
SSRF Bypass (Part 2 SSRF Series) [incomplete]

What can we do with SSRF?

  1. SSRF to reflected XSS
  2. Use other URL schemes to reach internal resources and make the server perform operations (file:///, dict://, ftp://, gopher://, ...)
  3. Scan internal networks and ports
  4. If the application runs on a cloud instance, try to reach the instance metadata service

Change the writing of IP address

Some developers try to filter out intranet IPs by matching the passed URL parameter against a regular expression. For example, regular expressions like the following are used:

The bypass techniques here are the same ones used to bypass URL-redirection filters, and they apply to SSRF filters in the same way.


Single slash "/" bypass:

Missing protocol bypass:

Multi-slash "/" prefix bypass:

Bypass with "@":

Use backslash "\" to bypass:

Bypass with "#":

Bypass with "?":

Bypass with "\\":

Use "." to bypass:

Repeating special characters to bypass: .. ..


As discussed in "SSRF Intro (Part 1 SSRF Series)", there are two types of SSRF:

1. The response is shown to the attacker (basic)
2. The response is not shown to the attacker (blind)



As mentioned above, the basic type shows the response to the attacker: once the server has fetched the URL the attacker supplied, it sends the response back to the attacker. DEMO (using Ruby). Install the following package and then run the code below:

gem install sinatra

require 'sinatra'
require 'open-uri'

get '/' do
  # Vulnerable on purpose: whatever the client put in ?url= is opened without
  # any validation and the body is echoed back. With open-uri loaded,
  # Kernel#open accepts both local file paths and http(s) URLs on Ruby 2.x
  # (Ruby 3.0+ moved URL support to URI.open, so this demo targets Ruby 2.x).
  format 'RESPONSE: %s', open(params[:url]).read
end

The above code starts a local server on port 4567 (Sinatra's default).

http://localhost:4567/?url=contacts will open the local file "contacts" and display its contents in the front end
http://localhost:4567/?url=/etc/passwd will open /etc/passwd and return it in the response
http://localhost:4567/?url=https:// will make the request from the server and display the response
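As an added example (not code from the original post), here is the kind of check the handler above could run on params[:url] before calling open. It is written against the bypass list in the previous section: instead of matching the raw string with a regular expression, it parses the URL with Ruby's URI class and judges the scheme, the userinfo and every resolved address, which is what the client would actually connect to. The function check_fetch_target, the BLOCKED_RANGES list, DEFAULT_RESOLVER and the injectable resolver keyword are my own names, and the addresses used in the test below are constructed (TEST-NET ranges), not real hosts.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Added example, not code from the original post: a fetch-target check that a
# server could run on params[:url] before calling open. It works on the parsed
# URL and the resolved addresses, not on the raw string, so the "@", "#", "?",
# slash and alternate-IP-spelling tricks are judged by where the request would go.

# Address ranges a server-side fetcher should never be pointed at: loopback,
# RFC 1918, CGNAT, link-local (where cloud metadata services live) and the
# IPv6 equivalents. (Constructed list; extend it for your own network.)
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default resolver returns every A/AAAA record; the check must inspect all of
# them, because one name can map to a public and a private address at once.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Returns [true, nil] if url may be fetched, otherwise [false, reason].
# `resolver` is injectable so the check can be exercised without DNS.
def check_fetch_target(url, resolver: DEFAULT_RESOLVER)
  uri = begin
    URI.parse(url.to_s)
  rescue URI::InvalidURIError
    return [false, 'unparseable URL']
  end

  # http(s) only: this also rejects file:, dict:, ftp:, gopher: and the
  # "missing protocol" / bare-path forms, which parse with no scheme at all.
  return [false, 'scheme not allowed'] unless %w[http https].include?(uri.scheme&.downcase)
  # "user:pass@host" puts the real target after the "@"; refuse any userinfo.
  return [false, 'userinfo not allowed'] if uri.userinfo

  host = uri.hostname # strips the [] around IPv6 literals
  return [false, 'no host'] if host.nil? || host.empty?

  addresses =
    begin
      [IPAddr.new(host)] # host is already an IP literal
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
  # Fail closed: a name (or an IP spelling IPAddr does not understand) that
  # yields no addresses is refused rather than waved through.
  return [false, 'host does not resolve'] if addresses.empty?

  # ::ffff:127.0.0.1 is loopback too; compare it as the IPv4 address it wraps.
  addresses = addresses.map { |ip| ip.ipv4_mapped? ? ip.native : ip }
  blocked = addresses.find { |ip| BLOCKED_RANGES.any? { |range| range.include?(ip) } }
  return [false, "resolves to blocked address #{blocked}"] if blocked

  [true, nil]
end
```

Two caveats a practitioner should keep in mind. First, the check resolves the name once and the HTTP client resolves it again, so a name whose answer changes between the two lookups (DNS rebinding) can slip past it; either connect to the address you validated or resolve inside the client and validate there. Second, the check must see the same host the client will use: open-uri follows redirects, so a validated public URL can redirect to an internal one unless redirects are disabled or re-validated, and IP spellings that IPAddr rejects but the system resolver accepts are handled here by failing closed rather than by guessing.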

For the XSS case, have the server fetch a file from an external site that carries a malicious payload and is served with an HTML content type. Example: