ssrf-testing

Use when testing for SSRF in web applications, accessing internal services through SSRF, bypassing SSRF filters, auditing applications that fetch user-supplied URLs, or implementing SSRF prevention. Covers blind and non-blind SSRF, cloud metadata exploitation, protocol smuggling, and defense strategies.
Lu1sDV/skillsmd · ★ 1 · Testing & QA · score 62
Install: claude install-skill Lu1sDV/skillsmd
# SSRF Testing & Prevention

## Overview

Find, exploit, and fix Server-Side Request Forgery. SSRF tricks the server into making requests to destinations the developer never intended: internal services, cloud metadata endpoints, or any other system the server can reach but the attacker cannot reach directly.

```
Normal flow:
  User -> Server -> External API (intended)

SSRF attack:
  User sends:      url=http://169.254.169.254/latest/meta-data/
  Server ->        AWS metadata service (unintended)
  Server returns:  IAM credentials, instance info, etc.
```

## Quick Reference

| What | Details |
|------|---------|
| **OWASP** | A10:2021 Server-Side Request Forgery |
| **CWE** | CWE-918 |
| **Severity** | Critical (e.g. CVSS 9.1) when cloud metadata or internal data is exposed; lower when the request is blind or can only reach external hosts |
| **Key tools** | Burp Suite Pro (Collaborator), SSRFmap, interactsh, Gopherus |
| **Common params** | `url`, `uri`, `link`, `href`, `src`, `dest`, `redirect`, `callback`, `webhook`, `image_url`, `feed_url`, `proxy_url` |
| **Cloud metadata endpoints** | `169.254.169.254` (AWS, Azure, GCP, DigitalOcean), `metadata.google.internal` (GCP hostname for the same address), `100.100.100.200` (Alibaba Cloud). A bare GET is often not enough: AWS IMDSv2 requires a session token from `PUT /latest/api/token`, GCP requires the `Metadata-Flavor: Google` header, and Azure requires `Metadata: true`, so a reachable endpoint can still return an error to a plain fetch |
| **Blind detection** | Timing differences, out-of-band callbacks (Collaborator/interactsh), error message variations |

## When to Use

- Application fetches user-supplied URLs server-side (webhooks, URL previews, image imports, PDF generators)
- Testing for access to cloud metadata endpoints
- Auditing URL validation / allowlist bypass
- Implementing SSRF prevention controls

**When NOT to use:**

- Client-side request forgery (
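The last two "When to Use" items (auditing allowlist bypasses and implementing prevention controls) in working code. This is an added example, not code from the ssrf-testing skill or its author: a validator for user-supplied fetch URLs that rejects non-HTTP schemes and userinfo tricks, decodes every IPv4 literal form `inet_aton` accepts (decimal, hex, octal, short forms), unwraps IPv4-mapped IPv6, resolves hostnames and refuses the fetch if any answer lands in a private, link-local or metadata range. The blocklist, the `FAKE_DNS` table, the `fake_resolver` and all hostnames are assumptions constructed so the example runs offline.

```python
"""Hardened URL validation for server-side fetches (SSRF prevention).

Added example, not part of the ssrf-testing skill. The blocklist, the
FAKE_DNS answers and every hostname below are constructed for
illustration; production callers pass the default system_resolver.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Networks a server-side fetcher should never be allowed to reach.
# 169.254.0.0/16 covers the AWS/Azure/GCP/DigitalOcean metadata address;
# 100.64.0.0/10 (CGNAT) covers Alibaba Cloud's 100.100.100.200.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def ip_literal(host: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Decode host as an IP literal if it is one, else return None.

    inet_aton accepts every shorthand used to dodge string filters:
    decimal (2852039166), hex (0xa9fea9fe), octal (0251.0376.0251.0376)
    and short forms (169.254.43518, 127.1), all of which a naive
    "startswith('169.254')" check misses.
    """
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literal, brackets already stripped
    except ValueError:
        return None


def is_blocked(ip) -> bool:
    """True if ip (or the IPv4 inside an IPv4-mapped IPv6) is internal."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, detail). On success detail is the pinned IP to connect to.

    Callers must open the connection to that IP (sending the original
    Host header), disable automatic redirects and re-run this check on
    every hop; letting the HTTP client resolve the name a second time
    reopens DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"  # gopher://, file://, dict://
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # http://trusted.example@10.0.0.1/
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port not allowed: {port}"
    ip = ip_literal(host)
    if ip is not None:
        candidates = [ip]
    else:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed: {exc}"
        if not candidates:
            return False, "host does not resolve"
    blocked = [str(c) for c in candidates if is_blocked(c)]
    if blocked:
        # Reject if *any* answer is internal: an attacker-controlled zone
        # can return one public and one private record.
        return False, f"resolves to internal address: {', '.join(blocked)}"
    return True, str(candidates[0])


# Constructed DNS answers so the example runs offline (203.0.113.0/24 is a
# documentation range). Real code uses system_resolver.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "rebind.attacker.example": ["203.0.113.5", "10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in (
        "https://api.partner.example/feed",
        "http://169.254.169.254/latest/meta-data/",
        "http://2852039166/",               # decimal form of 169.254.169.254
        "http://0xa9fea9fe/",               # hex form
        "http://169.254.43518/",            # three-part form
        "http://[::ffff:169.254.169.254]/", # IPv4-mapped IPv6
        "http://100.100.100.200/latest/meta-data/",
        "http://rebind.attacker.example/",  # mixed public + private answers
        "http://api.partner.example@10.0.0.1/",
        "gopher://127.0.0.1:6379/_SET%20x%20y",
        "http://metadata.google.internal/computeMetadata/v1/",
    ):
        ok, detail = validate_fetch_url(u, resolver=fake_resolver)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {u:48} {detail}")
```

The validator returns the resolved IP on purpose: the fetcher should connect to that address rather than the hostname, otherwise a second lookup inside the HTTP library can return a different (internal) record than the one that was checked. The same function has to run again after each redirect, since `302 Location: http://169.254.169.254/` is the most common bypass of a validator that only looks at the first URL.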