- [2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1
- [2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-2
- [2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-3
- [2020] - 31k$ SSRF in Google Cloud Monitoring led to metadata exposure
- [2020] - Half-Blind SSRF found in kube/cloud-controller-manager can be upgraded to complete SSRF (fully crafted HTTP requests) in vendor managed k8s service
- [2020] - Full Read SSRF on Gitlab's Internal Grafana
- [2020] - Vulnerabilities in the Openfire Admin Console
- [2020] - How I made $31500 by submitting a bug to Facebook
- [2020] - My expense report resulted in a server-side request forgery (ssrf) on LYFT
- [2020] - [gitlab] SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
- [2020] - Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)
- [2020] - Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint
- [2020] - Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text
- [2020] - Gitlab - Server Side Request Forgery mitigation bypass
- [2019] - SSRF in Azure DevOps Services
- [2019] - Semrush - SSRF In Get Video Contents
- [2019] - SSRF in VCARD photo upload functionality
- [2019] - SSRF - Blacklist bypass for mail account addition
- [2019] - SSRF - RSS feed, blacklist bypass (301 re-direct)
- [2019] - SSRF - RSS feed, blacklist bypass (IP Formatting)
- [2019] - Slack - Bypass of the SSRF protection in Event Subscriptions parameter.
- [2019] - Slack - SSRF in api.slack.com, using slash commands and bypassing the protections.
- [2019] - Omise - SSRF in webhooks leads to AWS private keys disclosure
- [2019] - Unauthenticated blind SSRF in OAuth Jira authorization controller
- [2019] - SSRF in hatchful.shopify.com
- [2019] - SSRF in rompager-check
- [2019] - Gitlab - SSRF in CI after first run
- [2019] - Exploiting SSRF in AWS Elastic Beanstalk
- [2018] - Into the Borg – SSRF inside Google production network
- [2018] - Stored XSS, and SSRF in Google using the Dataset Publishing Language
- [2018] - Rockstar Games - LFI and SSRF via XXE in emblem editor
- [2018] - Just another tale of severe bugs on a private program.
- [2018] - Adminer Script Results to Pwning Server?, Private Bug Bounty Program
- [2018] - From blind XXE to root-level file read access
- [2018] - SSRF on duckduckgo.com/iu/
- [2018] - SSRF in proxy.duckduckgo.com
- [2018] - DNS pinning SSRF
- [2018] - Remote Command Execution in an internal server to get the flag file
- [2018] - SSRF in Cloudflare
- [2018] - Sending Emails from DNSDumpster - Server-Side Request Forgery to Internal SMTP Access
- [2018] - concrete5 - SSRF thru File Replace
- [2018] - Blind SSRF at https://chaturbate.com/notifications/update_push/
- [2018] - SSRF vulnerability in gitlab.com webhook
- [2018] - Blind SSRF on errors.hackerone.net due to Sentry misconfiguration
- [2018] - Piercing the Veil: Server Side Request Forgery to NIPRNet access
- [2018] - SSRF in Exchange leads to ROOT access in all instances - Shopify
- [2018] - SSRF in Jira - Escalation of an SSRF to Local File Read!
- [2018] - SSRF on *shopifycloud.com
- [2017] - From SSRF to Local File Disclosure
- [2017] - Discourse - SSRF in upload IMG through URL
- [2017] - $1.000 SSRF in Slack
- [2017] - A Nifty SSRF Bug Bounty Write Up
- [2017] - SVG Server Side Request Forgery (SSRF)
- [2017] - Rockstar Games - Blind SSRF in emblem editor (2)
- [2016] - SSRF and local file read in video to gif converter
- [2016] - SSRF in https://imgur.com/vidgif/url
- [2015] - Phabricator - SSRF vulnerability (access to metadata server on EC2 and OpenStack)
- [2015] - Dropbox - SSRF vulnerability in app webhooks