1.5 KiB
1.5 KiB
Bypassing SSRF Defenses
It is common to see applications containing SSRF behavior together with defenses aimed at preventing malicious exploitation. Often, these defenses can be circumvented.
Bypassing Blacklist-Based Input Filters
-
Applications often block input containing hostnames (127.0.0.1) or URLs (/admin)
-
Bypass in these ways:
- Use an alternative IP representation of 127.0.0.1 (21307066433)
- Register your own domain that resolves to 127.0.0.1 (spoofed.burpcollaborator.net)
- Obfuscate block strings using URL encoding or case variation
Bypassing Whitelist-Based Input Filters
- Embed creds in a URL before the hostname:
https://expected-host@evil
-host
- Use the # character to indicate a URL fragment:
https://evil-
host#expected-host
- Leverage DNS naming hierarchy to place required input into a fully-qualified DNS name you control:
https://expected-host.evil
-host
-
URL-encode characters to confuse the URL-parsing code
-
Combine these various techniques together
Bypassing with Open Redirection
- Suppose the following is true:
- User-submitted URL is strictly validated
- Application contains an open redirection vulnerability
- Construct a URL that meets the filter but redirects to a back-end target
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://1
92.168.0.68/admin