https://github.com/jdonsec/AllThingsSSRF

This is a collection of writeups, cheatsheets, videos, books related to SSRF in one single location
README


# AllThingsSSRF
**This is a collection of writeups, cheatsheets, and videos related to SSRF in one single location**

This is currently a work in progress; I will add more resources as I find them.

![SSRF Logo](/images/ssrf.jpg)

### Created By [@jdonsec](https://twitter.com/jdonsec)

---
#### Learn What is SSRF

- [Vickie Li: Intro to SSRF](https://medium.com/swlh/intro-to-ssrf-beb35857771f)

- [Vickie Li: Exploiting SSRFs](https://medium.com/@vickieli/exploiting-ssrfs-b3a29dd7437)

- [Detectify - What is server side request forgery (SSRF)?](https://blog.detectify.com/2019/01/10/what-is-server-side-request-forgery-ssrf/)

- [What is SSRF By Netsparker](https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/)

- [Hackerone How To: Server-Side Request Forgery(SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)

- [Nahamsec/Daeken - OWNING THE CLOUT THROUGH SSRF AND PDF GENERATORS](https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/edit#slide=id.p)

- [Orange Tsai: A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)

- [Infosec Institute SSRF Introduction](https://resources.infosecinstitute.com/the-ssrf-vulnerability/)

- [SSRF bible](https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/SSRFbible%20Cheatsheet.pdf)

- [Book of Bugbounty Tips](https://gowsundar.gitbook.io/book-of-bugbounty-tips/ssrf)

- [Cujanovic - SSRF Testing](https://github.com/cujanovic/SSRF-Testing)

- [EdOverflow - Bugbounty-Cheatsheet](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/ssrf.md)

- [@ONsec_lab SSRF pwns: New techniques and stories](https://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Vladimir%20Vorontsov%20and%20Alexander%20Golovko%20-%20SSRF%20PWNs%20-%20New%20Techniques%20and%20Stories.pdf)

- [Swissky - Payload All The Things SSRF](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)

- [HAHWUL](https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html)

- [Acunetix - What is Server Side Request Forgery(SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)

- [xI17dev - SSRF Tips](https://blog.safebuff.com/2016/07/03/SSRF-Tips/)

- [SaN ThosH SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)

- [SaN ThosH SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0)

- [AUXY Blog - SSRF in Depth](http://www.auxy.xyz/research/2017/07/06/all-ssrf-knowledge.html)

- [CTF Wiki - SSRF Introduction](https://ctf-wiki.github.io/ctf-wiki/web/ssrf/)

- [Orangetw - CTF SSRF Writeup](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/README.md#ssrfme)

#### Writeups

- [@albinowax Cracking the lens: targeting HTTP's hidden attack-surface](https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface) [NEW Credit to @atul_hax]

- [NoGe: Server Side Request Forgery (SSRF) Testing](https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-testing-b9dfe57cca35)

- [@leonmugen: SSRF Reading Local Files from DownNotifier server](https://www.openbugbounty.org/blog/leonmugen/ssrf-reading-local-files-from-downnotifier-server/)

- [Fireshell Security Team: SunshineCTF - Search Box Writeup](https://fireshellsecurity.team/sunshinectf-search-box/)

- [SSRF vulnerability via FFmpeg HLS processing](https://medium.com/@valeriyshevchenko/ssrf-vulnerability-via-ffmpeg-hls-processing-f3823c16f3c7)

- [Escalating SSRF to RCE](https://medium.com/cesppa/escalating-ssrf-to-rce-f28c482eb8b9)

- [Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read!](https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326)

- [Chris Young: SSRF - Server Side Request Forgery](https://chris-young.net/2018/04/13/ssrf-server-side-request-forgery/)

- [Day Labs: SSRF attack using Microsoft's bing webmaster central](https://blog.0daylabs.com/2015/08/09/SSRF-in-Microsoft-bing/)

- [Elber Andre: SSRF Tips SSRF/XSPA in Microsoft’s Bing Webmaster Central](https://medium.com/@elberandre/ssrf-trick-ssrf-xspa-in-microsofts-bing-webmaster-central-8015b5d487fb)

