
Day 12 of 30 Days — 30 Vulnerabilities | Server Side Request Forgery (SSRF)

It4chis3c
Aug 14, 2024

Day 12: Mastering Server Side Request Forgery Vulnerability — Essential Tricks & Techniques Based on Personal Experience and Valuable POCs

[In collaboration with Abhijeet Kumawat]

Hey geeks, it4chis3c here with one more write-up on tricks & tips to detect SSRF vulnerabilities.

1. Brief Description

  • Definition: SSRF is a vulnerability that allows an attacker to force a server to make unauthorized requests to external or internal resources.
  • Impact: Can lead to unauthorized access to internal systems, data leakage, or even full control over the server.

2. Where to Detect

Input Fields:

  • URLs or IP addresses provided by users.
  • Form fields that accept URLs, such as image upload or fetch URLs.

API Endpoints:

  • APIs that fetch data from external servers.
  • Webhooks that interact with third-party services.

Third-Party Integrations:

  • Services relying on external API calls.
  • Redirects or URL shorteners.
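
The following Python is an added example, not code from the original write-up: it walks a request's query string and JSON body and lists the parameters that match the places above (values that parse as a URL or IP address, or names such as webhook, callback or redirect) so they can be queued for SSRF review. The `NAME_HINTS` list, the function names and the sample request are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed name hints for parameters that often carry a fetch target; extend per app.
NAME_HINTS = ("url", "uri", "link", "webhook", "callback", "redirect", "image", "fetch")
# Constructed sample request (not from the write-up).
SAMPLE_QUERY = "id=42&image_url=https%3A%2F%2Fcdn.example.com%2Fa.png&next="
SAMPLE_BODY = '{"name": "x", "webhook": {"target": "10.0.0.5", "retries": 3}, "callback": ""}'

def looks_like_target(value):
    """Return 'url', 'ip' or None depending on what the value parses as."""
    if not isinstance(value, str) or not value.strip():
        return None
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        pass
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return "url" if parts.scheme and parts.netloc else None

def walk(data, path=""):
    """Yield (path, value) for every leaf in nested dict/list data."""
    if isinstance(data, dict):
        for key, val in data.items():
            yield from walk(val, f"{path}.{key}" if path else str(key))
    elif isinstance(data, list):
        for i, val in enumerate(data):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, data

def ssrf_candidates(query="", json_body=None):
    """List inputs worth an SSRF review as (parameter path, reason) pairs."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if json_body:
        params["body"] = json.loads(json_body)  # JSON fields are reported under 'body.'
    found = []
    for path, value in walk(params):
        kind = looks_like_target(value)
        if kind:
            found.append((path, f"value parses as {kind}"))
        elif any(h in path.rsplit(".", 1)[-1].lower() for h in NAME_HINTS):
            found.append((path, "name suggests a fetch target"))
    return found
```

Each reported path is only a candidate: whether the server actually issues a request to the supplied value still has to be confirmed in the handler's code.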

3. How to Detect

Manual Testing:
