Awesome SSRF writeups

AllThingsSSRF

This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location

This is currently work in progress I will add more resources as I find them.

Created By @jdonsec

Learn What is SSRF

• Vickie Li: Intro to SSRF
• Vickie Li: Exploiting SSRFs
• Detectfy – What is server side request forgery (SSRF)?
• What is SSRF By Netsparker
• Hackerone How To: Server-Side Request Forgery(SSRF)
• Nahamsec/Daeken – OWNING THE CLOUT THROUGH SSRF AND PDF GENERATORS
• Orange Tsai A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!
• Infosec Institute SSRF Introduction
• SSRF bible
• Book of Bugbounty Tips
• Cujanovic – SSRF Testing
• EdOverflow – Bugbounty-Cheatsheet
• @ONsec_lab SSRF pwns: New techniques and stories
• Swissky – Payload All The Things SSRF
• HAHWUL
• Acunetix – What is Server Side Request Forgery(SSRF)?
• xI17dev – SSRF Tips
• SaN ThosH SSRF – Server Side Request Forgery (Types and ways to exploit it) Part-1
• SaN ThosH SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2
• AUXY Blog – SSRF in Depth
• CTF Wiki – SSRF Introduction
• Orangetw – CTF SSRF Writeup

Writeups

• @albinowax Cracking the lens: targeting HTTP’s hidden attack-surface [NEW Credit to @atul_hax]
• NoGe: Serer Side Request Forgery (SSRF) Testing
• @leonmugen: SSRF Reading Local Files from DownNotifier server
• Fireshell Security Team: SunshineCTF – Search Box Writeup
• SSRF vulnerability via FFmpeg HLS processing
• Escalating SSRF to RCE
• Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read!
• Chris Young: SSRF – Server Side Request Forgery
• Day Labs: SSRF attack using Microsoft’s bing webmaster central
• Elber Andre: SSRF Tips SSRF/XSPA in Microsoft’s Bing Webmaster Central
• Valeriy Shevchenko: SSRF Vulnerability due to Sentry misconfiguration
• Vickie Li: Bypassing SSRF Protection
• Vickie Li: SSRF in the Wild
• Tug Pun: From SSRF to Local File Disclosure
• Neeraj Sonaniya: Reading Internal Files using SSRF vulnerability
• Pratik yadav: Ssrf to Read Local Files and Abusing the AWS metadata
• Shorebreak Security: SSRF’s up! Real World Server-Side Request Forgery (SSRF)
• Hack-Ed: A Nifty SSRF Bug Bounty Write Up
• abcdsh Asis 2019 Quals – Baby SSRF
• W00troot: How I found SSRF on TheFacebook.com
• Deepak Holani: Server Side Request Forgery(SSRF){port issue hidden approch }
• Brett Buerhaus: SSRF Writeups
• GeneralEG: Escalating SSRF to RCE
• Coen Goedegebure: How I got access to local AWS info via Jira
• Corben Leo: Hacking the Hackers: Leveraging an SSRF in HackerTarget
• Orange Tsai: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
• Peter Adkins: Pivoting from blind SSRF to RCE with HashiCorp Consul
• pwntester: hackyou2014 Web400 write-up
• Azure Assassin Alliance SSRF Me
• 003Random’s Blog: H1-212 CTF ~ Write-Up
• Bubounty POC SSRF Bypass in private website
• Peerlyst: Top SSRF Posts
• Elber “f0lds” Tavares: $1.000 SSRF in Slack
• Kongweinbin: Write-up for Gemini Inc: 1
• LiveOverFlow: SSRF targeting redis for RCE via IPv6/IPv4 address embedding chained with CLRF injection in the git:// protocol.
• GitLab SSRF in project integrations (webhook)
• Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks – Part 1: The basics
• Maxime Leblanc: Server-Side Request Forgery (SSRF) Attacks — Part 2: Fun with IPv4 addresses
• Maxime Leblanc: Server-Side Request Forgery (SSRF) — Part 3: Other advanced techniques
• Maxime Leblanc: Privilege escalation in the Cloud: From SSRF to Global Account Administrator
• Asterisk Labs: Server-side request forgery in Sage MicrOpay ESP
• EdOverflow: Operation FGTNY 🗽 – Solving the H1-212 CTF
• Alyssa Herrera: Piercing the Veil: Server Side Request Forgery to NIPRNet access
• Alyssa Herrera: Wappalyzer SSRF Write up
• Contribution by $root: Whomai – Harsh Jaiswal: Vimeo SSRF with code execution potential.
• Agarri: Server-side browsing considered harmful

Hackerone Reports

• #223203 SVG Server Side Request Forgery (SSRF)
• 115857 SSRF and local file read in video to gif converter
• 237381 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
• 228377 SSRF in upload IMG through URL
• 302885 ImageMagick GIF coder vulnerability leading to memory disclosure
• 392859 Sending Emails from DNSDumpster – Server-Side Request Forgery to Internal SMTP Access
• 395521 SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
• 285380 www.threatcrowd.org – SSRF : AWS private key disclosure
• 287762 SSRF protection bypass
• 115748 SSRF in https://imgur.com/vidgif/url
• 508459 SSRF in webhooks leads to AWS private keys disclosure
• 643622 SSRF In Get Video Contents
• 398641 D0nut: SSRF on duckduckgo.com/iu/
• 398799 Jobert Abma (jobert): Unauthenticated blind SSRF in OAuth Jira authorization controller
• 369451 Dylan Katz (plazmaz): SSRF in CI after first run
• 341876 André Baptista (0xacb): SSRF in Exchange leads to ROOT access in all instances
• 374737 ruvlol (ruvlol): Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
• 386292 Elb (elber): Bypass of the SSRF protection in Event Subscriptions parameter
• 411865 Robinooklay: Blind SSRF at https://chaturbate.com/notifications/update_push/
• 517461 Ninja: Blind SSRF/XSPA on dashboard.lob.com + blind code injection
• 410882 Steven Seeley: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)
• 395521 Predrag Cujanović: SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS)
• 223203 floyd: SVG Server Side Request Forgery (SSRF)
• 301924 jax: SSRF vulnerability in gitlab.com webhook
• 204513 Skansing: Infrastructure – Photon – SSRF
• 115748 Eugene Farfel: SSRF in https://imgur.com/vidgif/url
• 263169 Tung Pun: New Relic – Internal Ports Scanning via Blind SSRF
• 280511 Suresh Narvaneni: Server Side Request Forgery on JSON Feed
• 281950 Tung Pun: Infogram – Internal Ports Scanning via Blind SSRF
• 289187 Predrag Cujanović: DNS pinning SSRF
• 288183 Dr.Jones: SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)
• 288537 e3xpl0it: Server Side Request Forgery protection bypass № 2
• 141304 ylujion: Blind SSRF on synthetics.newrelic.com
• 128685 Nicolas Grégoire: SSRF on testing endpoint
• 145524 paglababa: Server side request forgery (SSRF) on nextcloud implementation.
• 115857 Slim Shady: SSRF and local file read in video to gif converter

Videos/POC

• Black Hat: Viral Video – Exploiting SSRF in Video Converters
• Hackerone: Hacker101 – SSRF
• Bugcrowd University: Server Side Request Forgery
• Muhammad Junaid: Yahoo SSRF and Local File Disclosure via FFmpeg
• Muhammad Junaid: Flickr (Yahoo!) SSRF and Local File Disclosure
• Corben Leo: SMTP Access via SSRF in HackerTarget API
• Nikhil Mittal: HootSuite SSRF Vulnerability POC
• Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 – A New Era Of SSRF – Exploiting Url Parsers – Orange Tsai
• Crazy Danish Hacker: Server-Side Request Forgery (SSRF) – Web Application Security Series #1
• LiveOverFlow: PHP include and bypass SSRF protection with two DNS A records – 33c3ctf list0r (web 400)
• Nahamsec: Owning the Clout through SSRF & PDF Generators – Defcon 27 – (SSRF on ads.snapchat.com)
• Tutorials Point (India) Pvt. Ltd: Penetration Testing – Server Side Request Forgery (SSRF)
• Hack In The Box Security Conference: HITBGSEC 2017 SG Conf D1 – A New Era Of SSRF – Exploiting Url Parsers – Orange Tsai
• AppSec EU15 – Nicolas Gregoire – Server-Side Browsing Considered Harmful

Tools

• Bcoles – SSRF Proxy
• Daeken – SSRFTest
• Daeken – httptrebind

CTF/Labs

• Bugbounty Notes SSRF Challenge
• Portswigger SSRF labs
• m6a-UdS SSRF Lab
• Pentester Lab Pro account: Essential: Server Side Request Forgery 01
• Pentester Lab Pro account: Essential: Server Side Request Forgery 02
• Pentester Lab Pro account: Essential: Server Side Request Forgery 03
• Pentester Lab Pro account: Essential: Server Side Request Forgery 04
• Se8S0n SSRF Lab Guide