SSRF Test Servers
Note: Verizon Media is now known as Yahoo.
They're finally here!!!! (but only in http format for now, ssl is coming soon)
If you think you've got an SSRF attack against our network, please use these two groups of servers to prove it to us. There's a whole bunch of different file formats on these servers and they're all identical. To prove your SSRF, please send your attacks in a way that attempt to read or write content to/from one of these servers in each network segment (Prod + Corp). The difference between each host within each category is just their geolocation, which in most circumstances does not matter what you target.
Files to target take the filename format of <extension>_###.<extension>. For example: txt_001.txt and zip_001.zip. We've put up a bunch of different file formats that can be targeted for your testing needs.
File types available include: avi, bmp, css, csv, doc, docx, dtd, ics, jar, json, md, mkv, mov, mp3, mp4, odp, ods, odt, ogg, pdf, php, rss, svg, tiff, txt, wav, wmv, xls, xlsx, xml, xsl, zip
We’ve also set the 404 error page to show you that you’ve hit the bananastand and not just some other unknown host: <html>...404 no bananas for you!...</html>
When testing, it would be super helpful if (along with the file you pull down) you try to fetch http://<hostname>/hackerone-<username> so that we can identify your activity in the logs more easily.
When submitting a report (in addition to all the usual details) please make sure to:
- Attach a copy of the file you fetched.
- Include the timestamp you fetched the file.
- Note the SSRF server that you fetched the file from.
The Fine Print
If you can’t hit these servers but can hit something else inside our network you must provide a working POC and understand that we will individually evaluate impact of the host you tested with.
We reserve the right to award a $0 bounty for any SSRF (or similar) reports that are not able to touch these servers.
Also, we will periodically review the logs on these servers and may reach out to hackers that have hit the server but not submitted a report. If this happens, you will be eligible for a maximum award of 10% for the report.