SSRF Cheatsheet

An SSRF vulnerability allows an attacker to make requests originating from the web server

Checks

Look for anything that takes a URL input or fetches a resource (e.g., screenshot utility, pdf generator, etc.)
If 127.0.0.1 or localhost aren't working, try variations to see if poor filtering rules are being used
- Also make note of any internal IP addresses disclosed throughout the application. Try those to see if you can access resources on those hosts.
Check to see if the server can communicate with any other servers on the internal network
Try to get an external interaction to a server we control. Collaborator, interactsh, etc.

Try other URI schemes, file://, etc.
Try looking for common images like favicon.ico
- Check the location of the image on the server

Important note

Make sure the request is coming from the server and not your browser before reporting.

Mitigation	Bypass
Whitelisting	Look for an open redirect
Blacklisting	Create a custom CNAME and point it to the internal IP address of the target Check for poor regex handling
Restricted content-types, characters, or extensions	Fuzzing or finding a bypass (encoding, other)
No response	JavaScript XHR request

Try different ways of entering IP addresses. e.g., 127.1 instead of 127.0.0.1
- Also try different encodings
Point a custom subdomain to 127.0.0.1 and use that
- localhost.tomfieber.dev -> 127.0.0.1
Use nip.io
- 127.0.0.1.nip.io -> 127.0.0.1

Try to figure out how the filter is working
- Can we append a domain we own? e.g., victim.com.hacker.com
- Or hackervictim.com
- etc.
Chaining an open redirect
- If we can find an open redirect in another part of the application, we can use THAT URL with the SSRF to redirect to our desired site. https://teal.ctfio.com/?redirect=https://YOUR-OAST-PAYLOAD
Chaining HTML injection/XSS
- Try something like <script>document.write(document.location)</script>
- `