appsec.fyi

A somewhat curated list of links to various topics in application security.

Server-Side Request Forgery (SSRF)

LinkExcerpt
Top 25 Vulnerability Parameters based on frequencyFor basic researches, top 25 vulnerable parameters based on frequency of use with reference to various articles. These parameters can be used for automation tools or manual recon.
A Glossary of Blind SSRF ChainsWhat is Server Side Request Forgery (SSRF)? Server Side Request Forgery occurs when you can coerce a server to make arbitrary requests on your behalf. As the requests are being made by the server, it may be possible to access internal resources due to where the server is positioned in the network.
A Pentester’s Guide to Server Side Request Forgery (SSRF)What is SSRF? In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL, which the code running on the server will read or submit data.
Exploiting an SSRF: Trials and TribulationsI mostly wanted to share this post not because it’s a novel and unique attack, but to show the thought process of attacking this particular functionality, and understanding how the system works to identify what would and would not work.
Bypassing SSRF ProtectionOk. So you’ve found a feature on a web application that fetches external resources. You’re able to pull content from all sorts of external sites and there doesn’t seem to be any restrictions on the file type that you can request… The application displays everything right back at you.
SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1What is SSRF? Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application.
How i found an SSRF in Yahoo! Guesthouse (Recon Wins)As i said before sharing is caring, here i am describing one of my findings that was closed 2 weeks ago in yahoo Guesthouse https://gh.bouncer.login.yahoo.com/ and i am describing in details, how recon helped me finding a vulnerable endpoint where i achieved the SSRF.
Vimeo SSRF with code execution potential.Recently I discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how I found & exploited it. So let's get started. Vimeo provides an API console for their API called API Playground, The requests made using this web app is done from server-side.
SSRF (Server Side Request Forgery) testing resourcesStatus codes: 300, 301, 302, 303, 305, 307, 308
Multiple HTTP Redirects to Bypass SSRF ProtectionsI needed to utilize many known SSRF techniques at once to successfully exploit many endpoints in the same company. After discovering away, I applied it to all functionalities that use attacker-controlled URLs and found 2 blind and 1 full read SSRFs.
SSRF vulnerabilities and where to find themServer-Side Request Forgery (SSRF) occurs when an application accepts a URL (or partial URL) from the user, then accesses that URL from the server. It’s important to note that SSRF is only a vulnerability if there is some security impact.
What is Server-Side Request Forgery (SSRF)?Server-side request forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network.
This one trick will exploit URL parsers to perform SSRFIn this write up, I will be detailing my thought process and solution to the Hack the Box (HTB) web challenge: Weather App. I learned main pieces of how to do such an exploit from the presentation: A New Era of SSRF — Exploiting URL Parser in Trending Programming Languages! by Orange Tsai.
Story of a really cool SSRF bug.Hello all! My name is Vedant, also known as Vegeta(on twitter). I’m a cybersecurity enthusiast and a bug bounty hunter. This is my first write-up of 2021. This write-up is about a SSRF vulnerability that allowed me to access the AWS metadata of the target company. So let’s get started,
$10000 Facebook SSRF — Bug BountyThis is a write-up about a SSRF vulnerability I found on Facebook. The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise!Hi Guys,Back with an interesting hack that I was eagerly waiting to get the writeup to publish. This hack is about a chain of vulnerabilities which includes multiple bypasses in a various different layer which finally lead to access of AWS credentials in India’s biggest stock broker company.
Vimeo SSRF with code execution potential.Recently i discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how i found & exploited it. So lets get started. Vimeo provides an API console for their API called API Playground, The requests made using this web app is done from server side.
[bugbounty] A Simple SSRF
SSRF in the WildThis is an analysis of publicly disclosed SSRF vulnerabilities. I will go into where these vulnerabilities were found, the criticality of these bugs, and the fixes implemented by the vendor after the report.
From SSRF To RCE in PDFReacterWhat is PDFReacter? - PDFReacter is a parser which parses HTML content from HTML to PDF. While testing an application I have identified that an application is using the PDFReacter parser.
AWS takeover through SSRF in JavaScriptHere is the story of a bug I found in a private bug bounty program on Hackerone. It took me exactly 12h30 -no break- to find it, exploit and report.
Into the Borg – SSRF inside Google production networkIn March 2018, I reported an XSS in Google Caja, a tool to securely embed arbitrary html/javascript in a webpage. In May 2018, after the XSS was fixed, I realised that Google Sites was using an unpatched version of Google Caja, so I looked if it was vulnerable to the XSS.
Server Side Request Forgery (SSRF) TestingWell this story is just for fun testing SSRF not a bounty write up. I found a random web that vulnerable to SSRF but in order to exploit it i should convert my input to base64. Here is the site http://playfreedownloadgames.com:2483/proxy.
How i converted SSRF TO XSS in jira.Before i start Acunetix does Subdomain scans so just set the time out to 20 and you will get a really big list with banners and response headers. (it does the half of the work for you.) Now, i een through lots of subdomains and i was specifically looking for any jira environment , and i found one.
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences.