# Server-side request forgery (SSRF)

> In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Server-side_request_forgery)

* [PortSwigger - Web Security Academy - Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)

## SSRF attacks against the server itself

When a web app passes a URL (e.g. to a product) in a request, you may be able to change that URL arbitrarily and thereby make the server request that resource.\
As the request is issued by the server itself, you may be able to reach resources that are unreachable from outside.

```http
POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

someParam=http://192.168.0.42/admin
```

## Bypass filter

### Blocklists

* Using alternative IP representations of 127.0.0.1, such as 2130706433 (decimal) or 017700000001 (octal).
* Registering your own domain that resolves to 127.0.0.1.
* Using (double) URL encoding or case variations.

### Allowlists

* Using embedded credentials: `https://expected-host@evil-host`
* Using fragments: `https://evil-host#expected-host`
* Leveraging the DNS naming hierarchy with a domain that you control: `https://expected-host.evil-host`
* Combining the techniques above.

### Via open redirect vulnerability

If you find an open redirect vulnerability, you may be able to use it to bypass filters: the allowed host receives the request and then redirects the server to the internal target.

```http
POST /some/url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

someParam=/some/url?path=http://192.168.0.42/admin
```
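The defensive counterpart of the three bypass classes above (blocklist, allowlist, open redirect), as an added example that is not part of the original cheat sheet: a URL validator the server would run before issuing the request. It normalises address literals so the decimal and octal forms of 127.0.0.1 are recognised, refuses embedded credentials, matches the allowlist exactly (so `expected-host.evil-host` and the fragment trick fail), and resolves even allowlisted names so that a name pointing at an internal range is rejected. `ALLOWED_HOSTS`, `FAKE_DNS`, `fake_resolve` and the hostnames are constructed for the demo; `check_outbound_url` and its helpers are hypothetical names, not a library API.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this server is meant to fetch from.
ALLOWED_HOSTS = {"expected-host"}

# Constructed DNS table so the demo runs offline; system_resolve() is the real thing.
FAKE_DNS = {
    "expected-host": {"93.184.216.34"},
    "evil-host": {"1.2.3.4"},
    "rebind.evil-host": {"127.0.0.1"},   # attacker-owned name pointing at loopback
}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())      # empty set behaves like NXDOMAIN


def system_resolve(host):
    """Resolve host with the OS resolver; returns the set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def literal_ip(host):
    """Return an ip_address for an address literal, or None if host is a name.
    Besides dotted quads and IPv6 this accepts every shorthand inet_aton does
    (2130706433, 017700000001, 0x7f000001, 127.1), which is exactly what a
    dotted-quad-only blocklist misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_internal(ip):
    """True for loopback, link-local, RFC 1918 and every other non-global range.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it cannot hide a loopback."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=system_resolve):
    """Decide whether the server may fetch url. Returns (allowed, reason).
    allowed_hosts=None gives blocklist-only mode, the weaker of the two: the
    allowlist is the primary control, the address check is defence in depth."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    # https://expected-host@evil-host: everything before '@' is userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    host = parts.hostname
    if not host:
        return False, "no host"
    host = host.lower().rstrip(".")
    # Exact set membership, never startswith/endswith/substring: those are what
    # https://expected-host.evil-host and https://evil-host#expected-host exploit
    # (urlsplit already drops the fragment, so the hostname here is evil-host).
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    ip = literal_ip(host)
    if ip is not None:
        addresses = {ip}
    else:
        # Resolve even allowlisted names: a trusted-looking name may point at 127.0.0.1.
        addresses = {ipaddress.ip_address(a) for a in resolve(host)}
        if not addresses:
            return False, f"host {host!r} does not resolve"
    for addr in addresses:
        if is_internal(addr):
            return False, f"{host!r} points at internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://expected-host/products/1",
        "https://expected-host@evil-host/",
        "https://evil-host#expected-host",
        "https://expected-host.evil-host/",
        "http://2130706433/admin",
        "http://017700000001/admin",
        "http://[::ffff:127.0.0.1]/admin",
    ]:
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

Two caveats the validator alone does not cover: it has to be re-run on every redirect hop (turn off automatic redirects in the HTTP client and validate each `Location` before following it), otherwise the open-redirect route above still works; and the fetch should connect to the address that passed the check rather than letting the client resolve the name a second time, so that a DNS answer cannot change between check and request.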

## Blind SSRF

Blind SSRF can be detected most reliably using out-of-band (OAST) techniques, e.g. with Burp Collaborator.

E.g. passing a URL via the `Referer` header that the server then requests.
