# SSRF ## Introduction Server-Side Request Forgery (SSRF), is a vulnerability that allows an attacker to induce the server-side of the application to make requests to arbitrary locations, leading to unauthorized access to internal services or files within the application or even external functions of other services. Examples of this vulnerability are: * `/media.php?query=../../v1/settings` * `?link=http://example.com/` * `stockApi=http://localhost/admin` However, this vulnerability is not limited to HTTP protocol, you can perform requests to different protocols such as `file://`, `phar://`, `gopher://`, `data://`, `dict://`, etc. Finally, this vulnerability is hard to find in the wild and requires manual analysis to find a valid input. So there is no special trick to finding them. ## Filter bypass Commonly, most applications with SSRF behaviour are built with defences trying to prevent malicious exploitation. In order to bypass these defences, there are several approaches. ### Black List bypass Some applications might block input containing hostnames like `127.0.0.1` or `localhost`, which can be circumvented using the following techniques: * Alternative representation of `127.0.0.1`: 2130706433, 017700000001, 127.1 * Registering a domain/subdomain that resolves into 127.0.0.1. * Obfuscate the blocked string using URL encoding or case variation. ### White List bypass In this case, the application only allows input that contains, begins or ends with a certain string. In this case, you can circumvent the filter with the following techniques: * `https://@/` * `https://#/` * `https://./` * URL encoding. * Combinations of all of the above. ## References * [Testing for Server-Side Request Forgery](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery) * [Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://the-pentesting-guide.marmeus.com/web/ssrf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.