This is a collection of writeups, cheatsheets, videos, books related to SSRF in one single location
- Host: GitHub
- URL: https://github.com/jdonsec/allthingsssrf
- Owner: jdonsec
- License: mit
- Created: 2019-08-28T21:41:30.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-01-24T17:06:30.000Z (almost 4 years ago)
- Last Synced: 2024-10-26T11:32:18.360Z (about 2 months ago)
- Size: 146 KB
- Stars: 1,215
- Watchers: 66
- Forks: 229
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-security-collection - **196** stars
README
# AllThingsSSRF
**This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location**

This is currently a work in progress. I will add more resources as I find them.
![SSRF Logo](/images/ssrf.jpg)
### Created By [@jdonsec](https://twitter.com/jdonsec)
---
#### Learn What is SSRF
- [Vickie Li: Intro to SSRF](https://medium.com/swlh/intro-to-ssrf-beb35857771f)
- [Vickie Li: Exploiting SSRFs](https://medium.com/@vickieli/exploiting-ssrfs-b3a29dd7437)
- [Detectify - What is server side request forgery (SSRF)?](https://blog.detectify.com/2019/01/10/what-is-server-side-request-forgery-ssrf/)
- [What is SSRF By Netsparker](https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/)
- [Hackerone How To: Server-Side Request Forgery(SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
- [Nahamsec/Daeken - OWNING THE CLOUT THROUGH SSRF AND PDF GENERATORS](https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/edit#slide=id.p)
- [Orange Tsai: A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)
- [Infosec Institute SSRF Introduction](https://resources.infosecinstitute.com/the-ssrf-vulnerability/)
- [SSRF bible](https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/SSRFbible%20Cheatsheet.pdf)
- [Book of Bugbounty Tips](https://gowsundar.gitbook.io/book-of-bugbounty-tips/ssrf)
- [Cujanovic - SSRF Testing](https://github.com/cujanovic/SSRF-Testing)
- [EdOverflow - Bugbounty-Cheatsheet](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/ssrf.md)
- [@ONsec_lab SSRF pwns: New techniques and stories](https://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Vladimir%20Vorontsov%20and%20Alexander%20Golovko%20-%20SSRF%20PWNs%20-%20New%20Techniques%20and%20Stories.pdf)
- [Swissky - Payload All The Things SSRF](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
- [HAHWUL](https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html)
- [Acunetix - What is Server Side Request Forgery(SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
- [xI17dev - SSRF Tips](https://blog.safebuff.com/2016/07/03/SSRF-Tips/)
- [SaN ThosH SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
- [SaN ThosH SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0)
- [AUXY Blog - SSRF in Depth](http://www.auxy.xyz/research/2017/07/06/all-ssrf-knowledge.html)
- [CTF Wiki - SSRF Introduction](https://ctf-wiki.github.io/ctf-wiki/web/ssrf/)
- [Orangetw - CTF SSRF Writeup](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/README.md#ssrfme)
#### Writeups
- [@albinowax Cracking the lens: targeting HTTP's hidden attack-surface](https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface) [NEW Credit to @atul_hax]
- [NoGe: Server Side Request Forgery (SSRF) Testing](https://medium.com/bugbountywriteup/server-side-request-forgery-ssrf-testing-b9dfe57cca35)
- [@leonmugen: SSRF Reading Local Files from DownNotifier server](https://www.openbugbounty.org/blog/leonmugen/ssrf-reading-local-files-from-downnotifier-server/)
- [Fireshell Security Team: SunshineCTF - Search Box Writeup](https://fireshellsecurity.team/sunshinectf-search-box/)
- [SSRF vulnerability via FFmpeg HLS processing](https://medium.com/@valeriyshevchenko/ssrf-vulnerability-via-ffmpeg-hls-processing-f3823c16f3c7)
