
A Basic Approach To SSRF


Server Side Request Forgery


What is SSRF?

SSRF (Server Side Request Forgery) is an attack that lets an attacker make the server send a request on their behalf. It is a web-to-network level attack that can compromise internal machines: a request is forged and sent through the victim's server. The risk of an SSRF depends on how much information can be accessed, from low to critical.

SSRF Types

Typical SSRF

This is the basic SSRF, where the attacker can see the response to their malicious payload once it has been executed. Here we are able to perform read/write operations and observe them in the response.

Blind SSRF

In this type, the attacker cannot see the payload's response, but they can tell whether the outbound connection was made by supplying a URL pointing to their own server. The attacker has to log the output on that server. Typically, a blind SSRF is harder to exploit.

Detected an SSRF?

• Make sure the request is coming from the target system and not from your own IP

• Try to scan internal/external ports

• Try reading files

• Read AWS metadata

Why does an SSRF Occur?

Whenever a parameter makes a request to a third-party URL, it may be vulnerable to SSRF if proper filtering is not done. A developer must set a whitelist of URLs that the website is strictly allowed to access. If a whitelist is not sufficient, the developer can use a blacklist of URLs, which blocks known malicious URLs. The developer should never trust user input.

Impact of SSRF

The actual impact of an SSRF depends on how much information can be accessed or read; the severity ranges from low to high. The attacker can scan the ports of the network. If the local network is secure, they can scan the ports of any other website through the victim's network: it works like a proxy. If the file:/// and gopher:// schemes are enabled, we can read internal files as well.

An Example of Port Scanning

Here we have provided the payload for reading the local network on port 22 (SSH).

We can see the attacker was able to read SSH on port 22.


An Example of File Reading


Output of file reading: the attacker can read internal files.


Approaching the SSRF

So far we know what SSRF is and what its impact can be. In this section we will learn how to approach it and where to look for it. We will show two methods to define an approach for basic SSRF.

Import Function


Some applications integrate third-party services for importing images, for example Google Drive, Dropbox and OneDrive. When importing images from such a service into your target, make sure to intercept each and every request. You may encounter a URL or similar parameter carrying the image URL; here you can try for SSRF. The request method could be GET or POST. Here is an example:

You can change the URL parameter's value and check for SSRF.

Web Hooks

A webhook delivers data to other applications as it happens, so you get the data immediately, unlike typical APIs where you would need to poll very frequently to get it in real time. This makes webhooks much more efficient for both the provider and the consumer. The only drawback of webhooks is the difficulty of initially setting them up.

Note: not every outbound connection is an SSRF; sometimes your browser makes the request, so check the source IP in your log to see where the request is coming from.

Bypassing Basic Filters

Whenever you encounter a parameter that makes an outbound connection, that doesn't necessarily mean you can easily read files and escalate (though of course you can try). There are filters on the backend that restrict and reject the payload: blacklist and whitelist filters. Both work differently, and you have to construct your payload with that in mind.


For bypassing filters, you can visit the SSRF filter bypass cheat sheet.
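As an added example (not code from the original post), here is the kind of whitelist check the "Why does an SSRF occur?" and "Bypassing Basic Filters" sections call for: a validator that an import feature could run before fetching a user-supplied URL. The allowlisted hosts and the pluggable `resolver` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts the import feature may fetch from.
ALLOWED_HOSTS = {"drive.google.com", "www.dropbox.com"}
ALLOWED_SCHEMES = {"http", "https"}   # no file://, gopher://, etc.


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which includes the
    169.254.169.254 cloud metadata address), multicast and reserved ranges.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA answer, so a mixed answer is fully checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason). Scheme and host allowlist first, then every resolved IP."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"   # avoids ambiguous host parsing
    host = parts.hostname   # lowercased, IPv6 brackets stripped
    if not host:
        return False, "URL has no host"
    if host not in allowed_hosts:
        # Bare IP literals never match the allowlist, so they are refused here.
        return False, f"host not on allowlist: {host!r}"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to a non-public address {ip}"
    return True, "ok"
```

The DNS answer can change between this check and the actual fetch, so the same address check also belongs in the HTTP client's connection hook, and the client must not follow redirects without re-validating.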

Reading the AWS Metadata

After confirming the SSRF, we can move to the next step, where we pull data from the AWS instance: the access key, secret key and other credentials.

Here are some of the payloads that pull data from an AWS instance: [ROLE NAME], [ROLE NAME], [ID]/openssh-key



About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.
