SSRF (Server-Side Request Forgery) Demo

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

Common Attack Scenarios:

  • Internal Network Scanning: Access internal services (localhost, 127.0.0.1, 192.168.x.x)
  • Cloud Metadata Access: Access cloud provider metadata services
  • Port Scanning: Enumerate open ports on internal systems
  • File System Access: Use file:// protocol to read local files

Try These Payloads:

# Access localhost services
http://localhost:22
http://127.0.0.1:3306
http://0.0.0.0:8080

# Cloud metadata (AWS)
http://169.254.169.254/latest/meta-data/

# Internal network scanning
http://192.168.1.1
http://10.0.0.1

# File access (if supported)
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts

Protection Methods:

  • URL Validation: Whitelist allowed domains/protocols
  • Network Restrictions: Block requests to private IP ranges
  • Protocol Filtering: Only allow HTTP/HTTPS
  • Response Filtering: Limit response size and content types