Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SSRF Tricks - 1315

Corben Leo, Posted 2 Years Ago
  • The author of this Tweet has made over 500K in SSRF bugs. In this thread, they go through their best tricks. The first trick is using other URL schemes such as file:// and many others, which can lead to RCE or arbitrary file reads.
  • If you can't reach internal hosts, try alternative encodings of the IP address, for instance octal, hex, binary and others. They recommend the tool IPFuscator for generating these. Different representations of localhost such as 127.0.0.1 and 0.0.0.0 can make it possible to bypass these filters.
  • This is probably my favorite trick: if you can't hit the AWS metadata address 169.254.169.254, use the hostname instance-data, which resolves to this IP on EC2 instances. That's pretty fire and clutch that this works. On top of this, they mention knowing your technologies: different stacks have different internal endpoints to hit.
  • If you can't supply a full URL, there are still many ways to get SSRF. The @, ?, # and ; characters all have a sticky history with URL parsing. The SSRF bible is a good resource for thinking outside the box on this. The URL has 9 parts: protocol, user, password, subdomain, domain, top level domain, port, path, query and fragment.
  • Directory traversal with a relative path can be very powerful as well, since it can allow hitting unintended endpoints on the application. Justin Gardner has even more tricks.
  • Different layers of URL encoding can cause issues; Justin mentions using 3 layers of URL encoding in one exploit. Another common issue is an unescaped literal . within a regex. Although this looks fine, the . in a regex is actually a single-character wildcard, so it matches any character rather than just a dot.
  • DNS rebinding attacks: if there is a TOCTOU bug, resolve to a public IP for the initial check and then to a private one after the check has been done. In the same vein, the When TLS Hacks You technique works well too.
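From the defender's side, almost every trick in that thread is a gap in how a URL is validated before the server fetches it. The following is an added example, written for this page and not code from the thread or from Corben Leo, of a URL check that closes those gaps: it allow-lists schemes (no file://), parses the legacy numeric IPv4 forms that inet_aton accepts (hex, octal, single integer, 127.1), ignores userinfo before @, unwraps IPv4-mapped IPv6 addresses, rejects loopback, link-local (so the 169.254.169.254 metadata address and any name like instance-data that points to it) and RFC 1918 ranges, and resolves a hostname exactly once, returning a pinned IP that the caller must connect to so a later re-resolution cannot swap in a private address (the rebinding TOCTOU). The deny-list, the FAKE_DNS table and the example.com address are constructed for the demo so it runs offline; the function names are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed deny-list for this example: loopback, RFC 1918, link-local (which
# contains the cloud metadata address 169.254.169.254), "this network", and
# the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]


def parse_legacy_ipv4(host):
    """Parse numeric IPv4 forms that inet_aton (and so most HTTP clients) accept
    but ipaddress rejects: hex 0x7f000001, octal 017700000001, a single integer
    2130706433, and short forms like 127.1. Returns IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not p or "_" in p or p[0] in "+-":
            return None
        try:
            # Leading zero without x/o/b is C-style octal; int(p, 0) handles 0x/0o/0b.
            octal = len(p) > 1 and p[0] == "0" and p[1] not in "xXoObB"
            values.append(int(p, 8) if octal else int(p, 0))
        except ValueError:
            return None
    # inet_aton semantics: each value but the last is one byte; the last fills the rest.
    n = 0
    for v in values[:-1]:
        if v > 255:
            return None
        n = (n << 8) | v
    rest_bits = 8 * (4 - (len(values) - 1))
    if values[-1] >= 1 << rest_bits:
        return None
    return ipaddress.IPv4Address((n << rest_bits) | values[-1])


def is_blocked(ip):
    """True if the address, or the IPv4 inside an IPv4-mapped IPv6, is off limits."""
    candidates = [ip]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    return any(
        c.is_loopback or c.is_link_local or c.is_multicast or c.is_unspecified
        or any(c in net for net in BLOCKED_NETWORKS)
        for c in candidates
    )


def system_resolver(host):
    """Default resolver: every address the OS returns for the name."""
    return sorted({i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)})


def check_url(url, resolver=system_resolver):
    """Validate a user-supplied URL for server-side fetching. Returns scheme, the
    original host (for Host header / SNI), and the pinned ip/port to connect to.
    The caller must connect to `ip`, never re-resolve `host`: that pinning is
    what defeats DNS rebinding. Raises ValueError for anything disallowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname  # userinfo before '@' is already stripped here
    if not host:
        raise ValueError("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise ValueError("invalid port")
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            addrs = []
        if not addrs:
            raise ValueError("could not resolve %r" % host)
    for a in addrs:  # every address the name maps to must pass, not just the first
        if is_blocked(a):
            raise ValueError("blocked address %s for host %r" % (a, host))
    return {"scheme": parts.scheme, "host": host, "ip": str(addrs[0]), "port": port}


def is_rejected(url, resolver=system_resolver):
    """True if check_url refuses the URL."""
    try:
        check_url(url, resolver)
    except ValueError:
        return True
    return False


# Constructed DNS table so the demo runs offline; "instance-data" mirrors the
# EC2 behaviour described in the thread, the example.com address is made up.
FAKE_DNS = {"instance-data": ["169.254.169.254"], "example.com": ["203.0.113.10"]}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: unknown host %r" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://example.com/api", "file:///etc/passwd", "http://127.1/",
              "http://0x7f000001/", "http://017700000001/", "http://0.0.0.0/",
              "http://user@instance-data/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/"):
        print("%-48s %s" % (u, "rejected" if is_rejected(u, fake_resolver) else "allowed"))
```

The important design choice is that the validator returns the resolved address and the fetching code connects to that address while sending the original hostname in the Host header (and as SNI for TLS). Validating and then handing the original URL to an HTTP client re-resolves the name, which is exactly the check-then-use window a rebinding attack needs. The explicit legacy-IPv4 parser is there because a filter that only understands dotted-decimal will wave through 0x7f000001 or 127.1 while the client library happily connects to 127.0.0.1.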