48 lines
1.5 KiB
Markdown
48 lines
1.5 KiB
Markdown
|
|
## Bypassing SSRF Defenses
|
|
|
|
It is common to see applications containing SSRF behavior together with defenses aimed at preventing malicious exploitation. Often, these defenses can be circumvented.
|
|
|
|
Bypassing Blacklist-Based Input Filters
|
|
- Applications often block input containing hostnames (127.0.0.1) or URLs (/admin)
|
|
|
|
- Bypass in these ways:
|
|
- Use an alternative IP representation of 127.0.0.1 (21307066433)
|
|
- Register your own domain that resolves to 127.0.0.1 (spoofed.burpcollaborator.net)
|
|
- Obfuscate block strings using URL encoding or case variation
|
|
|
|
Bypassing Whitelist-Based Input Filters
|
|
```
|
|
- Embed creds in a URL before the hostname:
|
|
https://expected-host@evil
|
|
-host
|
|
```
|
|
|
|
- Use the # character to indicate a URL fragment:
|
|
```
|
|
https://evil-
|
|
host#expected-host
|
|
```
|
|
|
|
- Leverage DNS naming hierarchy to place required input into a fully-qualified DNS name you control:
|
|
```
|
|
https://expected-host.evil
|
|
-host
|
|
```
|
|
|
|
- URL-encode characters to confuse the URL-parsing code
|
|
|
|
- Combine these various techniques together
|
|
|
|
Bypassing with Open Redirection
|
|
- Suppose the following is true:
|
|
- User-submitted URL is strictly validated
|
|
- Application contains an open redirection vulnerability
|
|
- Construct a URL that meets the filter but redirects to a back-end target
|
|
```
|
|
POST /product/stock HTTP/1.0
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 118
|
|
stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://1
|
|
92.168.0.68/admin
|
|
``` |