- [Valeriy Shevchenko: SSRF Vulnerability due to Sentry misconfiguration](https://medium.com/@valeriyshevchenko/ssrf-vulnerability-due-to-sentry-misconfiguration-5e758bdb4e44)

- [Vickie Li: Bypassing SSRF Protection](https://medium.com/@vickieli/bypassing-ssrf-protection-e111ae70727b)

- [Vickie Li: SSRF in the Wild](https://medium.com/swlh/ssrf-in-the-wild-e2c598900434)

- [Tug Pun: From SSRF to Local File Disclosure](https://medium.com/@tungpun/from-ssrf-to-local-file-disclosure-58962cdc589f)

- [Neeraj Sonaniya: Reading Internal Files using SSRF vulnerability](https://medium.com/@neerajedwards/reading-internal-files-using-ssrf-vulnerability-703c5706eefb)

- [Pratik yadav: Ssrf to Read Local Files and Abusing the AWS metadata](https://medium.com/@pratiky054/ssrf-to-read-local-files-and-abusing-the-aws-metadata-8621a4bf382)

- [Shorebreak Security: SSRF’s up! Real World Server-Side Request Forgery (SSRF)](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)

- [Hack-Ed: A Nifty SSRF Bug Bounty Write Up](https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/)

- [abcdsh Asis 2019 Quals - Baby SSRF](https://abcdsh.blogspot.com/2019/04/writeup-asis-2019-quals-baby-ssrf.html)

- [W00troot: How I found SSRF on TheFacebook.com](https://w00troot.blogspot.com/2017/12/how-i-found-ssrf-on-thefacebookcom.html)

- [Deepak Holani: Server Side Request Forgery(SSRF){port issue hidden approch }](https://medium.com/@w_hat_boy/server-side-request-forgery-ssrf-port-issue-hidden-approch-f4e67bd8cc86)

- [Brett Buerhaus: SSRF Writeups](https://buer.haus/tag/ssrf/)

- [GeneralEG: Escalating SSRF to RCE](https://generaleg0x01.com/2019/03/10/escalating-ssrf-to-rce/)

- [Coen Goedegebure: How I got access to local AWS info via Jira](https://www.coengoedegebure.com/how-i-got-access-to-local-aws-info-via-jira/)

- [Corben Leo: Hacking the Hackers: Leveraging an SSRF in HackerTarget](https://www.corben.io/hackertarget/)

- [Orange Tsai: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)

- [Peter Adkins: Pivoting from blind SSRF to RCE with HashiCorp Consul](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)

- [pwntester: hackyou2014 Web400 write-up](http://www.pwntester.com/tag/ssrf/)

- [Azure Assassin Alliance SSRF Me](https://ctftime.org/writeup/16067)

- [003Random’s Blog: H1-212 CTF ~ Write-Up](https://poc-server.com/blog/2017/11/20/h1-212-ctf-write-up/)

- [Bugbounty POC: SSRF Bypass in private website](https://bugbountypoc.com/ssrf-bypass-in-private-website/)

- [Peerlyst: Top SSRF Posts](https://www.peerlyst.com/tags/ssrf)

- [Elber "f0lds" Tavares: $1.000 SSRF in Slack](https://fireshellsecurity.team/1000-ssrf-in-slack/)

- [Kongweinbin: Write-up for Gemini Inc: 1](https://kongwenbin.com/write-up-for-gemini-inc-1/#more-1548)

- [LiveOverFlow: SSRF targeting redis for RCE via IPv6/IPv4 address embedding chained with CLRF injection in the git:// protocol.](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/)

- [GitLab SSRF in project integrations (webhook)](https://gitlab.com/gitlab-org/gitlab-ce/issues/53242)

- [Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks - Part 1: The basics](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-1-the-basics-a42ba5cc244a)

- [Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks — Part 2: Fun with IPv4 addresses](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-2-fun-with-ipv4-addresses-eb51971e476d)

