# SSRF

SSRF (Server-Side Request Forgery) occurs when an attacker can force a server-side application to make HTTP requests on their behalf, to a destination of the attacker's choosing.

* It can be used to post data to, or read data from, sensitive endpoints that are only reachable from the server itself, such as the AWS and Google Cloud metadata services, internal FTP and LDAP services, and local files.
* If the application is hosted on Google Cloud or another cloud provider, try to read the metadata service, since it can return API keys and credentials.

#### Testing for SSRF

1. Look for requests that carry a URL as a parameter value.
2. If the fetched content is reflected back in the response, you may have an SSRF vulnerability.
3. Change the URL to point at the system's local host, or at a host on the local network, to find a vulnerable endpoint.

#### Example

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FIv1090AW1lJVOhsUnm5o%2Fimage.png?alt=media&#x26;token=5cd05ea8-d01f-4853-8f80-d8f11e698cb8" alt=""><figcaption><p>SSRF payload</p></figcaption></figure>

* Change the "stockApi" value to point at an admin directory on the system's local IP.
* The request is then performed by the target application against itself.
* The endpoint hosts an admin application on the local host, which is not reachable from the internet.
* Render the HTML response to see whether you can reach the internal admin application hosted on the target system.

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2F1mLZ0Cg9Gb88Mnc6rt5N%2Fimage.png?alt=media&#x26;token=eb60ae5a-6b97-4692-8bff-7de405a7071e" alt=""><figcaption><p>Admin panel hosted on the target's local host</p></figcaption></figure>
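The "stockApi" example works because the server fetches whatever URL the client supplies. The following is an added example (not code from the original page) of the server-side check that closes that gap: an allowlist of permitted hostnames plus a resolve-then-verify step that refuses any destination in loopback, private or link-local space, including the 169.254.169.254 metadata address. `validate_outbound_url`, `BLOCKED_NETWORKS` and the injectable `resolve` parameter are names I chose for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the application must never be tricked into contacting on an
# attacker's behalf: loopback, RFC 1918, link-local (where cloud metadata
# services such as 169.254.169.254 live) and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _blocked(ip):
    """True if a resolved address falls inside an internal range."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def _system_resolve(host):
    """Default resolver: every A/AAAA record the host has."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, allowed_hosts, resolve=_system_resolve):
    """Return the IPs a fetch of ``url`` may connect to, or raise ValueError.

    allowed_hosts: exact hostnames the feature legitimately needs; the
      allowlist is the primary control and the IP check is the backstop for
      a permitted name that (now) resolves to an internal address.
    resolve: hostname -> list of IP strings. Injectable so the check can be
      tested offline; the caller should connect to the returned IPs rather
      than resolving again, or a DNS rebinding answer can bypass the check.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("missing host, or credentials embedded in the URL")
    if host.rstrip(".") not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    ips = resolve(host)
    if not ips or any(_blocked(ip) for ip in ips):
        raise ValueError(f"{host!r} resolves to an internal address")
    return ips
```

The check should sit in front of the HTTP client that performs the fetch, and the client should be pointed at the returned IPs with redirects disabled, since a redirect to an internal address would otherwise re-open the hole.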
