BIPI

SSRF Chain Tricks: Filter Bypasses to Cloud Metadata to RCE

Cybersecurity

Server-Side Request Forgery is a doorway, not a destination. This guide walks through filter bypasses, redirect chains, DNS rebinding, and the metadata pivots that turn a blind SSRF into cloud credential theft and remote code execution.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 5, 2023 · 11 min read

#ssrf #bug-bounty #cloud-security #imds #rce

Where SSRF Lives

Any feature that fetches a URL on your behalf is a candidate. Webhooks, image proxies, PDF generators, link previews, OAuth callbacks, RSS importers, and SSO metadata endpoints all qualify.

Bypassing the Allowlist

Allowlists fail because URL parsers disagree: the validator sees one host, the HTTP client connects to another. Classic tricks include userinfo before the host (user@target), exotic schemes, and encoded characters in the hostname that the validator and the client interpret differently.

  • http://allowed.com@169.254.169.254/ confuses naive parsers
  • http://169.254.169.254%23.allowed.com/ exploits fragment handling
  • Decimal and hex IPs like http://2852039166/ bypass string filters
  • DNS records you control with A pointing to 169.254.169.254

Redirect Chains

When the fetcher follows redirects, you only need to bypass validation once. Host a 302 to the internal target and let the client walk it. Burp Collaborator is your friend for confirming blind callbacks.

DNS Rebinding

Set a short TTL, return a public IP on the first lookup, then swap to 169.254.169.254 on the second. The validator resolves once, the client resolves again. Tools like rbndr and singularity.of-this-world automate this.
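A fetcher-side validator that closes the three gaps above (parser disagreement, blind redirect following, and rebinding between the validator's lookup and the client's), added here as example code rather than anything from the post; hooks.example, rebind.example and the FAKE_DNS table are constructed stand-ins for a real resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline; real code calls
# socket.getaddrinfo() and must check every address it returns.
FAKE_DNS = {"hooks.example": "93.184.216.34",      # ordinary public host
            "rebind.example": "169.254.169.254"}   # attacker A record -> IMDS

def resolve(host):
    if host not in FAKE_DNS:
        raise ValueError("NXDOMAIN")
    return FAKE_DNS[host]

def canonical_ip(host, resolver):
    """The address the socket layer will connect to: decimal/hex literals such as
    2852039166 or 0xa9fea9fe, dotted literals, or the name's DNS answer."""
    for form in (lambda: int(host, 0), lambda: host, lambda: resolver(host)):
        try:
            return ipaddress.ip_address(form())
        except ValueError:
            continue

def check_destination(url, resolver=resolve):
    """Validate one hop; returns (ok, reason, pinned_ip). The fetcher must connect to
    pinned_ip (sending Host: <name>), never re-resolve: that defeats DNS rebinding."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if p.username is not None or p.password is not None:
        return False, "userinfo in URL", None   # http://allowed.com@169.254.169.254/
    ip = canonical_ip(p.hostname, resolver) if p.hostname else None
    if ip is None:
        return False, "host missing or does not resolve", None
    # Link-local (IMDS), RFC 1918, loopback, reserved, multicast and unspecified.
    if (ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified):
        return False, f"{p.hostname} resolves to internal address {ip}", None
    return True, "ok", str(ip)

def walk_redirects(url, fetch, max_hops=3):
    """Follow 3xx manually, re-validating every Location; fetch(url, ip) -> (status, location)."""
    for _ in range(max_hops + 1):
        ok, reason, ip = check_destination(url)
        if not ok:
            return False, reason
        status, location = fetch(url, ip)
        if status not in (301, 302, 303, 307, 308):
            return True, url
        url = location
    return False, "too many redirects"
```

The `fetch` callable is where a real HTTP client would open the socket to `ip` directly; `redirects=False` (or its equivalent) on that client is what keeps every hop passing through `check_destination`.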

Cloud Metadata Pivots

  • AWS IMDSv1 at 169.254.169.254/latest/meta-data/iam/security-credentials/
  • GCP metadata at metadata.google.internal with Metadata-Flavor: Google header
  • Azure IMDS at 169.254.169.254/metadata/identity/oauth2/token
  • Alibaba and Oracle Cloud have similar endpoints with different paths

IMDSv2 requires a PUT to fetch a session token, which blocks many GET-only SSRF primitives. Sites that still permit IMDSv1 are common in bounty scope.

Blind SSRF Confirmation

Use Burp Collaborator or interactsh to capture DNS and HTTP callbacks. Differential timing also works: internal hosts respond in milliseconds, while external ones take longer.

From SSRF to RCE

  1. Steal IAM credentials from metadata
  2. Enumerate the role's policies with aws sts get-caller-identity
  3. Find a writable S3 bucket used by Lambda or EC2 user data
  4. Drop a payload and wait for the next deploy or trigger one

Internal Services to Hit

  • Redis on 6379 with CONFIG SET dir and SLAVEOF tricks
  • Elasticsearch on 9200 with _search and scripting
  • Consul on 8500 with KV writes
  • Internal admin panels on 8080, 9090, 8443
  • Kubernetes API on 10250 and 6443

Reporting an SSRF Well

Show the full chain. Start with the entry parameter, prove the internal callback, escalate to metadata or an internal service, and quantify what an attacker could do with the role's permissions.

SSRF is rarely the prize. It is the pivot. The bounty grows with each hop you can demonstrate.

Closing

Treat every URL input as untrusted, on both the validator and the fetcher. The hunters who chain SSRF to credentials and code execution are the ones who write the highest-impact reports.
