#bugbountytips #learn #learn365 #SSRF

Let's learn SSRF in a Thread 🧵

Here are my notes on SSRF (just the basics) ->
SSRF → Server Side Request Forgery Attack

In this attack, the vulnerable server accepts the user's request without filtering it, trusts the user's input, and returns the response to the user.
The attacker forges the request in such a way that the server accepts it as legitimate and returns the response the attacker wants.

Actually, these days a server sits alongside many other technologies → internal network, WAF, databases, etc.
If the target has a feature that fetches URLs from third-party websites, trusts them, and applies no filter → then the attacker can supply their own controlled server as the "third party" and make the vulnerable server fetch internal data.
So we can say that SSRF is a vulnerability where the attacker sends malicious requests to internal servers on behalf of a vulnerable server, which forwards them without filtering.

Example →
Suppose the target has a URL-fetch feature that lets a user fetch whatever page they want, with the server accepting the URL and not filtering it.

Then the user can make the server request internal addresses like →
localhost, or an internal IP such as 192.168.0.1 or 10.0.0.1, and gather internal information.

Why does this happen?

Because there is no access control on such requests and no filtering: the server accepts the user's request as legitimate.
So, because of no access control → i.e. no privilege check → the attacker can bypass the WAF and interact with the internal network.

So, in SSRF → the attacker targets the internal network, which is not reachable from the external network, and gathers internal information from there.
Why exactly does this happen? → Because the server trusts the third-party server.

Remember → In SSRF → we can communicate with different services running on different protocols by using URI schemes.
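As an added example (not part of the thread), here is defender-side detection logic for the situation just described: a URL-fetch feature being pointed at localhost or an internal IP. It runs over a few constructed web-server access log lines, pulls the `url=` parameter out of a hypothetical `/fetch` endpoint, and flags targets that use a non-HTTP scheme, an IP literal outside the global range, or an internal-looking hostname. The log format, the `/fetch` endpoint, the `url` parameter name and the hostname suffixes are all assumptions.

```python
# Added example: flag URL-fetch requests aimed at internal targets in access logs.
# Everything here is constructed for illustration: the /fetch endpoint, the url=
# parameter and the log lines are assumptions, not taken from any real application.
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (Common Log Format). Line 1 is a benign fetch;
# lines 2-5 are the kinds of target the thread describes (loopback, link-local
# metadata address, a non-HTTP scheme, and the literal hostname "localhost").
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2023:10:00:01 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 4821
203.0.113.5 - - [10/Sep/2023:10:00:07 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 312
203.0.113.5 - - [10/Sep/2023:10:00:09 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 90
203.0.113.5 - - [10/Sep/2023:10:00:12 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 500 0
203.0.113.5 - - [10/Sep/2023:10:00:20 +0000] "GET /fetch?url=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 312
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
ALLOWED_SCHEMES = {"http", "https"}
# Assumed naming convention for internal hostnames; adjust to your environment.
INTERNAL_SUFFIXES = (".localhost", ".internal", ".local")


def classify_target(target: str) -> Optional[str]:
    """Return a reason string if `target` is somewhere a URL-fetch feature should
    never be sent, or None if it looks like an ordinary external HTTP(S) URL."""
    parts = urlparse(target)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme {scheme!r}"
    if parts.username is not None:
        return "userinfo in URL"
    host = (parts.hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)  # IP literal? (urlparse strips [] from IPv6)
    except ValueError:
        addr = None
    if addr is not None and not addr.is_global:
        # Loopback, RFC 1918, link-local (incl. 169.254.169.254), ::1, etc.
        return f"non-global address {addr}"
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return f"internal hostname {host!r}"
    return None


def scan_log(text: str, param: str = "url") -> list:
    """Parse each log line, pull the fetch target out of the query string and
    collect one finding per suspicious target."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        query = urlparse(m.group("path")).query
        for target in parse_qs(query).get(param, []):  # parse_qs percent-decodes
            reason = classify_target(target)
            if reason is not None:
                findings.append({
                    "line": lineno,
                    "src": m.group("src"),
                    "status": int(m.group("status")),
                    "target": target,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['target']} ({f['reason']}, HTTP {f['status']})")
```

The status and size columns are kept in each finding because they tell you which kind of SSRF you are looking at: a 200 with a non-zero body for an internal target means the server actually returned internal content to the caller, whereas a 500 with zero bytes suggests the request was attempted but nothing came back. This string-level rule is deliberately narrow (it cannot resolve hostnames), which is why the server-side fix has to validate the resolved address rather than the URL text.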
# Types of SSRF

- Normal SSRF →
    - We can see the response to the SSRF request in our browser or interceptor
    - A variant is error-based SSRF → where the response shows up inside an error message
- Blind SSRF →
    - We can't see the response, but the SSRF request is still executed
    - To detect it we need to set up a listener: first start the listener, then send payloads to the vulnerable application that include the listener's address, then check for callbacks on the listener
    - Listener can be → **webhook, ngrok, netcat, Burp Collaborator, VPS IP** etc.
- Time-based SSRF →
    - We can infer SSRF from the difference in response time between requests to existing and non-existing internal resources.
# Protocols used while testing SSRF →

- ftp://
- dict://
- gopher://
- file://
- ldap://
- ssh://
- smb://
- http://
- https://
# What features to test for SSRF →

- Webhooks Functionality
- File Uploading Functionality
- Fetching URL Online Functionality
- Document & Image Processing Functionality
- PDF & Document Parsing Functionality
- Proxy Services
- Host Header
- etc.
# Where to start when testing for SSRF?

- Test the following IP ranges [the most common ones, but there are more] →
    - 127.0.0.0/8
    - 192.168.0.0/16
    - 10.0.0.0/8

Resources →

en.wikipedia.org/wiki/Reserved_…

- Check common ports like → 80, 111, 8080, etc.
    - But also try a non-existent port to see how the server responds
- We need to understand the server's behaviour while doing this → like
    - Compare responses for existing vs non-existent ports → and for open vs closed ports
    - Responses like → HTML content, server banner
    - Check response time → whether a port is closed or not can be inferred from how long the server takes to respond
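The flip side of the protocol list and the reserved IP ranges above is what the server must refuse. As an added example (not the thread's code, and not any particular library's API), here is a server-side validator for a URL-fetch feature: it allows only http/https, rejects URLs carrying userinfo, resolves the hostname and refuses the fetch if any resolved address falls in a reserved range, and follows redirects by hand so each hop is validated again. The hostnames, fake DNS table and fake HTTP responses are constructed so the example runs offline; `fetch` and `resolver` are injectable so the same functions work with a real client.

```python
# Added example: server-side validation for a URL-fetch feature. This is not
# code from the thread; the host names, fake DNS table and fake HTTP responses
# below are constructed so the example runs offline.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urljoin, urlparse

# Only plain web schemes; file://, gopher://, dict://, ftp:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}
# Ranges the fetcher must never connect to: the thread's 127/8, 10/8, 192.168/16
# plus the other reserved ranges (172.16/12, link-local 169.254/16 where cloud
# metadata services live, CGNAT, multicast, and the IPv6 equivalents).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
MAX_REDIRECTS = 3


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


def is_blocked_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_url(url: str, resolver=socket.getaddrinfo) -> Tuple[str, int, List[str]]:
    """Check scheme and host, resolve the name, and refuse if ANY answer is blocked.
    Resolving (rather than pattern-matching the URL string) is what catches names
    that point at internal hosts."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeUrl("invalid port") from exc
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise UnsafeUrl(f"cannot resolve {host!r}") from exc
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise UnsafeUrl(f"no addresses for {host!r}")
    for ip in ips:
        if is_blocked_address(ip):
            raise UnsafeUrl(f"{host!r} resolves to blocked address {ip}")
    return host, port, ips


def is_refused(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        validate_url(url, resolver)
        return False
    except UnsafeUrl:
        return True


def fetch_with_validation(url: str, fetch: Callable, resolver=socket.getaddrinfo):
    """Follow redirects by hand so every hop is validated. `fetch(url, pinned_ip)`
    must not auto-follow redirects and should connect to `pinned_ip` (sending the
    original Host header / SNI) so a second DNS lookup cannot return a different,
    internal answer. It returns (status, location, body)."""
    hops = 0
    while True:
        _host, _port, ips = validate_url(url, resolver)
        status, location, body = fetch(url, ips[0])
        if status in (301, 302, 303, 307, 308) and location:
            hops += 1
            if hops > MAX_REDIRECTS:
                raise UnsafeUrl("too many redirects")
            url = urljoin(url, location)
            continue
        return status, body


# --- constructed offline stand-ins for DNS and HTTP (assumptions, not real hosts) ---
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],  # one public and one private answer
}


def fake_resolver(host, port, *args, **kwargs):
    try:
        ipaddress.ip_address(host)  # IP literals "resolve" to themselves
        answers = [host]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("constructed NXDOMAIN")
        answers = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in answers]


FAKE_HTTP = {
    "http://example.com/page": (200, None, "hello"),
    "http://example.com/redirect": (302, "http://127.0.0.1:8080/", ""),  # redirect to loopback
}


def fake_fetch(url, pinned_ip):
    return FAKE_HTTP.get(url, (404, None, ""))


if __name__ == "__main__":
    for u in ("http://example.com/page", "http://example.com/redirect", "file:///etc/hostname",
              "http://metadata.internal/", "http://mixed.test/", "http://[::1]/"):
        try:
            print(u, "->", fetch_with_validation(u, fake_fetch, fake_resolver))
        except UnsafeUrl as exc:
            print(u, "-> refused:", exc)
```

Two design points matter more than the range list. First, a name with several answers is refused if any one of them is blocked, rather than fetched if the first one happens to be public. Second, the validated address is handed to the fetcher to connect to; if the HTTP client resolves the name a second time on its own, the check and the connection can disagree and the check is worthless.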
# What can be done using SSRF →

- Scan the network for hosts,
- Port scan internal machines and fingerprint internal services,
- collect instance metadata,
- bypass access controls,
- leak confidential data,
- and even execute code on reachable machines.

Internal services that may be reachable →

- Elastic Cache
- File servers
- Databases
- Network infrastructure: switches, routers, firewalls, etc.
- Directory traversal
- Send an email using the localhost SMTP server