- [Maxime Leblanc: Server-Side Request Forgery (SSRF) — Part 3: Other advanced techniques](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-part-3-other-advanced-techniques-3f48cbcad27e)

- [Maxime Leblanc: Privilege escalation in the Cloud: From SSRF to Global Account Administrator](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)

- [Asterisk Labs: Server-side request forgery in Sage MicrOpay ESP](https://labs.asteriskinfosec.com.au/tag/ssrf/)

- [EdOverflow: Operation FGTNY 🗽 - Solving the H1-212 CTF](https://edoverflow.com/2017/h1-212-ctf/)

- [Alyssa Herrera: Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)

- [Alyssa Herrera: Wappalyzer SSRF Write up](https://medium.com/@alyssa.o.herrera/wappalyzer-ssrf-write-up-2dab4df064ae)

- [Contribution by $root: Whomai - Harsh Jaiswal: Vimeo SSRF with code execution potential.](https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e)

- [Agarri: Server-side browsing considered harmful](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)

#### Hackerone Reports

- [223203 SVG Server Side Request Forgery (SSRF)](https://hackerone.com/reports/223203)

- [115857 SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)

- [237381 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing](https://hackerone.com/reports/237381)

- [228377 SSRF in upload IMG through URL](https://hackerone.com/reports/228377)

- [302885 ImageMagick GIF coder vulnerability leading to memory disclosure](https://hackerone.com/reports/302885)

- [392859 Sending Emails from DNSDumpster - Server-Side Request Forgery to Internal SMTP Access](https://hackerone.com/reports/392859)

- [395521 SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)](https://hackerone.com/reports/395521)

- [285380 www.threatcrowd.org - SSRF : AWS private key disclosure](https://hackerone.com/reports/285380)

- [287762 SSRF protection bypass](https://hackerone.com/reports/287762)

- [115748 SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)

- [508459 SSRF in webhooks leads to AWS private keys disclosure](https://hackerone.com/reports/508459)

- [643622 SSRF In Get Video Contents](https://hackerone.com/reports/643622)

- [398641 D0nut: SSRF on duckduckgo.com/iu/](https://hackerone.com/reports/398641)

- [398799 Jobert Abma (jobert): Unauthenticated blind SSRF in OAuth Jira authorization controller](https://hackerone.com/reports/398799)

- [369451 Dylan Katz (plazmaz): SSRF in CI after first run](https://hackerone.com/reports/369451)

- [341876 André Baptista (0xacb): SSRF in Exchange leads to ROOT access in all instances](https://hackerone.com/reports/341876)

- [374737 ruvlol (ruvlol): Blind SSRF on errors.hackerone.net due to Sentry misconfiguration](https://hackerone.com/reports/374737)

- [386292 Elb (elber): Bypass of the SSRF protection in Event Subscriptions parameter](https://hackerone.com/reports/386292)

- [411865 Robinooklay: Blind SSRF at https://chaturbate.com/notifications/update_push/](https://hackerone.com/reports/411865)

- [517461 Ninja: Blind SSRF/XSPA on dashboard.lob.com + blind code injection](https://hackerone.com/reports/517461)

- [410882 Steven Seeley: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)](https://hackerone.com/reports/410882)

- [395521 Predrag Cujanović: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)](https://hackerone.com/reports/395521)

- [223203 floyd: SVG Server Side Request Forgery (SSRF)](https://hackerone.com/reports/223203)

- [301924 jax: SSRF vulnerability in gitlab.com webhook](https://hackerone.com/reports/301924)

- [204513 Skansing: Infrastructure - Photon - SSRF](https://hackerone.com/reports/204513)

- [115748 Eugene Farfel: SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)

- [263169 Tung Pun: New Relic - Internal Ports Scanning via Blind SSRF](https://hackerone.com/reports/263169)

- [280511 Suresh Narvaneni: Server Side Request Forgery on JSON Feed](https://hackerone.com/reports/280511)

- [281950 Tung Pun: Infogram - Internal Ports Scanning via Blind SSRF](https://hackerone.com/reports/281950)

