Mastering Server-Side Request Forgery (SSRF) Exploitation in 2025

Server-Side Request Forgery (SSRF) is one of the most critical web vulnerabilities professionals in cybersecurity must understand. This powerful exploit allows attackers to manipulate servers into making unauthorized requests, potentially compromising internal systems, cloud metadata, or sensitive data. With bug bounty payouts reaching as high as $50,000 for severe SSRF cases, it’s a high-stakes vulnerability for penetration testers and organizations alike.

We analyzed every publicly disclosed reporter since 2020 for SSRF. This article dives deep into SSRF, offering a comprehensive guide to its exploitation techniques, real-world examples, and actionable recommendations for professionals.

Table of Contents

1. What is SSRF?
2. Why SSRF Matters
3. SSRF Exploitation Techniques
   • Basic SSRF Exploitation
   • Exploiting Cloud Metadata Services
   • Using Different URL Schemes
   • Bypassing Restrictions
   • Exploiting Specific Features
   • Blind SSRF
   • Advanced Techniques
4. Tools for SSRF Exploitation
5. Real-World Bug Bounty Examples
6. Insights from Conferences and Blogs
7. Challenges and Considerations
8. Recommendations for Penetration Testers
9. Recommendations for Bug Bounty Programs

---

What is SSRF?

Server-Side Request Forgery (SSRF) is a web vulnerability that enables attackers to trick a server into sending requests to unintended destinations, such as internal networks, cloud metadata services, or external systems. By exploiting SSRF, penetration testers can access sensitive data, like AWS credentials, or interact with internal services, potentially leading to severe breaches. SSRF is classified under CWE-918 and is particularly dangerous in cloud-heavy or API-driven environments.

Key Characteristics

• Manipulation: Attackers inject malicious URLs into server-side request parameters.
• Impact: Ranges from data leakage to remote code execution (RCE).
• Targets: Internal systems, cloud metadata endpoints, or external services.

Why SSRF Matters

SSRF is a top target for bug bounty hunters due to its high impact and lucrative payouts, with rewards ranging from $3,500 to $50,000 for critical vulnerabilities. For organizations, SSRF poses a significant risk, especially in applications relying on cloud infrastructure or APIs. Understanding SSRF exploitation techniques is crucial for strengthening defenses and mitigating potential breaches.

Business Implications

• Financial Loss: Breaches can lead to costly downtime or data leaks.
• Reputation Damage: Exposure of sensitive data erodes customer trust.
• Compliance Risks: Violations of regulations like GDPR or HIPAA.

---

SSRF Exploitation Techniques

Below, we explore the primary methods for exploiting SSRF, drawn from bug bounty reports, conference presentations, and expert insights. These techniques are tailored for penetration testers working on authorized applications.

Basic SSRF Exploitation

Description: Involves inducing the server to request internal resources, such as http://localhost or private IPs (e.g., 10.0.0.0/8), to access restricted services like admin panels.

Techniques:

• Inject URLs into parameters (e.g., ?url=http://127.0.0.1:8080) to probe internal services.
• Target loopback interfaces or private IP ranges to discover hidden endpoints.

Example: A HackerOne report exploited an SSRF to access an internal admin panel, earning a significant bounty (HackerOne Report 285380).

Impact: Unauthorized access to internal systems, potentially leaking sensitive data.

Exploiting Cloud Metadata Services

Description: Targets cloud provider metadata endpoints to extract credentials or SSH keys, critical in AWS, Google Cloud, or DigitalOcean environments.

Techniques:

• AWS: Request http://169.254.169.254/latest/meta-data/ to retrieve IAM roles.
• Google Cloud: Query http://metadata.google.internal/computeMetadata/v1beta1/ for tokens.
• DigitalOcean: Access http://169.254.169.254/metadata/v1.json for instance metadata.

Example: A HackerOne report demonstrated AWS metadata access via SSRF, exposing credentials (HackerOne Report 53088).

Impact: Compromise of cloud credentials can lead to account takeover.

Using Different URL Schemes

Leverages non-HTTP URL schemes (e.g., file://, gopher://) to access local files or interact with services.

For example, file:// can be used to read local files, such as file:///etc/passwd, while gopher:// can send commands to services like Redis, potentially leading to remote code execution (RCE). A sample gopher:// payload for interacting with a Redis server might look like: gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aINFO%0d%0a, which sends the INFO command to a local Redis instance.

Description: Leverages non-HTTP URL schemes (e.g., file://, gopher://) to access local files or execute commands.

Techniques:

• file://: Read local files, e.g., file:///etc/passwd.
• gopher://: Send multi-line requests to services like Redis for RCE.
• Other schemes: dict://, sftp://, or ldap:// for service manipulation.

Example: An X post by @hacker_ suggested using gopher:// for Redis RCE, citing a $565,766 bounty total.

Impact: File disclosure or RCE in vulnerable configurations.

Bypassing Restrictions

Circumvents host, protocol, or IP restrictions using techniques like open redirects, DNS rebinding, or alternative IP encodings. For instance, to bypass IP restrictions, an attacker might encode 127.0.0.1 as 2130706433 (decimal format) or use an open redirect, such as https://trusted.com/redirect?url=http://internal.resource, to trick the server into requesting an internal resource.

Sub-Techniques:

• Host Whitelists: Use open redirects or DNS rebinding (e.g., 127.0.0.1.nip.io).
• Protocol Whitelists: Specify protocols like // to bypass restrictions.
• IP Restrictions: Use alternative IP encodings (e.g., octal: 0177.0.0.1).

Example: An X post by @Rhynorater described bypassing regex validation in many different ways. It’s an excellent thread

Impact: Access to restricted resources, escalating SSRF severity.

