rules/ssrf.data

# Sources:
# - https://gist.githubusercontent.com/jhaddix/78cece26c91c6263653f31ba453e273b/raw/a4869d58a5ce337d1465c2d1b29777b9eecd371f/cloud_metadata.txt
# - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
# - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
# - https://github.com/assetnote/blind-ssrf-chains

## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
#
# To fully protect, use IMDSv2 (see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/)

http://instance-data/latest/
http://169.254.169.254/latest/

# Common evasion techniques:
http://2852039166/latest/
http://025177524776/latest/
http://0251.0376.0251.0376/latest/
http://0xA9.0xFE.0xA9.0xFE/latest/
http://0xA9FEA9FE/latest/
http://0251.254.169.254/latest/
http://[::ffff:a9fe:a9fe]/latest/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/
http://[0:0:0:0:0:ffff:169.254.169.254]/latest/
http://169.254.169.254.nip.io/latest/
http://nicob.net/redir-http-169.254.169.254:80-

# http://127.0.0.1
http://2130706433/
# http://192.168.0.1
http://3232235521/
# http://192.168.1.1
http://3232235777/
# http://169.254.169.254
http://2852039166/
# IPv6 base
http://[::]:

# localhost bypass
http://localtest.me
http://127.0.0.1.nip.io
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://127.0.0.1
http://0.0.0.0
http://localhost
http://0177.0.0.1/
http://[::1]
http://[0000::1]
http://[::ffff:127.0.0.1]
http://[0:0:0:0:0:ffff:127.0.0.1]
http://0/
http://127.1
http://127.0.1

# AWS ECS
http://169.254.170.2/v2

## Google Cloud
#  https://cloud.google.com/compute/docs/metadata/overview
#  - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"

http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
# Common evasion techniques:
http://2852039166/computeMetadata/v1/
http://025177524776/computeMetadata/v1/
http://0251.0376.0251.0376/computeMetadata/v1/
http://[::ffff:a9fe:a9fe]/computeMetadata/v1/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/computeMetadata/v1/
http://[0:0:0:0:0:ffff:169.254.169.254]/computeMetadata/v1/
http://169.254.169.254.nip.io/computeMetadata/v1/
http://0xA9.0xFE.0xA9.0xFE/computeMetadata/v1/
http://0xA9FEA9FE/computeMetadata/v1/
http://0251.254.169.254/computeMetadata/v1/

# Google gopher SSRF
gopher://metadata.google.internal

# Google allows recursive pulls
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true

## Google
#  Beta does NOT require a header atm
http://metadata.google.internal/computeMetadata/v1beta1/

## Digital Ocean
# https://developers.digitalocean.com/documentation/metadata/

http://169.254.169.254/metadata/v1.json
# This other prefix will be used from Azure: http://169.254.169.254/metadata/v1/

## Packetcloud

https://metadata.packet.net/userdata

## Azure
#
# To be effective, these also have to:
#
# - contain the header Metadata: true
# - not contain an X-Forwarded-For header

http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
# Common evasion techniques:
http://2852039166/metadata/v1/
http://025177524776/metadata/v1/
http://0251.0376.0251.0376/metadata/v1/
http://[::ffff:a9fe:a9fe]/metadata/v1/
http://[0:0:0:0:0:ffff:a9fe:a9fe]/metadata/v1/
http://[0:0:0:0:0:ffff:169.254.169.254]/metadata/v1/
http://169.254.169.254.nip.io/metadata/v1/
http://0xA9.0xFE.0xA9.0xFE/metadata/v1/
http://0xA9FEA9FE/metadata/v1/
http://0251.254.169.254/metadata/v1/

## OpenStack/RackSpace
http://169.254.169.254/openstack

## HP Helion
# (header required? unknown)
http://169.254.169.254/2009-04-04/meta-data/

## Oracle Cloud
http://192.0.0.192/latest/

## Alibaba
http://100.100.100.200/latest/meta-data/

# Rancher metadata
http://rancher-metadata/

# Local Docker
http://127.0.0.1:2375
http://2130706433:2375/
http://[::]:2375/
http://[0000::1]:2375/
http://[0:0:0:0:0:ffff:127.0.0.1]:2375/
http://2130706433:2375/
http://017700000001:2375/
http://0x7f000001:2375/
http://0xc0a80014:2375/
# Kubernetes etcd
http://127.0.0.1:2379

# Enclosed alphanumerics
http://169。254。169。254
http://169｡254｡169｡254
http://⑯⑨。②⑤④。⑯⑨｡②⑤④
http://⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ｡⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ
http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ
http://②⑧⑤②⓪③⑨①⑥⑥
http://④②⑤｡⑤①⓪｡④②⑤｡⑤①⓪
http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥
http://⓪⓪②⑤①｡⓪⓪⓪③⑦⑥｡⓪⓪⓪⓪②⑤①｡⓪⓪⓪⓪⓪③⑦⑥
http://[::①⑥⑨｡②⑤④｡⑯⑨｡②⑤④]
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]
http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧
http://⓪ⓧⓐ⑨｡⑯⑥⑧⑨⑥⑥②
http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②
http://⓪⓪②⑤①｡⓪ⓧⓕⓔ｡④③⑤①⑧

# Java only blind ssrf
jar:http://127.0.0.1!/
jar:https://127.0.0.1!/
jar:ftp://127.0.0.1!/

# Other PL1 protocols
gopher://127.0.0.1
gopher://localhost

# AWS Lambda
http://localhost:9001/2018-06-01/runtime/