# Module 08 — SSRF & Command Injection
Icon: Server | Colour: Indigo
## Overview
Tests for server-side request forgery (SSRF) targeting internal resources and cloud metadata endpoints, as well as operating system command injection.
## How It Works

### SSRF Testing

- Parameter identification — scans 34 URL-accepting parameter names (e.g. `url`, `redirect`, `callback`, `next`, `file`).
- 25+ SSRF payloads — tests with localhost variants, internal IP ranges, and encoding tricks.
- Cloud metadata probes — specifically targets AWS (`169.254.169.254`), GCP, and Azure metadata endpoints.
- Protocol smuggling — tests `file://`, `gopher://`, and other protocol handlers.
- JSON body testing — injects SSRF payloads into JSON request bodies sent to API endpoints.
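The server-side check that closes off the URL classes these tests probe (localhost variants, internal ranges, the `169.254.169.254` metadata address, and `file://` / `gopher://` handlers), as an added example that is not part of this module's own code. The function names, the constructed DNS table and the `resolver` hook are the example's own; `default_resolver` is what real code would use.

```python
"""Added example, not this module's own code: an allow-list validator for
URLs a server fetches on a user's behalf. It rejects non-http(s) schemes,
loopback/private/link-local targets (169.254.169.254 included), IPv4
shorthand such as 127.1 or 2130706433, and IPv4-mapped IPv6. The DNS
table below is constructed so the example runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def literal_ipv4(host):
    """Catch shorthand forms libc accepts but ipaddress does not (127.1,
    decimal 2130706433, hex 0x7f000001) so they cannot slip past a check
    that only understands dotted quads. Returns None if host is not such
    a literal; the platform libc decides which forms parse."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_blocked_address(addr):
    """Block anything not globally routable: loopback, RFC 1918, link-local
    (169.254.0.0/16 holds the cloud metadata endpoint), CGNAT, unspecified
    and reserved space, plus the IPv6 equivalents. IPv4-mapped IPv6
    addresses are unwrapped first so ::ffff:127.0.0.1 is seen as 127.0.0.1."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason); ok only for http(s) URLs whose host resolves
    exclusively to public addresses. The caller should connect to the
    address checked here rather than re-resolving the hostname, or a DNS
    rebind between check and connect defeats the validation."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # plain IPv4/IPv6 literal
    except ValueError:
        lit = literal_ipv4(host)                      # shorthand/decimal/hex literal
        if lit is not None:
            addrs = [lit]
        else:
            try:
                addrs = resolver(host)                # real hostname
            except OSError:
                return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host!r} -> {addr} is not a public address"
    return True, "ok"


# Constructed DNS table (not real records) so the example runs offline.
CONSTRUCTED_DNS = {
    "app.example.test": ["8.8.8.8"],          # stands in for a public address
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "db.corp.internal": ["10.20.30.40"],
}


def constructed_resolver(host):
    """Offline stand-in for default_resolver; raises OSError like getaddrinfo."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[host]]


if __name__ == "__main__":
    for u in ["https://app.example.test/report", "http://localhost/admin",
              "http://metadata.internal/latest/meta-data/", "http://2130706433/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd", "gopher://127.0.0.1:25/"]:
        print(u, validate_outbound_url(u, resolver=constructed_resolver))
```

The check deliberately resolves the hostname itself rather than matching strings, because the encoding tricks and localhost variants this module sends are all different spellings of the same few addresses; deciding on the resolved address makes the spelling irrelevant.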
### Command Injection Testing

- 24+ payloads — uses shell metacharacters (`;`, `|`, `&&`, `` ` ``, `$()`) with test commands.
- Output detection — checks for OS command output in responses.
- Blind time-based detection — sends `sleep` commands and checks for response delays.
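What a positive finding from these checks looks like in code, and its fix, as an added example that is not part of this module: a handler that interpolates request data into a shell string (the injectable form), next to one that validates the value and passes it as a single `argv` element with no shell. The function names are the example's own, and `ping` merely stands in for any command built from request data.

```python
"""Added example, not this module's own code: the command-injection
pattern the checks above detect, shown as a vulnerable handler beside
a hardened one, with the allow-list validation that removes the
metacharacter classes listed above by construction."""
import re
import subprocess

# The operators this module's payloads rely on once input reaches a shell.
SHELL_METACHARS = set(";|&`$()<>\n")

_HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_HOST_LABEL}(?:\.{_HOST_LABEL})*")


def vulnerable_command_line(host):
    """Injectable form: request data is interpolated into a string that a
    shell will parse, so ';', '|', '&&', backticks and '$()' in the
    parameter become shell syntax. Returned rather than executed so it can
    be inspected; the flaw is the later subprocess.run(cmd, shell=True)."""
    return f"ping -c 1 {host}"


def is_safe_host(host):
    """Allow-list validation: only a syntactically valid hostname or IPv4
    literal passes (fullmatch, so a trailing newline is not tolerated).
    Shell metacharacters and a leading '-' that ping could parse as an
    option are excluded by construction, not by a deny-list."""
    return len(host) <= 253 and _HOSTNAME.fullmatch(host) is not None


def build_ping_argv(host):
    """Hardened form: the validated value becomes exactly one argv element
    and no shell is involved, so even a metacharacter that slipped through
    would reach ping as a literal character rather than an operator."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Execute with shell=False (the default for a list): argv reaches
    execve unchanged. The timeout also bounds a sleep-based probe."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout)


def contains_shell_metachars(value):
    """Detection-side helper for request logs or WAF rules: flag parameter
    values carrying the operators this module injects. A hit is a signal
    to review, not proof of injection; the fix is is_safe_host()."""
    return any(c in SHELL_METACHARS for c in value)


if __name__ == "__main__":
    for candidate in ["example.com", "10.0.0.5", "10.0.0.5; id", "$(sleep 5)", "-f"]:
        print(f"{candidate!r}: safe={is_safe_host(candidate)} "
              f"flagged={contains_shell_metachars(candidate)} "
              f"shell_string={vulnerable_command_line(candidate)!r}")
```

The order of defences matters: the `argv` list removes the shell, so the metacharacters stop being operators; the allow-list then removes argument injection (a value such as `-f` that the command itself would interpret as an option), which a list alone does not prevent.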
## Expected Findings
| Finding | Severity |
|---|---|
| SSRF — internal resource access | Critical |
| Command injection (output visible) | Critical |
| Blind command injection (time-based) | Critical |
| SSRF in API body | Critical |
| Cloud metadata SSRF | High |