- [Escalating SSRF to RCE](https://medium.com/cesppa/escalating-ssrf-to-rce-f28c482eb8b9)
- [Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read!](https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326)
- [Chris Young: SSRF - Server Side Request Forgery](https://chris-young.net/2018/04/13/ssrf-server-side-request-forgery/)
- [Day Labs: SSRF attack using Microsoft's bing webmaster central](https://blog.0daylabs.com/2015/08/09/SSRF-in-Microsoft-bing/)
- [Elber Andre: SSRF Tips SSRF/XSPA in Microsoft’s Bing Webmaster Central](https://medium.com/@elberandre/ssrf-trick-ssrf-xspa-in-microsofts-bing-webmaster-central-8015b5d487fb)
- [Valeriy Shevchenko: SSRF Vulnerability due to Sentry misconfiguration](https://medium.com/@valeriyshevchenko/ssrf-vulnerability-due-to-sentry-misconfiguration-5e758bdb4e44)
- [Vickie Li: Bypassing SSRF Protection](https://medium.com/@vickieli/bypassing-ssrf-protection-e111ae70727b)
- [Vickie Li: SSRF in the Wild](https://medium.com/swlh/ssrf-in-the-wild-e2c598900434)
- [Tug Pun: From SSRF to Local File Disclosure](https://medium.com/@tungpun/from-ssrf-to-local-file-disclosure-58962cdc589f)
- [Neeraj Sonaniya: Reading Internal Files using SSRF vulnerability](https://medium.com/@neerajedwards/reading-internal-files-using-ssrf-vulnerability-703c5706eefb)
- [Pratik yadav: Ssrf to Read Local Files and Abusing the AWS metadata](https://medium.com/@pratiky054/ssrf-to-read-local-files-and-abusing-the-aws-metadata-8621a4bf382)
- [Shorebreak Security: SSRF’s up! Real World Server-Side Request Forgery (SSRF)](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
- [Hack-Ed: A Nifty SSRF Bug Bounty Write Up](https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/)
- [abcdsh Asis 2019 Quals - Baby SSRF](https://abcdsh.blogspot.com/2019/04/writeup-asis-2019-quals-baby-ssrf.html)
- [W00troot: How I found SSRF on TheFacebook.com](https://w00troot.blogspot.com/2017/12/how-i-found-ssrf-on-thefacebookcom.html)
- [Deepak Holani: Server Side Request Forgery(SSRF){port issue hidden approch }](https://medium.com/@w_hat_boy/server-side-request-forgery-ssrf-port-issue-hidden-approch-f4e67bd8cc86)
- [Brett Buerhaus: SSRF Writeups](https://buer.haus/tag/ssrf/)
- [GeneralEG: Escalating SSRF to RCE](https://generaleg0x01.com/2019/03/10/escalating-ssrf-to-rce/)
- [Coen Goedegebure: How I got access to local AWS info via Jira](https://www.coengoedegebure.com/how-i-got-access-to-local-aws-info-via-jira/)
- [Corben Leo: Hacking the Hackers: Leveraging an SSRF in HackerTarget](https://www.corben.io/hackertarget/)
- [Orange Tsai: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
- [Peter Adkins: Pivoting from blind SSRF to RCE with HashiCorp Consul](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)
- [pwntester: hackyou2014 Web400 write-up](http://www.pwntester.com/tag/ssrf/)
- [Azure Assassin Alliance SSRF Me](https://ctftime.org/writeup/16067)
- [003Random’s Blog: H1-212 CTF ~ Write-Up](https://poc-server.com/blog/2017/11/20/h1-212-ctf-write-up/)
- [Bugbounty POC: SSRF Bypass in private website](https://bugbountypoc.com/ssrf-bypass-in-private-website/)
- [Peerlyst: Top SSRF Posts](https://www.peerlyst.com/tags/ssrf)
- [Elber "f0lds" Tavares: $1.000 SSRF in Slack](https://fireshellsecurity.team/1000-ssrf-in-slack/)
- [Kongwenbin: Write-up for Gemini Inc: 1](https://kongwenbin.com/write-up-for-gemini-inc-1/#more-1548)
- [LiveOverFlow: SSRF targeting redis for RCE via IPv6/IPv4 address embedding chained with CLRF injection in the git:// protocol.](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/)
- [GitLab SSRF in project integrations (webhook)](https://gitlab.com/gitlab-org/gitlab-ce/issues/53242)
- [Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks - Part 1: The basics](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-1-the-basics-a42ba5cc244a)