Exploiting Specific Features

Description: Targets application features like PDF generators or webhooks that process user-supplied URLs.

Sub-Techniques:

• PDF Generators: Inject HTML (e.g., <iframe src="http://169.254.169.254">) to trigger SSRF.
• Webhooks/Proxies: Supply malicious URLs to fetch internal resources.

Example: A DEFCON 27 presentation exploited WeasyPrint to read /etc/passwd (DEFCON 27 Presentation).

Impact: File disclosure or RCE in vulnerable features.

Blind SSRF

Description: Exploits SSRF without direct response feedback, using indirect indicators like time delays.

Techniques:

• Perform port scanning by observing response times.
• Interact with non-HTTP services (e.g., SMTP) and analyze errors.
• Use time-based enumeration to identify subnets.

Example: A HackerOne report used blind SSRF to enumerate Google Cloud services (HackerOne Report 341876).

Impact: Network reconnaissance for further exploitation.

Advanced Techniques

DNS Rebinding:

• Bypasses host validation by switching a domain’s IP to a restricted one (e.g., 169.254.169.254).
• Example: DEFCON 27 used HTTPRebind for Headless Chrome SSRF.

Second-Order SSRF:

• Stores malicious input for later use in internal requests.
• Example: Intigriti Blog described second-order SSRF in API calls.

Chaining with Other Vulnerabilities:

• Combines SSRF with command injection for greater impact.
• Example: A $4,000 bounty chained SSRF with command injection (thehackerish Write-up).

Impact: High-severity outcomes, including RCE.

---

Tools for SSRF Exploitation

• HTTPRebind: Automates DNS rebinding by switching a domain’s IP mid-request, useful for bypassing host validation in SSRF attacks (GitHub).
• SSRFTest: A tool for testing SSRF vulnerabilities by sending crafted requests and analyzing responses to extract metadata or confirm exploitation (GitHub).
• Burp Suite: A comprehensive toolkit for web application testing, including features for enumerating API endpoints and testing SSRF payloads
• Subfinder/Amass: Tools for subdomain enumeration, helping identify potential SSRF targets like api.* subdomains.

---

Real-World Bug Bounty Examples

Report Title	Company	Technique	Bounty	Source
SSRF in Cloud Environment	Unspecified	AWS Metadata Access	Unspecified	HackerOne Report 285380
SSRF via URL Parameter	Unspecified	Basic SSRF to Internal Service	Unspecified	HackerOne Report 53088
Blind SSRF in Google Cloud	Google	Network Enumeration	Unspecified	HackerOne Report 341876
SSRF in Search.gov	GSA	Bypassing URL Protection with LF	$150	HackerOne Report 514224
SSRF Chained to RCE	Unspecified	SSRF + Command Injection	$4,000	thehackerish Write-up

---

Insights from Conferences and Blogs

• DEFCON 27 (2019): Ben Sadeghipour’s talk detailed SSRF via PDF generators, exploiting tools like WeasyPrint to access sensitive files.
• Intigriti (2024): A guide covering basic to advanced SSRF, including DNS rebinding.
• Medium by SaN ThosH (2019): Detailed cloud metadata attacks and URL scheme exploitation.
• X Posts: Experts like @hacker_ and @Rhynorater shared tricks, such as using gopher:// for RCE.

---

Challenges and Considerations

• Dynamic Content: Some bug bounty reports are inaccessible due to authentication barriers.
• Blind SSRF: Proving impact requires creative enumeration techniques.
• Evolving Defenses: Stricter URL validation demands advanced bypasses like DNS rebinding.

---

Recommendations for Penetration Testers

1. Target API Endpoints: Test api.* subdomains for SSRF vulnerabilities.
2. Probe Cloud Environments: Always check for metadata endpoints in AWS or Google Cloud.
3. Use Creative Bypasses: Experiment with URL schemes and IP encodings.
4. Craft Detailed PoCs: Demonstrate data exfiltration to maximize bounty rewards.

---

Recommendations for Bug Bounty Programs

1. Scope High-Risk Assets: Include api.* and webhook endpoints in scope.
2. Validate Inputs: Use strict allowlists for URLs and IPs.
3. Reward Impactful Reports: Offer bonuses for detailed PoCs to encourage quality submissions.

---

Conclusion

SSRF remains a potent vulnerability in 2025, with exploitation methods ranging from basic internal requests to sophisticated cloud metadata attacks. For penetration testers, mastering these techniques can uncover critical flaws in authorized applications. For organizations, robust input validation and scoped bug bounty programs are essential to mitigate risks. By leveraging the insights and tools outlined in this guide, professionals can stay ahead of SSRF threats and secure their systems effectively.

Key Citations

• Intigriti: Complete Guide to Exploiting Advanced SSRF Vulnerabilities
• Medium: SSRF Types and Exploitation Part-1 by SaN ThosH
• DEFCON 27: Owning the Clout through SSRF and PDF Generators
• DEFCON 27: API-Induced SSRF Demo Video
• HackerOne: SSRF in Cloud Environment Report 285380
• HackerOne: SSRF via URL Parameter Report 53088
• HackerOne: Blind SSRF in Google Cloud Report 341876
• HackerOne: SSRF in Search.gov Report 514224
• thehackerish: SSRF to $4000 Bounty Write-up
• GitHub: HTTPRebind for DNS Rebinding
• GitHub: SSRFTest for SSRF Testing
• GitHub: AllThingsSSRF Resource Collection
• PortSwigger: SSRF Tutorial and Examples
• Medium: Advanced SSRF Techniques Part-3 by Maxime Leblanc
• X Post: SSRF Tricks by @hacker_
• X Post: SSRF Tips by @Rhynorater