the SSRF protection in Event Subscriptions parameter
- 411865 Robinooklay: Blind SSRF at https://chaturbate.com/notifications/update_push/
- 517461 Ninja: Blind SSRF/XSPA on dashboard.lob.com + blind code injection
- 410882 Steven Seeley: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
- 395521 Predrag Cujanović: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
- 223203 floyd: SVG Server Side Request Forgery (SSRF)
- 301924 jax: SSRF vulnerability in gitlab.com webhook
- 204513 Skansing: Infrastructure – Photon – SSRF
- 115748 Eugene Farfel: SSRF in https://imgur.com/vidgif/url
- 263169 Tung Pun: New Relic – Internal Ports Scanning via Blind SSRF
- 280511 Suresh Narvaneni: Server Side Request Forgery on JSON Feed
- 281950 Tung Pun: Infogram – Internal Ports Scanning via Blind SSRF
- 289187 Predrag Cujanović: DNS pinning SSRF
- 288183 Dr.Jones: SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)
- 288537 e3xpl0it: Server Side Request Forgery protection bypass № 2
- 141304 ylujion: Blind SSRF on synthetics.newrelic.com
- 128685 Nicolas Grégoire: SSRF on testing endpoint
- 145524 paglababa: Server side request forgery (SSRF) on nextcloud implementation.
- 115857 Slim Shady: SSRF and local file read in video to gif converter
Videos/POC
- Black Hat: Viral Video – Exploiting SSRF in Video Converters
- Hackerone: Hacker101 – SSRF
- Bugcrowd University: Server Side Request Forgery
- Muhammad Junaid: Yahoo SSRF and Local File Disclosure via FFmpeg
- Muhammad Junaid: Flickr (Yahoo!) SSRF and Local File Disclosure
- Corben Leo: SMTP Access via SSRF in HackerTarget API
- Nikhil Mittal: HootSuite SSRF Vulnerability POC
- Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 – A New Era Of SSRF – Exploiting Url Parsers – Orange Tsai
- Crazy Danish Hacker: Server-Side Request Forgery (SSRF) – Web Application Security Series #1
- LiveOverFlow: PHP include and bypass SSRF protection with two DNS A records – 33c3ctf list0r (web 400)
- Nahamsec: Owning the Clout through SSRF & PDF Generators – Defcon 27 – (SSRF on ads.snapchat.com)
- Tutorials Point (India) Pvt. Ltd: Penetration Testing – Server Side Request Forgery (SSRF)
- Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 – A New Era Of SSRF – Exploiting Url Parsers – Orange Tsai
- AppSec EU15 – Nicolas Gregoire – Server-Side Browsing Considered Harmful
Tools
CTF/Labs
- Bugbounty Notes SSRF Challenge
- Portswigger SSRF labs
- m6a-UdS SSRF Lab
- Pentester Lab Pro account: Essential: Server Side Request Forgery 01
- Pentester Lab Pro account: Essential: Server Side Request Forgery 02
- Pentester Lab Pro account: Essential: Server Side Request Forgery 03
- Pentester Lab Pro account: Essential: Server Side Request Forgery 04
- Se8S0n SSRF Lab Guide
