SSRF, A Practical Demo



└──╼ $whoami

- captain fr334aks


What is SSRF

  • a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. ~portswigger

  • a Web security that lets attackers send requests from the server to other resources, both internal and external, and receive responses. ~acunetix


  • Despite being old in the field, it's still a lesser-known vulnerability

  • Impactful to businesses that are not careful enough

  • If you look closely, it's almost everywhere

  • Despite not being listed in the OWASP Top 10 list in 2017, it's a probable candidate in coming years


  • Basic understanding of the web and how it works

  • Some protocols and URL schemes used by web technologies and resources

  • Basic understanding of PHP (for this lab)

  • Assuming you have found a vulnerable instance, what's next?

What to try

  • Accessing local files (file://)

  • Access local IPs

    • Local IP Bypass

    • DNS Spoofing

    • DNS Rebinding

  • Try internal asset discovery and an internal port scan (OWASP)

  • Access private content (filtered by IP or only accessible locally, like the /admin path)

How to test for SSRFs

  • The best way to discover SSRF vulnerabilities is a manual code review to see if all URL inputs are being validated. However, when source code is not available and when a full code review is not possible, efforts should be focused on testing the features that are most prone to SSRF.

  • SSRFs occur when a server requires external resources. For example, sometimes a web application would need to create a thumbnail from a URL of an image, or create a screenshot of a video from another site (like If a server doesn’t restrict access to internal resources, SSRF vulnerabilities occur.

  • The following page on allows users to upload a profile photo from the Internet

  • In order to fetch cute_pugs.jpeg from, the web application would have to visit and retrieve contents from If the server doesn’t make a distinction between internal and external resources, an attacker could just as easily request

And make the webserver display the file that contains the password to the webserver.

Features that are often vulnerable to SSRF include webhooks, file upload via URL, document and image processors, link expansion, and proxy services (these features all require visiting and fetching external resources). However, it is worth testing any endpoint that processes a user-provided URL.

How do I prevent SSRF vulnerability?

- It is recommended to avoid making network calls when they are not required, since they can also lead to sensitive information exposure, or at least to limit the ability to perform network calls to the internal network or critical resources.


We should try out some labs

Courtesy of CyberRanges