- [Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks — Part 2: Fun with IPv4 addresses](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-attacks-part-2-fun-with-ipv4-addresses-eb51971e476d)
- [Maxime Leblanc: Server-Side Request Forgery (SSRF) — Part 3: Other advanced techniques](https://medium.com/poka-techblog/server-side-request-forgery-ssrf-part-3-other-advanced-techniques-3f48cbcad27e)
- [Maxime Leblanc: Privilege escalation in the Cloud: From SSRF to Global Account Administrator](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)
- [Asterisk Labs: Server-side request forgery in Sage MicrOpay ESP](https://labs.asteriskinfosec.com.au/tag/ssrf/)
- [EdOverflow: Operation FGTNY 🗽 - Solving the H1-212 CTF](https://edoverflow.com/2017/h1-212-ctf/)
- [Alyssa Herrera: Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
- [Alyssa Herrera: Wappalyzer SSRF Write up](https://medium.com/@alyssa.o.herrera/wappalyzer-ssrf-write-up-2dab4df064ae)
- [Contribution by $root: Whomai - Harsh Jaiswal: Vimeo SSRF with code execution potential.](https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e)
- [Agarri: Server-side browsing considered harmful](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
#### Hackerone Reports
- [#223203 SVG Server Side Request Forgery (SSRF)](https://hackerone.com/reports/223203)
- [115857 SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
- [237381 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing](https://hackerone.com/reports/237381)
- [228377 SSRF in upload IMG through URL](https://hackerone.com/reports/228377)
- [302885 ImageMagick GIF coder vulnerability leading to memory disclosure](https://hackerone.com/reports/302885)
- [392859 Sending Emails from DNSDumpster - Server-Side Request Forgery to Internal SMTP Access](https://hackerone.com/reports/392859)
- [395521 SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)](https://hackerone.com/reports/395521)
- [285380 www.threatcrowd.org - SSRF : AWS private key disclosure](https://hackerone.com/reports/285380)
- [287762 SSRF protection bypass](https://hackerone.com/reports/287762)
- [115748 SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
- [508459 SSRF in webhooks leads to AWS private keys disclosure](https://hackerone.com/reports/508459)
- [643622 SSRF In Get Video Contents](https://hackerone.com/reports/643622)
- [398641 D0nut: SSRF on duckduckgo.com/iu/](https://hackerone.com/reports/398641)
- [398799 Jobert Abma (jobert): Unauthenticated blind SSRF in OAuth Jira authorization controller](https://hackerone.com/reports/398799)
- [369451 Dylan Katz (plazmaz): SSRF in CI after first run](https://hackerone.com/reports/369451)
- [341876 André Baptista (0xacb): SSRF in Exchange leads to ROOT access in all instances](https://hackerone.com/reports/341876)
- [374737 ruvlol (ruvlol): Blind SSRF on errors.hackerone.net due to Sentry misconfiguration](https://hackerone.com/reports/374737)
- [386292 Elb (elber): Bypass of the SSRF protection in Event Subscriptions parameter](https://hackerone.com/reports/386292)
- [411865 Robinooklay: Blind SSRF at https://chaturbate.com/notifications/update_push/](https://hackerone.com/reports/411865)
- [517461 Ninja: Blind SSRF/XSPA on dashboard.lob.com + blind code injection](https://hackerone.com/reports/517461)
- [410882 Steven Seeley: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)](https://hackerone.com/reports/410882)
- [395521 Predrag Cujanović: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)](https://hackerone.com/reports/395521)
- [223203 floyd: SVG Server Side Request Forgery (SSRF)](https://hackerone.com/reports/223203)
- [301924 jax: SSRF vulnerability in gitlab.com webhook](https://hackerone.com/reports/301924)
