# SSRF

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to coerce the server into making requests to arbitrary URLs.

## Tools & Resources

* <https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet>
* <https://github.com/swisskyrepo/SSRFmap>
* <https://github.com/tarunkant/Gopherus>
* <https://app.interactsh.com/>
* [https://owasp.org/www-project-top-25-parameters](https://owasp.org/www-project-top-25-parameters/#top-25-server-side-request-forgery-ssrf-parameters)

***

## Finding SSRF Vectors

{% hint style="info" %}
If you are facing a BLIND SSRF, use Burp Collaborator, [interact.sh](https://app.interactsh.com/) or a similar tool to obtain a ping back\
If you are facing a target that validates your input, check out the [PortSwigger Bypass CheatSheet](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet)
{% endhint %}

To identify potential SSRF vectors, locate `GET` or `POST` parameters used by the web application to access other resources via explicit or implicit external calls.

{% hint style="success" %}
Other than the standard `http://` and `https://` schemes, it is sometimes possible to leverage SSRF with other URL schemes such as:

* `file://` - Allows reading files from the local file system
* `gopher://` - Allows sending arbitrary bytes to other services, potentially causing remote code execution
{% endhint %}

The [OWASP top 25 vulnerable parameters list](https://owasp.org/www-project-top-25-parameters/#top-25-server-side-request-forgery-ssrf-parameters), as of the time of writing, contains:

```
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
```

## Using Gopher to send POST data

With the `http://` URL scheme, the request method is fixed by the server-side client, so a POST request cannot be sent that way. Instead, we can use the gopher URL scheme, which sends arbitrary bytes to a TCP socket. Because every byte is under our control, we can build the entire HTTP request ourselves, including a POST.

Suppose you want to send a POST request to `login.php` with username `sfoffo` and password `admin`. To send a POST request with that data, you need to URL-encode all special characters to construct a valid gopher URL. In particular, spaces (`%20`) and the CRLF line endings of the HTTP request (`%0D%0A`) must be URL-encoded.

{% hint style="success" %}
One great tool for generating gopher-based SSRF payloads is [**gopherus**](https://github.com/tarunkant/Gopherus)
{% endhint %}

After that, prefix the data with the gopher URL scheme, the target host and port, and an underscore (the underscore occupies the gopher item-type character, which is stripped before the bytes are sent), resulting in the following gopher URL:

{% code overflow="wrap" %}

```
gopher://example.sfoffo:80/_POST%20/login.php%20HTTP%2F1.1%0D%0AHost:%20example.sfoffo%0D%0AContent-Length:%2030%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Ausername%3Dsfoffo%26password%3Dadmin
```

{% endcode %}
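As an added defender-side example (not code from these notes or from any tool linked above), here is a Python validator for a user-supplied fetch URL that closes the vectors described on this page: it rejects every scheme other than `http`/`https` (so `file://` and `gopher://` URLs like the one above never reach a fetcher), refuses userinfo, resolves the host and refuses loopback, private, link-local (including IPv4-mapped IPv6) addresses. The `constructed_resolver` table, the `.test` hostnames and the blocked ranges are assumptions for this example, not a complete deny list.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}  # file:// and gopher:// are never fetched
# Loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata), CGNAT, IPv6 equivalents
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

def address_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` is injectable so the check runs offline."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"  # user@host confuses naive host checks
    host = parts.hostname
    if not host:
        return False, "missing host"  # getaddrinfo(None, port) would give loopback
    try:
        ips = {str(ipaddress.ip_address(host))}  # IP literal: no lookup needed
    except ValueError:
        try:
            infos = resolver(host, port or (443 if scheme == "https" else 80),
                             proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            return False, f"DNS lookup failed: {exc}"
        ips = {info[4][0] for info in infos}
    for ip in ips:
        if address_is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"  # connect to one of `ips`, not `host`, to defeat DNS rebinding

def constructed_resolver(host, port, proto=0):  # constructed getaddrinfo stand-in
    table = {"internal.test": "10.0.0.5", "public.test": "203.0.113.10"}
    if host not in table:
        raise socket.gaierror(f"constructed: unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (table[host], port))]
```

Pin the fetch to the address that passed the check rather than re-resolving the hostname, and apply the same check to every redirect hop the fetcher follows.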

***
