SSRF Payload Generator for fuzzing PDF Generators etc...
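Summary: introduces an SSRF payload generator tool that produces many kinds of SSRF attack payloads, supports multiple encodings and template combinations, and is suited to testing PDF generators and similar scenarios. The user enters a target URL, generates the payloads and copies them into Burp Suite. The tool has no tracking or ads. 2025-12-5 13:26:43 Author: www.reddit.com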

Hi, during my work as a pentester, we have developed internal tooling for different types of tests. We thought it would be helpful to release a web version of our SSRF payload generator which has come in handy many times.

It is particularly useful for testing PDF generators when HTML tags may be inserted in the final document. We're aiming for a similar feel to PortSwigger's XSS cheat sheet. The generator includes various payload types for different SSRF scenarios with multiple encoding options.

It works by combining different features like schemes (dict:, dns:, file:, gopher:, etc.) with templates (<img src="{u}">, <meta http-equiv="refresh" content="0;url={u}">, etc.), and more stuff like local files and static hosts. The result is a large number of payloads to test.

Enter your target URL for callbacks, click "Generate Payloads", then copy everything to the clipboard and paste into Burp. Note that there are a number of predefined hosts as well, like 127.0.0.1.

No tracking or ads on the site, everything is client-side.

Best Regards!

Edit: holy s**t the embed image is large
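
The defender's side of what the post describes, as an added example that is not code from the post or its tool: a pre-render check that walks the HTML handed to a PDF generator and reports every URL whose scheme or host the renderer should refuse to fetch. The http/https-only policy, the names `url_problem`, `FetchAudit` and `audit_html`, and the sample markup are assumptions made for this illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the renderer only needs web fetches
URL_ATTRS = ("src", "href", "data", "poster", "action")
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
NUMERIC_HOST = re.compile(r"^(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+))*$", re.I)

def url_problem(url):
    """Return why the renderer must not fetch url, or None if it passes."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # also rejects relative URLs
        return "scheme %r not allowed" % parts.scheme
    host = (parts.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return "missing or loopback host name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Numeric but not canonical: refuse rather than guess how the fetcher parses it.
        return "non-canonical numeric host" if NUMERIC_HOST.match(host) else None
    internal = ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
    return "internal address %s" % ip if internal else None

class FetchAudit(HTMLParser):  # collects (tag, url, reason) for every URL that fails
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        urls = [v for k, v in attrs if k in URL_ATTRS and v]  # duplicates included
        meta = dict(attrs)
        if tag == "meta" and (meta.get("http-equiv") or "").lower() == "refresh":
            urls += REFRESH_URL.findall(meta.get("content") or "")[:1]
        self.findings += [(tag, u, r) for u in urls if (r := url_problem(u))]

def audit_html(html):
    parser = FetchAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample built from the schemes, templates and host named in the post.
SAMPLE = ('<img src="https://cdn.example.com/logo.png"><img src="file:///srv/app/settings.ini">'
          '<meta http-equiv="refresh" content="0;url=gopher://127.0.0.1:70/"><img src="http://127.0.0.1/">')
```

`audit_html(SAMPLE)` returns three findings and lets the CDN image through. DNS names pass this static check, so the address they resolve to still has to be validated at fetch time, on every redirect hop.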


Source: https://www.reddit.com/r/netsec/comments/1pev0mu/ssrf_payload_generator_for_fuzzing_pdf_generators/