- [289187 Predrag Cujanović: DNS pinning SSRF](https://hackerone.com/reports/289187)

- [288183 Dr.Jones: SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)](https://hackerone.com/reports/288183)

- [288537 e3xpl0it: Server Side Request Forgery protection bypass № 2](https://hackerone.com/reports/288537)

- [141304 ylujion: Blind SSRF on synthetics.newrelic.com](https://hackerone.com/reports/141304)

- [128685 Nicolas Grégoire: SSRF on testing endpoint](https://hackerone.com/reports/128685)

- [145524 paglababa: Server side request forgery (SSRF) on nextcloud implementation.](https://hackerone.com/reports/145524)

- [115857 Slim Shady: SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)

#### Videos/POC

- [Black Hat: Viral Video - Exploiting SSRF in Video Converters](https://www.youtube.com/watch?v=tZil9j7TTps&feature=youtu.be)

- [Hackerone: Hacker101 - SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)

- [Bugcrowd University: Server Side Request Forgery](https://www.bugcrowd.com/resources/webinars/server-side-request-forgery/)

- [Muhammad Junaid: Yahoo SSRF and Local File Disclosure via FFmpeg](https://www.youtube.com/watch?v=3Z_f69OIQuw)

- [Muhammad Junaid: Flickr (Yahoo!) SSRF and Local File Disclosure](https://www.youtube.com/watch?v=v3YQqTb5geU)

- [Corben Leo: SMTP Access via SSRF in HackerTarget API](https://www.youtube.com/watch?v=F_sC_OrSkIc)

- [Nikhil Mittal: HootSuite SSRF Vulnerability POC](https://www.youtube.com/watch?v=L9bGSNmlJXU)

- [Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)

- [Crazy Danish Hacker: Server-Side Request Forgery (SSRF) - Web Application Security Series #1](https://www.youtube.com/watch?v=K_ElxRc9LLk)

- [LiveOverFlow: PHP include and bypass SSRF protection with two DNS A records - 33c3ctf list0r (web 400)](https://www.youtube.com/watch?v=PKbxK2JH23Y)

- [Nahamsec: Owning the Clout through SSRF & PDF Generators - Defcon 27 - (SSRF on ads.snapchat.com)](https://www.youtube.com/watch?v=Gcab8sLBmnk)

- [Tutorials Point (India) Pvt. Ltd: Penetration Testing - Server Side Request Forgery (SSRF)](https://www.youtube.com/watch?v=_IVjvNelzMw)

- [AppSec EU15 - Nicolas Gregoire - Server-Side Browsing Considered Harmful](https://www.youtube.com/watch?v=8t5-A4ASTIU)

#### Tools

- [Bcoles - SSRF Proxy](https://bcoles.github.io/ssrf_proxy/)

- [Daeken - SSRFTest](https://github.com/daeken/SSRFTest)

- [Daeken - httprebind](https://github.com/daeken/httprebind)

#### CTF/Labs

- [Bugbounty Notes SSRF Challenge](https://www.bugbountynotes.com/challenge?id=33)

- [Portswigger SSRF labs](https://portswigger.net/web-security/ssrf)

- [m6a-UdS SSRF Lab](https://github.com/m6a-UdS/ssrf-lab)

- [Pentester Lab Pro account: Essential: Server Side Request Forgery 01](https://pentesterlab.com/exercises/ssrf_01/course)

- [Pentester Lab Pro account: Essential: Server Side Request Forgery 02](https://pentesterlab.com/exercises/ssrf_02/course)

- [Pentester Lab Pro account: Essential: Server Side Request Forgery 03](https://pentesterlab.com/exercises/ssrf_03/course)

- [Pentester Lab Pro account: Essential: Server Side Request Forgery 04](https://pentesterlab.com/exercises/ssrf_04/course)

- [Se8S0n SSRF Lab Guide](https://se8s0n.github.io/2019/05/19/SSRF-LABS%E6%8C%87%E5%8D%97/)