Skip to content

FAQ

Jump to bottom
Brendan Coles edited this page Dec 24, 2017 · 13 revisions

Frequently asked questions:

  • Is SSRF using XXE supported?
  • Is SSRF using request smuggling / CRLF injection supported?
  • Is SSRF using unsafe redirects supported?
  • Are persistent HTTP connections supported?
  • Is HTTP CONNECT tunneling supported?
  • Is proxychains supported?
  • Is SSL Tunneling supported?
  • Are client HTTPS requests supported?
  • Are any protocols other than HTTP(S) supported?
  • Are SSRF requiring multiple requests supported?
  • Are upstream proxies supported?
  • Is it possible to chain multiple SSRF together?

Is SSRF using XXE supported?

Yes, check out the XXE example on the Configuration Examples page.

Is SSRF using request smuggling / CRLF injection supported?

No, request smuggling / HTTP request splitting / CRLF injection is not supported.

Is SSRF using unsafe HTTP redirects supported?

No, exploitation of SSRF via unsafe HTTP redirects is not supported.

Are persistent HTTP connections supported?

No, HTTP Keep-Alive / Connection: keep-alive is not supported. Every client request requires a new TCP connection.

Is HTTP CONNECT tunneling supported?

The HTTP CONNECT verb is supported. SSRF Proxy will attempt to connect to the destination server via the configured SSRF and, if successful, will send the subsequent client HTTP request.

Note that only one HTTP request is permitted for every CONNECT request. As such, using SSRF Proxy as a CONNECT proxy will result in two requests to the SSRF server for every client request.

SSL tunneling is not supported.

Is proxychains supported?

Yes. Check out the proxychains example on the Supported Tools page.

The HTTP CONNECT verb is supported. SSRF Proxy will attempt to connect to the destination server via the configured SSRF and, if successful, will send the subsequent client HTTP request.

Note that only one HTTP request is permitted for every CONNECT request. As such, using SSRF Proxy as a CONNECT proxy will result in two requests to the SSRF server for every client request.

SSL tunneling is not supported.

Is SSL Tunneling supported?

No.

Are client HTTPS requests supported?

Yes, HTTPS requests are supported by the SSRFProxy::HTTP#send_uri() method in the Ruby library.

The SSRF Proxy server is not a HTTPS proxy and does not support SSL tunneling, however a workaround exists.

When the ssl rule is specified SSRF Proxy will change the URL scheme to https for all client requests. This effectively allows communications with third-party servers using HTTPS. Note that changing the rules requires restarting the proxy.

Are any protocols other than HTTP(S) supported?

No.

Are SSRF requiring multiple HTTP requests supported?

No.

Are upstream proxies supported?

Yes. HTTP, HTTPS and SOCKS proxies are supported.

Is it possible to chain multiple SSRF together?

Yes, SSRF Proxy can be specified as an upstream HTTP proxy to another instance of SSRF Proxy with --proxy from the command line.

Using the Ruby library, this could be achieved by making use of SSRFProxy::HTTP with the proxy option. It is not possible to use a SSRFProxy::HTTP object directly as a proxy in Net::HTTP::Proxy.

Clone this wiki locally