shnjd/wiki_ shnjd.com

SSRF

Added on April 5, 2026

SSRF stands for Server-Side Request Forgery. It's a vulnerability that allows a malicious user to cause the webserver to make an additional or edited HTTP request to the resource of the attacker's choosing.

There are two types of SSRF vulnerability;

A successful SSRF attack can result in any of the following:

example: suppose user were to request https://example.com/stock?url=/item?id=12, Hacker make use of this by requesting https://example.com/stock?url=https://api.example.com/user/12, (or https://example.com/stock?url=../user/12 in case of relative path).

suppose the expected request is https://example.com/stocker?server=api&id=123, where api is inteded to be the subdomain for the request, this can be forged as https://example.com/stocker?server=api.example.com/user?x=&id=123. This transform the server request as https://api.example.com/user?x=.example.com/stock/item?id=123, turning the inteded path as x= value

Hacker could even change these urls in the param into one of their own server, forcing the the app server to request from their server, this request often contains credentials used by server, revealing them to hacker

Potential SSRF vulnerabilities can be spotted in web applications in many different ways. Here is an example of four common places to look:

If working with a blind SSRF where no output is reflected back to you, you'll need to use an external HTTP logging tool to monitor requests such as requestbin.com, your own HTTP server or Burp Suite's Collaborator client. To act as a request receiver

Attacking Common SSRF Defenses

There are usually two approaches to this, either a deny list or an allow list.

Deny List

A Deny List is where all requests are accepted apart from resources specified in a list or matching a particular pattern. A Web Application may employ a deny list to protect sensitive endpoints.

A specific endpoint to restrict access is the localhost, which may contain server performance data or further sensitive information, so domain names such as localhost and 127.0.0.1 would appear on a deny list.

Attackers can bypass a Deny List by using alternative localhost references such as 0, 0.0.0.0, 0000, 127.1, 127.*.*.*, 2130706433, 017700000001 or subdomains that have a DNS record which resolves to the IP Address 127.0.0.1 such as 127.0.0.1.nip.io.

Also, in a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which contains metadata for the deployed cloud server, including possibly sensitive information. An attacker can bypass this by registering a subdomain on their own domain with a DNS record that points to the IP Address 169.254.169.254.

Allow List

An allow list is where all requests get denied unless they appear on a list or match a particular pattern, such as a rule that an URL used in a parameter must begin with https://website.thm. An attacker could quickly circumvent this rule by creating a subdomain on an attacker's domain name, such as https://website.thm.attackers-domain.thm. The application logic would now allow this input and let an attacker control the internal HTTP request.

Open Redirect

If the above bypasses do not work, there is one more trick up the attacker's sleeve, the open redirect.

An open redirect is an endpoint on the server where the website visitor gets automatically redirected to another website address.

For example, https://website.thm/link?url=https://tryhackme.com. This endpoint was created to record the number of times visitors have clicked on this link for advertising/marketing purposes. But imagine there was a potential SSRF vulnerability with stringent rules which only allowed URLs beginning with https://website.thm/. An attacker could utilise the above feature to redirect the internal HTTP request to a domain of the attacker's choice.