Bypassing SSRF Protection

There’s always more to do…

Error. Requests to this address are not allowed. Please try again.

SSRF Protection Mechanisms

Companies have really caught onto the risk of SSRF attacks. As a result, most have implemented some form of SSRF protection on their web applications. There are two main types of SSRF protection mechanisms out there: blacklists (a list of addresses the server must never fetch) and whitelists (a list of destinations it is allowed to fetch, with everything else refused).

Bypassing Whitelists

Whitelists are generally harder to bypass because they are, by default, stricter than blacklists. But it is still possible if there is an open redirect vulnerability on one of the whitelisted domains.
If you can find an open redirect, you can submit a whitelisted URL that redirects to an internal URL: the whitelist check passes on the URL you submitted, while the server's HTTP client follows the redirect to the internal address. This only works if that client follows redirects automatically, so it is worth checking whether it does.

Bypassing Blacklists

However, because of application requirements (the server genuinely needs to fetch external resources), most SSRF protection mechanisms come in the form of a blacklist. If you are faced with a blacklist, there are numerous ways of tricking the server:

Fooling it with redirects

Make the server request a URL that you control which redirects to the blacklisted address. For example, you can host a file with the following content on your web server, with the blacklisted internal address as the Location value:

<?php header("Location: "); ?>

This works for the same reason as the whitelist bypass above: the blacklist is applied to the URL you submitted, not to the URL the server's HTTP client ends up following.
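The following Python script is an added example and is not code from the original post. It simulates the redirect trick offline: a constructed stand-in for the network (the hostnames attacker.example and public.example, the port and paths, and the fake responses are all assumptions) answers the attacker's URL with a 302 to an internal address, and two fetchers are run against it. The naive one validates only the URL the user supplied and then follows redirects, as an HTTP client with redirect-following enabled does; the hardened one disables automatic redirects and re-validates every hop.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_internal(url: str) -> bool:
    """Minimal check for this demo: refuse loopback/private/link-local IP
    literals.  A real hostname is treated as external here; resolving it
    safely is a separate problem not covered by this snippet."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global


# Constructed stand-in for the network: URL -> (status, headers, body).
# attacker.example plays the role of the attacker's web server; its /go
# page answers with a redirect to an internal address, like the PHP
# one-liner above would.
FAKE_NET = {
    "http://attacker.example/go": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "http://127.0.0.1:8080/admin": (200, {}, b"internal admin panel"),
    "http://public.example/": (200, {}, b"hello"),
}


def transport(url: str):
    """Pretend to perform one HTTP request without following redirects."""
    return FAKE_NET.get(url, (404, {}, b"not found"))


def fetch_naive(url: str, max_hops: int = 5):
    """Validates the submitted URL once, then follows redirects blindly."""
    if is_internal(url):
        raise ValueError("blocked: " + url)
    for _ in range(max_hops):
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # no check on the new target
            continue
        return url, body
    raise RuntimeError("too many redirects")


def fetch_hardened(url: str, max_hops: int = 5):
    """Follows redirects by hand and re-validates the target of every hop."""
    for _ in range(max_hops):
        if is_internal(url):
            raise ValueError("blocked: " + url)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise RuntimeError("too many redirects")


def demo():
    """Return (what the naive client fetched, what the hardened client did)
    for the attacker-controlled URL."""
    naive_body = fetch_naive("http://attacker.example/go")[1]
    try:
        hardened = fetch_hardened("http://attacker.example/go")[1]
    except ValueError as e:
        hardened = str(e)
    return naive_body, hardened


if __name__ == "__main__":
    print(demo())
```

With a real client the same shape applies: in `requests`, pass `allow_redirects=False` and loop over the `Location` header yourself, validating each hop before issuing the next request.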

Tricking it with DNS

Modify the A/AAAA record of a domain you control and make it point to an internal address of the victim's network. For example, take a subdomain that you own and create a custom hostname-to-IP mapping so that it resolves to an internal address. Now when the target server requests that subdomain, it believes your domain is located at the internal address and fetches data from there. This defeats a blacklist that compares the hostname as a string. A check that resolves the name first will catch it, unless the record changes between the check and the actual request (DNS rebinding), which is why a careful implementation connects to the IP address it validated instead of resolving the name a second time.

Using IPv6 addresses

Try using IPv6 addresses instead of IPv4, for example the loopback address [::1] or the IPv4-mapped form [::ffff:127.0.0.1]. The protection mechanisms implemented for IPv4 might not have been implemented for IPv6, and a check that only understands IPv4 syntax may not even recognise these as addresses.

Switching out the encoding

There are many different ways of encoding a URL or an address that don't change how a server interprets its location, but might let it slip under the radar of a blacklist. These include hex encoding, octal encoding, dword encoding, URL encoding, and mixed encoding. For example, 127.0.0.1 can be written as 0x7f.0x0.0x0.0x1 (hex), 0177.0.0.01 (octal), 0177.0.0.0x1 (mixed) or 2130706433 (dword, the whole address as a single 32-bit integer). A string comparison against "127.0.0.1" matches none of these, while the operating system's address parser, which is what the HTTP client ultimately calls, turns all of them into the same host.
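The Python below is an added example, not code from the original post, and it covers the DNS, IPv6 and encoding tricks above in one place. It lists the alternative spellings of the loopback address (a constructed input set), shows that a string-based blacklist matches none of them, and then implements the check a defender actually needs: parse the host the way the socket layer will (socket.inet_aton accepts the hex, octal, dword and short forms, which is C-library behaviour on Linux and macOS), unwrap IPv4-mapped IPv6, and classify the resulting address. The resolver is injected as a function so the demo runs offline; the hostname attacker.example and the blacklist entries are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed attacker inputs: each one reaches the loopback interface once
# the operating system parses it, yet none equals the string "127.0.0.1".
LOOPBACK_SPELLINGS = [
    "http://0x7f.0x0.0x0.0x1/",    # hex
    "http://0177.0.0.01/",         # octal
    "http://0177.0.0.0x1/",        # mixed
    "http://2130706433/",          # dword
    "http://0x7f000001/",          # dword written in hex
    "http://127.1/",               # short form, inet_aton fills in the zeros
    "http://[::1]/",               # IPv6 loopback
    "http://[::ffff:127.0.0.1]/",  # IPv4-mapped IPv6
]

# Assumed blacklist of the kind this post is about bypassing.
BLACKLIST = {"127.0.0.1", "localhost", "169.254.169.254", "10.0.0.1"}


def naive_blacklist(url: str) -> bool:
    """String comparison of the hostname against a fixed list.
    True means 'blocked'."""
    return (urlsplit(url).hostname or "") in BLACKLIST


def canonical_ip(host: str):
    """Parse HOST the way connect() will.  Returns an ipaddress object,
    or None when HOST is a real hostname rather than an IP literal."""
    if ":" in host:
        # urlsplit already stripped the square brackets from an IPv6 literal.
        try:
            return ipaddress.IPv6Address(host)
        except ValueError:
            return None
    try:
        # inet_aton accepts hex/octal/dword/short spellings exactly as the
        # C library does, so the check sees what the connection will see.
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_forbidden_ip(ip) -> bool:
    """Block anything that is not a public unicast address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return (not ip.is_global) or ip.is_multicast


def hardened_check(url: str, resolve=None) -> bool:
    """True means 'blocked'.

    RESOLVE(hostname) -> list of IP strings is injected so this runs offline.
    In production wrap socket.getaddrinfo, and then connect to the address
    you validated rather than to the hostname, so a DNS record that changes
    between the check and the request cannot redirect the connection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    ip = canonical_ip(parts.hostname)
    if ip is not None:
        return is_forbidden_ip(ip)
    if resolve is None:
        return True  # a hostname with no resolver: refuse rather than guess
    addrs = resolve(parts.hostname)
    return not addrs or any(is_forbidden_ip(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    for u in LOOPBACK_SPELLINGS:
        print(f"{u:32} naive={naive_blacklist(u)!s:5} hardened={hardened_check(u)}")
    # DNS trick: an attacker-owned name whose A record points inside the network.
    print(hardened_check("http://attacker.example/", resolve=lambda h: ["10.0.0.5"]))
```

The resolver parameter is the place where the DNS trick from the section above is caught: the constructed resolver returns an internal address for attacker.example and the hardened check rejects it, whereas the naive blacklist never looks past the hostname string.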


This is just a small portion of the bypasses that an attacker could have in their arsenal, and I'm pretty sure that there are many more creative ways out there to defeat protection and achieve SSRF.

Happy Hacking!

Next time, we’ll talk about some interesting cases of SSRFs found in the wild.

Hi there, thanks for reading. Please help make this a better resource for new hackers: feel free to point out any mistakes or let me know if there is anything I should add!

Disclaimer: Trying this on systems where you don’t have permission to test is illegal. If you’ve found a vulnerability, please disclose it responsibly to the vendor. Help make our Internet a safer place :)

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics.
