CTR DOCs DEEP DIVE


The Gopher Protocol

Gopher is a protocol that predates the Web. Although it is no longer used for its original purpose, it remains dangerously relevant to the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities.

1991: Gopher is created at the University of Minnesota.
Late 1990s: The Web makes Gopher obsolete for public use.
2010s - Present: Gopher is "rediscovered" by security researchers as a powerful tool for SSRF exploitation.

Why Gopher is Dangerous in SSRF Attacks

An SSRF vulnerability allows an attacker to trick a server into making an arbitrary network request. The danger of Gopher lies in its simplicity. Unlike HTTP, a `gopher://` URL allows an attacker to specify the exact raw bytes to be sent to a target IP and port. This turns a simple "URL fetching" vulnerability into a tool for speaking plain-text protocols such as Redis or SMTP, or for reaching internal admin panels.

Example Attack Scenario

An attacker provides the following URL to an application vulnerable to SSRF:

`gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aFLUSHALL%0d%0a`

If the server's library supports Gopher, it will connect to the local Redis database (port 6379) and send the raw `FLUSHALL` command, which wipes all data.

Defensive Measures: The most effective defense is a protocol allowlist. When your application fetches URLs, explicitly allow only `http` and `https`. Deny all other protocols by default. Network segmentation, which firewalls web servers from internal services, is also a critical defense-in-depth measure.
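The protocol allowlist described above, as an added Python example (not code from this page or from any particular library). It also decodes the selector of a rejected `gopher://` URL so the bytes it carried can be logged for triage; the names `check_fetch_url`, `gopher_selector_bytes` and `triage` are hypothetical.

```python
from urllib.parse import urlsplit, unquote_to_bytes

ALLOWED_SCHEMES = {"http", "https"}  # everything else is denied by default

# The URL from the attack scenario above, used here as sample input.
SAMPLE = "gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aFLUSHALL%0d%0a"


class DisallowedURL(ValueError):
    """A user-supplied URL failed the protocol allowlist."""


def check_fetch_url(url: str) -> str:
    """Return the URL if its scheme is allowlisted and it names a host, else raise."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise DisallowedURL(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise DisallowedURL("URL has no host")
    return url.strip()


def gopher_selector_bytes(url: str) -> bytes:
    """Decode the selector bytes carried by a gopher:// URL, for log triage.

    The character right after the first slash is the gopher item type
    ('_' in SAMPLE); it is not part of the selector.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    selector = parts.path[2:]
    if parts.query:  # urlsplit splits on '?'; keep it as part of the selector
        selector += "?" + parts.query
    return unquote_to_bytes(selector)


def triage(url: str) -> dict:
    """Allow-or-deny decision plus decoded payload for rejected gopher URLs."""
    try:
        check_fetch_url(url)
        return {"allowed": True, "payload": None}
    except DisallowedURL as exc:
        payload = None
        if urlsplit(url).scheme.lower() == "gopher":
            payload = gopher_selector_bytes(url)
        return {"allowed": False, "reason": str(exc), "payload": payload}
```

Run the same check on every redirect target before following it, so that an allowed `http` URL cannot hand the fetcher off to another scheme.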
