appsec.fyi

A somewhat curated list of links to various topics in application security.

Server-Side Request Forgery (SSRF)

LinkExcerpt
A Glossary of Blind SSRF ChainsWhat is Server Side Request Forgery (SSRF)? Server Side Request Forgery occurs when you can coerce a server to make arbitrary requests on your behalf. As the requests are being made by the server, it may be possible to access internal resources due to where the server is positioned in the network.
Story of a really cool SSRF bug.Hello all! My name is Vedant, also known as Vegeta(on twitter). I’m a cybersecurity enthusiast and a bug bounty hunter. This is my first write-up of 2021. This write-up is about a SSRF vulnerability that allowed me to access the AWS metadata of the target company. So let’s get started,
$10000 Facebook SSRF — Bug BountyThis is a write-up about a SSRF vulnerability I found on Facebook. The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.
Exploiting an SSRF: Trials and TribulationsI mostly wanted to share this post not because it’s a novel and unique attack, but to show the thought process of attacking this particular functionality, and understanding how the system works to identify what would and would not work.
SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1What is SSRF? Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application.
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise!Hi Guys,Back with an interesting hack that I was eagerly waiting to get the writeup to publish. This hack is about a chain of vulnerabilities which includes multiple bypasses in a various different layer which finally lead to access of AWS credentials in India’s biggest stock broker company.
Bypassing SSRF ProtectionOk. So you’ve found a feature on a web application that fetches external resources. You’re able to pull content from all sorts of external sites and there doesn’t seem to be any restrictions on the file type that you can request… The application displays everything right back at you.
How i found an SSRF in Yahoo! Guesthouse (Recon Wins)As i said before sharing is caring, here i am describing one of my findings that was closed 2 weeks ago in yahoo Guesthouse https://gh.bouncer.login.yahoo.com/ and i am describing in details, how recon helped me finding a vulnerable endpoint where i achieved the SSRF.
Vimeo SSRF with code execution potential.Recently i discovered a semi responded SSRF on Vimeo with code execution possibility. This blog post explains how i found & exploited it. So lets get started. Vimeo provides an API console for their API called API Playground, The requests made using this web app is done from server side.
[bugbounty] A Simple SSRFI was working on a private program which i cannot disclose First of all, its web assets have several subdomains. After I tested it for a while, I plan to look at the mac client. The mac client has an chat interface where i found a SSRF.
SSRF in the WildThis is an analysis of publicly disclosed SSRF vulnerabilities. I will go into where these vulnerabilities were found, the criticality of these bugs, and the fixes implemented by the vendor after the report.
From SSRF To RCE in PDFReacterWhat is PDFReacter? - PDFReacter is a parser which parses HTML content from HTML to PDF. While testing an application I have identified that an application is using the PDFReacter parser.
AWS takeover through SSRF in JavaScriptHere is the story of a bug I found in a private bug bounty program on Hackerone. It took me exactly 12h30 -no break- to find it, exploit and report.
Into the Borg – SSRF inside Google production networkIn March 2018, I reported an XSS in Google Caja, a tool to securely embed arbitrary html/javascript in a webpage. In May 2018, after the XSS was fixed, I realised that Google Sites was using an unpatched version of Google Caja, so I looked if it was vulnerable to the XSS.
Server Side Request Forgery (SSRF) TestingWell this story is just for fun testing SSRF not a bounty write up. I found a random web that vulnerable to SSRF but in order to exploit it i should convert my input to base64. Here is the site http://playfreedownloadgames.com:2483/proxy.
How i converted SSRF TO XSS in jira.Before i start Acunetix does Subdomain scans so just set the time out to 20 and you will get a really big list with banners and response headers. (it does the half of the work for you.) Now, i een through lots of subdomains and i was specifically looking for any jira environment , and i found one.
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences.