
SSRF

Encoding

Encode the IP address.

  • You can encode single octets

Online converters:

You can check how the local resolver parses these notations with ping:

$ ping 2130706433
PING 2130706433 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.047 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.110 ms

Another example from an X post (the pings time out for some reason, but notice that the 0251 in the first octet is read as octal and becomes 169):

$ ping 0251.254.169.254
PING 0251.254.169.254 (169.254.169.254): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Ref: X/@thedawgyg 

Redirects

  • Multiple redirects

Set up a simple PHP redirect script that redirects the request back to the same endpoint several times before finally sending it to the target IP/host.

Ref: X/@thedawgyg 

TOCTOU

TOCTOU = Time of Check / Time of Use

This requires the server to resolve and check the DNS record of the supplied domain before using it.

During the check, the attacker-controlled domain attack.example.com has a DNS record, say an A record pointing to 1.1.1.1.

Then, once the server has made its first request for validation, quickly change the DNS record to an attacker-controlled IP, or to the target IP, like 127.0.0.1.

During use, the record has already changed (2.2.2.2 in this illustration), so the hostname that passed validation now resolves somewhere else.

Ref: X/@thedawgyg 

Change HTTP version

Downgrading the HTTP version might help to bypass some filters.

  • HTTP/1.1
  • HTTP/1.0
  • HTTP/0.9

Ref: X/@thedawgyg 

DNS Rebinding

Create a hostname pointing to 127.0.0.1 or another internal IP

  • attacker.example.com -> 127.0.0.1

Here, example.com is on the allowlist, so the subdomain passes a hostname-suffix check while resolving to an internal address.
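Added example, not code from this page or from the referenced posts: a Python outbound fetcher that addresses the Redirects, TOCTOU and DNS Rebinding sections together. It resolves the hostname once per hop, refuses the request if any returned record is non-global, connects to that validated address (passing the original hostname separately for the Host header) so that the address checked is the address used, and re-runs the whole check on every redirect under a hop cap. The resolver and transport are injectable stand-ins so it runs offline; `build_fixture()` constructs a fake DNS answer that flips from 1.1.1.1 to 127.0.0.1 after the first lookup and a fake server with a self-redirect loop. All names and signatures are my own.

```python
"""Outbound fetcher that re-validates on every hop and pins the address it checked."""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Hypothetical injectable interfaces so the example runs offline:
#   resolver(hostname) -> list of address strings (stand-in for getaddrinfo)
#   transport(ip, host, path) -> (status, lowercase headers, body)
#   The transport connects to `ip` and sends `host` in the Host header.
Resolver = Callable[[str], List[str]]
Transport = Callable[[str, str, str], Tuple[int, Dict[str, str], bytes]]

MAX_REDIRECTS = 3


class BlockedRequest(Exception):
    """Raised when a hop fails validation or the redirect budget is exhausted."""


def validated_address(host: str, resolver: Resolver) -> str:
    """Resolve once and return the address to connect to.

    Every returned record must be globally routable; a single internal record
    (e.g. a second A record for 127.0.0.1) blocks the whole host.  IP literals
    are checked directly without a lookup.
    """
    try:
        records = [str(ipaddress.ip_address(host))]
    except ValueError:
        records = resolver(host)
    if not records:
        raise BlockedRequest(f"{host}: no address")
    for rec in records:
        ip = ipaddress.ip_address(rec)
        if not ip.is_global or ip.is_multicast:
            raise BlockedRequest(f"{host}: resolves to non-global {ip}")
    return records[0]


def safe_get(url: str, resolver: Resolver, transport: Transport,
             max_redirects: int = MAX_REDIRECTS):
    """Fetch url, following at most max_redirects redirects.

    Returns (status, body, hops) where hops lists (hostname, pinned_ip) per hop.
    """
    hops: List[Tuple[str, str]] = []
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise BlockedRequest(f"unsupported URL {url!r}")
        # Check and use share one DNS answer: the address validated here is the
        # address the transport connects to, so a record change between the two
        # (the TOCTOU described in the text) cannot move the destination.
        ip = validated_address(parts.hostname, resolver)
        hops.append((parts.hostname, ip))
        status, headers, body = transport(ip, parts.hostname, parts.path or "/")
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # next hop is validated from scratch
            continue
        return status, body, hops
    raise BlockedRequest(f"more than {max_redirects} redirects")


def is_blocked(url: str, resolver: Resolver, transport: Transport) -> bool:
    """True if safe_get refuses the URL (convenience for checks and tests)."""
    try:
        safe_get(url, resolver, transport)
    except BlockedRequest:
        return True
    return False


def build_fixture():
    """Constructed offline DNS and HTTP stand-ins (no real network traffic)."""
    answers = {
        # attack.example.com: 1.1.1.1 at check time, 127.0.0.1 on the next lookup
        "attack.example.com": [["1.1.1.1"], ["127.0.0.1"]],
        "redirector.example.com": [["2.2.2.2"]],
        "api.example.com": [["1.1.1.1"]],
    }

    def resolver(host: str) -> List[str]:
        queue = answers.get(host, [[]])
        return queue.pop(0) if len(queue) > 1 else queue[0]

    routes = {
        "/": (200, {}, b"hello"),
        "/loop": (302, {"location": "/loop"}, b""),  # redirects to itself
        "/to-internal": (302, {"location": "http://127.0.0.1/admin"}, b""),
        "/to-api": (302, {"location": "http://api.example.com/v1"}, b""),
        "/v1": (200, {}, b"ok"),
    }
    connected: List[Tuple[str, str, str]] = []

    def transport(ip: str, host: str, path: str):
        connected.append((ip, host, path))
        return routes.get(path, (404, {}, b""))

    return resolver, transport, connected


if __name__ == "__main__":
    resolver, transport, connected = build_fixture()
    print(safe_get("http://attack.example.com/", resolver, transport))
    print("second lookup blocked:", is_blocked("http://attack.example.com/", resolver, transport))
    print("loop blocked:", is_blocked("http://redirector.example.com/loop", resolver, transport))
```

Two design points: the hop list doubles as an audit log of which address each hostname was pinned to, which is what you want in the request log when investigating a suspected SSRF; and a redirect to a non-global IP literal is refused by the same `validated_address` path as a hostname, so the redirect trick from the Redirects section ends at the first internal hop.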

Simplify the IP

  • 127.0.0.1 -> 127.1

Check subdomain’s DNS records

Once, I had localhost.example.com that resolved to 127.0.0.1. This could’ve been abused for SSRF on that target.

Or try for a subdomain takeover, which is a whole other vulnerability.
