Vulnerability: Server-Side Request Forgery (SSRF)

gayatri r
2 min read · May 23, 2020


Vulnerability Category: A6 - Security Misconfiguration

Vulnerability Description: Server-Side Request Forgery (SSRF) refers to an attack in which an attacker is able to make a vulnerable web application send a crafted request on their behalf.

Put simply: the attacker asks the server to fetch a URL for them.


GET /?url= HTTP/1.1

Here the server fetches whatever URL is supplied in the url parameter.

Types of SSRF:

Basic: the response is displayed to the attacker. After the server fetches the URL the attacker supplied, it returns the fetched content to the attacker.

Blind: the response is not displayed directly. The existence of the vulnerability is inferred by observing response status codes and response times.

Things to remember while checking for SSRF

● Try other URL schemes to read internal resources and make the server perform actions (file:///, dict://, ftp://, gopher://, ...)


● SSRF can be chained into remote code execution (RCE).

● On cloud-hosted services, SSRF can expose sensitive tokens, credentials or instance metadata.


● It is strongly advised to use a whitelist of allowed domains and protocols from which the web server may fetch remote resources.
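The whitelist advice above, worked through in code. This is an added example written for this page, not code from the original post: a fetch-URL policy that allows only an approved scheme, port and host list, and additionally checks the addresses the host resolves to so that an approved name cannot point the fetcher at loopback, private ranges or the link-local metadata range. The host names, the FAKE_DNS answers and the function names are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy values for this example; an application would load its own.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Address ranges a server-side fetcher should never reach. 169.254.0.0/16 is the
# link-local range where cloud instance metadata services are exposed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class SSRFBlocked(ValueError):
    """Raised when a URL fails the fetch policy."""


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls inside a blocked range."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) is judged by its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """Resolve every A and AAAA record for host (real DNS; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolve=resolve_all) -> tuple:
    """Check url against the policy. Returns (url, resolved_ips) or raises SSRFBlocked."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {scheme or '(none)'}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not allowed: {host or '(none)'}")
    try:
        port = parts.port
    except ValueError:
        raise SSRFBlocked("malformed port")
    if port is not None and port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    # An allowed name can still point at an internal address (misconfigured or
    # attacker-controlled DNS), so the resolved addresses are checked as well.
    ips = resolve(host)
    if not ips:
        raise SSRFBlocked(f"{host} does not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise SSRFBlocked(f"{host} resolves to blocked address {ip}")
    return url, ips


def fetch_allowed(url: str, resolve=resolve_all) -> bool:
    """Convenience wrapper: True if the URL passes, False (reason printed) if not."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except SSRFBlocked as exc:
        print(f"blocked {url!r}: {exc}")
        return False


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "cdn.example.com": ["169.254.169.254"],   # allowed name pointing at metadata
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/logo.png",
        "https://cdn.example.com/x",
        "file:///etc/passwd",
        "https://user@images.example.com/",
        "https://images.example.com:8080/",
    ):
        print(candidate, "->", fetch_allowed(candidate, fake_resolve))
```

Two caveats for anyone adopting this pattern: the fetch that follows must connect to the address that was just validated (or the check is vulnerable to DNS rebinding between validation and connect), and the HTTP client must not follow redirects on its own, since a redirect from an allowed host to an internal one would otherwise bypass every check above; either disable redirects or re-run validate_fetch_url on every hop.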

Severity: High

CVSS v3.0 Score: 8.3

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

How to Test:

Scenario 1: Endpoints which fetch external or internal resources

Scenario 2: Change URLs in POST requests

Scenario 3: The server converts file uploads to PDF. Try injecting <iframe>, <img>, <base> or <script> tags pointing to internal services:

<iframe src="file:///etc/passwd" width="400" height="400">

<iframe src="file:///c:/windows/win.ini" width="400" height="400">
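The defensive counterpart to Scenario 3, as an added example that is not part of the original post: before an uploaded HTML document is handed to the PDF converter, the elements named above (and the other fetch-capable ones) are stripped, and <img> survives only when its src is an HTTPS URL on an assumed allowlisted host. The allowed host, the SAMPLE_UPLOAD document and the class and function names are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy for this example: only images served over HTTPS from this
# host may be referenced by a document that the converter will render.
ALLOWED_IMG_HOSTS = {"images.example.com"}
# Elements that make the converter fetch or execute something; removed outright.
DROP_TAGS = {"iframe", "base", "script", "object", "embed", "link", "meta"}
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "base", "source"}


def img_src_allowed(src: str) -> bool:
    parts = urlsplit(src)
    return parts.scheme.lower() == "https" and (parts.hostname or "").lower() in ALLOWED_IMG_HOSTS


class ConverterSanitizer(HTMLParser):
    """Rebuilds the document, dropping elements the converter must not follow."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # what was removed, for logging or alerting
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.dropped.append(tag)
            if tag == "script":
                self._in_script = True   # swallow the script body too
            return
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if not img_src_allowed(src):
                self.dropped.append(f"img src={src}")
                return
        attr_text = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag == "script":
                self._in_script = False
            return
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")   # conditional comments can hide markup

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize_for_conversion(html: str) -> tuple:
    """Return (sanitized_html, dropped_items)."""
    p = ConverterSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed upload resembling the payloads listed above.
SAMPLE_UPLOAD = (
    '<html><body><p>Report</p>'
    '<iframe src="file:///etc/passwd" width="400" height="400"></iframe>'
    '<img src="https://images.example.com/logo.png">'
    '<img src="http://127.0.0.1:8080/admin">'
    '<script>fetch("http://169.254.169.254/")</script>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_for_conversion(SAMPLE_UPLOAD)
    print(clean)
    print("dropped:", dropped)
```

Stripping markup is only the first layer: HTML-to-PDF engines also fetch through CSS url() values, SVG references and XML external entities, so the converter itself should run in a sandbox with no route to internal networks or the metadata address, and the dropped list should feed the application's logs so that uploads carrying these elements are visible to the security team.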

Scenario 4: File uploads

When there is a file upload and you see input type="file" in the request, try changing it to input type="url" and passing a URL.

Tools to use:

1) SSRFmap

2) Match and Replace script for Burp Suite


Note: This is just a draft for submitting vulnerabilities in programs, and I will also update the content.



gayatri r

#infosec enthusiast, pentester