- [204513 Skansing: Infrastructure - Photon - SSRF](https://hackerone.com/reports/204513)
- [115748 Eugene Farfel: SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
- [263169 Tung Pun: New Relic - Internal Ports Scanning via Blind SSRF](https://hackerone.com/reports/263169)
- [280511 Suresh Narvaneni: Server Side Request Forgery on JSON Feed](https://hackerone.com/reports/280511)
- [281950 Tung Pun: Infogram - Internal Ports Scanning via Blind SSRF](https://hackerone.com/reports/281950)
- [289187 Predrag Cujanović: DNS pinning SSRF](https://hackerone.com/reports/289187)
- [288183 Dr.Jones: SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)](https://hackerone.com/reports/288183)
- [288537 e3xpl0it: Server Side Request Forgery protection bypass № 2](https://hackerone.com/reports/288537)
- [141304 ylujion: Blind SSRF on synthetics.newrelic.com](https://hackerone.com/reports/141304)
- [128685 Nicolas Grégoire: SSRF on testing endpoint](https://hackerone.com/reports/128685)
- [145524 paglababa: Server side request forgery (SSRF) on nextcloud implementation.](https://hackerone.com/reports/145524)
- [115857 Slim Shady: SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
#### Videos/POC
- [Black Hat: Viral Video - Exploiting SSRF in Video Converters](https://www.youtube.com/watch?v=tZil9j7TTps&feature=youtu.be)
- [Hackerone: Hacker101 - SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
- [Bugcrowd University: Server Side Request Forgery](https://www.bugcrowd.com/resources/webinars/server-side-request-forgery/)
- [Muhammad Junaid: Yahoo SSRF and Local File Disclosure via FFmpeg](https://www.youtube.com/watch?v=3Z_f69OIQuw)
- [Muhammad Junaid: Flickr (Yahoo!) SSRF and Local File Disclosure](https://www.youtube.com/watch?v=v3YQqTb5geU)
- [Corben Leo: SMTP Access via SSRF in HackerTarget API](https://www.youtube.com/watch?v=F_sC_OrSkIc)
- [Nikhil Mittal: HootSuite SSRF Vulnerability POC](https://www.youtube.com/watch?v=L9bGSNmlJXU)
- [Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
- [Crazy Danish Hacker: Server-Side Request Forgery (SSRF) - Web Application Security Series #1](https://www.youtube.com/watch?v=K_ElxRc9LLk)
- [LiveOverFlow: PHP include and bypass SSRF protection with two DNS A records - 33c3ctf list0r (web 400)](https://www.youtube.com/watch?v=PKbxK2JH23Y)
- [Nahamsec: Owning the Clout through SSRF & PDF Generators - Defcon 27 - (SSRF on ads.snapchat.com)](https://www.youtube.com/watch?v=Gcab8sLBmnk)
- [Tutorials Point (India) Pvt. Ltd: Penetration Testing - Server Side Request Forgery (SSRF)](https://www.youtube.com/watch?v=_IVjvNelzMw)
- [AppSec EU15 - Nicolas Gregoire - Server-Side Browsing Considered Harmful](https://www.youtube.com/watch?v=8t5-A4ASTIU)
#### Tools
- [Bcoles - SSRF Proxy](https://bcoles.github.io/ssrf_proxy/)
- [Daeken - SSRFTest](https://github.com/daeken/SSRFTest)
- [Daeken - httprebind](https://github.com/daeken/httprebind)
#### CTF/Labs
- [Bugbounty Notes SSRF Challenge](https://www.bugbountynotes.com/challenge?id=33)
- [Portswigger SSRF labs](https://portswigger.net/web-security/ssrf)
- [m6a-UdS SSRF Lab](https://github.com/m6a-UdS/ssrf-lab)
- [Pentester Lab Pro account: Essential: Server Side Request Forgery 01](https://pentesterlab.com/exercises/ssrf_01/course)
- [Pentester Lab Pro account: Essential: Server Side Request Forgery 02](https://pentesterlab.com/exercises/ssrf_02/course)
- [Pentester Lab Pro account: Essential: Server Side Request Forgery 03](https://pentesterlab.com/exercises/ssrf_03/course)
- [Pentester Lab Pro account: Essential: Server Side Request Forgery 04](https://pentesterlab.com/exercises/ssrf_04/course)
- [Se8S0n SSRF Lab Guide](https://se8s0n.github.io/2019/05/19/SSRF-LABS%E6%8C%87%E5%8D%97/)