SKILL: Server-Side Request Forgery (SSRF) — Expert Attack Playbook

AI LOAD INSTRUCTION

Expert SSRF techniques. Covers URL filter bypass, cloud metadata endpoints, protocol exploitation, blind SSRF detection, and chaining to RCE. Base models know basic 169.254.169.254 — this file covers what they miss. For real-world CVE chains, DNS Rebinding deep dives, K8s SSRF, and SSRF → Redis → RCE full exploitation, load the companion SCENARIOS.md . 0. QUICK START Extended Scenarios Also load SCENARIOS.md when you need: WebLogic SSRF (CVE-2014-4210) — uddiexplorer/SearchPublicRegistries.jsp + operator parameter + %0D%0A CRLF to inject Redis commands SSRF → internal Redis → write crontab reverse shell complete payload chain DNS Rebinding deep dive — TTL=0 trick, initial-legit→second-internal resolution, rbndr.us service Kubernetes SSRF (CVE-2020-8555) and bypass (CVE-2020-8562) via DNS rebinding SSRF through PDF/screenshot generators —