Exploiting Server-Side Request Forgery

When to Use

• During authorized penetration tests when the application fetches URLs provided by users (webhooks, URL previews, file imports)
• When testing cloud-hosted applications for access to instance metadata services
• For assessing PDF generators, screenshot services, or any feature that renders external content
• When evaluating microservice architectures for internal service access via SSRF
• During security assessments of APIs that accept URL parameters for data fetching

Prerequisites

• Authorization: Written penetration testing agreement including SSRF testing scope
• Burp Suite Professional: With Collaborator for out-of-band detection
• interactsh: Open-source OOB interaction server (go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest)
• SSRFmap: Automated SSRF exploitation framework (git clone https://github.com/swisskyrepo/SSRFmap.git)
• curl: For manual SSRF payload testing
• Knowledge of target infrastructure: Cloud provider (AWS, GCP, Azure), internal IP ranges