A somewhat curated list of links to various topics in application security.
| Link | Excerpt |
|---|---|
| Story of a really cool SSRF bug. | Hello all! My name is Vedant, also known as Vegeta(on twitter). I’m a cybersecurity enthusiast and a bug bounty hunter. This is my first write-up of 2021. This write-up is about a SSRF vulnerability that allowed me to access the AWS metadata of the target company. So let’s get started, |
| $10000 Facebook SSRF — Bug Bounty | This is a write-up about a SSRF vulnerability I found on Facebook. The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network. |
| A Glossary of Blind SSRF Chains | What is Server Side Request Forgery (SSRF)? Server Side Request Forgery occurs when you can coerce a server to make arbitrary requests on your behalf. As the requests are being made by the server, it may be possible to access internal resources due to where the server is positioned in the network. |
| Exploiting an SSRF: Trials and Tribulations | I mostly wanted to share this post not because it’s a novel and unique attack, but to show the thought process of attacking this particular functionality, and understanding how the system works to identify what would and would not work. |
| SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 | What is SSRF? Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. |
| The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! | Hi Guys,Back with an interesting hack that I was eagerly waiting to get the writeup to publish. This hack is about a chain of vulnerabilities which includes multiple bypasses in a various different layer which finally lead to access of AWS credentials in India’s biggest stock broker company. |
| Bypassing SSRF Protection | Ok. So you’ve found a feature on a web application that fetches external resources. You’re able to pull content from all sorts of external sites and there doesn’t seem to be any restrictions on the file type that you can request… The application displays everything right back at you. |
| How i found an SSRF in Yahoo! Guesthouse (Recon Wins) | As i said before sharing is caring, here i am describing one of my findings that was closed 2 weeks ago in yahoo Guesthouse https://gh.bouncer.login.yahoo.com/ and i am describing in details, how recon helped me finding a vulnerable endpoint where i achieved the SSRF. |
| Vimeo SSRF with code execution potential. | Recently i discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how i found & exploited it. So lets get started. Vimeo provides an API console for their API called API Playground, The requests made using this web app is done from server side. |
| [bugbounty] A Simple SSRF | I was working on a private program which i cannot disclose First of all, its web assets have several subdomains. After I tested it for a while, I plan to look at the mac client. The mac client has an chat interface where i found a SSRF. |
| SSRF in the Wild | This is an analysis of publicly disclosed SSRF vulnerabilities. I will go into where these vulnerabilities were found, the criticality of these bugs, and the fixes implemented by the vendor after the report. |
| PDFReacter SSRF to ROOT Level Local File Read which led to RCE | What is PDFReacter? - PDFReacter is a parser which parses HTML content from HTML to PDF. While testing an application i have identified that an application is using the PDFReacter parser. |
| AWS takeover through SSRF in JavaScript | Here is the story of a bug I found in a private bug bounty program on Hackerone. It took me exactly 12h30 -no break- to find it, exploit and report. |
| Redirecting | |
| Server Side Request Forgery (SSRF) Testing | Well this story is just for fun testing SSRF not a bounty write up. I found a random web that vulnerable to SSRF but in order to exploit it i should convert my input to base64. Here is the site http://playfreedownloadgames.com:2483/proxy. |
| How i converted SSRF TO XSS in jira. | Before i start Acunetix does Subdomain scans so just set the time out to 20 and you will get a really big list with banners and response headers. (it does the half of the work for you.) |
| How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! | Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. |
