ssrf-server-side-request-forgery

SKILL: Server-Side Request Forgery (SSRF) — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert SSRF techniques. Covers URL filter bypass, cloud metadata endpoints, protocol exploitation, blind SSRF detection, and chaining to RCE. Base models know basic 169.254.169.254 — this file covers what they miss. For real-world CVE chains, DNS Rebinding deep dives, K8s SSRF, and SSRF → Redis → RCE full exploitation, load the companion SCENARIOS.md.

0. QUICK START

Extended Scenarios

Also load SCENARIOS.md when you need:

  • WebLogic SSRF (CVE-2014-4210) — uddiexplorer/SearchPublicRegistries.jsp + operator parameter + %0D%0A CRLF to inject Redis commands
  • SSRF → internal Redis → write crontab reverse shell complete payload chain
  • DNS Rebinding deep dive — TTL=0 trick, initial-legit→second-internal resolution, rbndr.us service
  • Kubernetes SSRF (CVE-2020-8555) and bypass (CVE-2020-8562) via DNS rebinding
  • SSRF through PDF/screenshot generators — <iframe> and <img> in HTML-to-PDF
  • Gopher protocol full TCP injection — Redis, MySQL, FastCGI payloads via Gopherus
  • URL parser confusion for filter bypass — #@, \@, %00@, IPv6-mapped IPv4

Advanced Reference

Installs: 521
GitHub Stars: 620
First Seen: Apr 8, 2026