Collaborate Disseminate
Say I’ve found a perfect SSRF vulnerability in a web application that lets me send web requests to any URL, any host, any port, any scheme. I can use the file:// scheme to get the contents of local files, such as file:///C:/Windows/win.ini… Continue reading Uploading/writing server files via SSRF?
Suppose I was able to bypass CSRF check. I was able to forge any GET request and make it look like it was issued by the user himself. Is the web application vulnerable to somehow to ‘Client-side’ Request Forgery attack ? How may I exploit… Continue reading What exploit possible when GET request are forged as internal?
There is a url abc.com/something vulnerable to open redirect to xyz.com (fixed)
I am catching requests at xyz.com to see contents of requests coming to it.
When I browse abc.com/something (being logged in to abc.com) from a browser, then … Continue reading What is the difference when a request is made to an open redirect vulnerable url though a browser and through the server using ssrf?
I am pentesting a web application. It makes a backend call to another application, and I am trying to hijack that call.
I have gained control over the URL path, query parameters, and fragment that is being sent (e.g. if the URL is https://… Continue reading Is there any way to get a unicode character that has a byte of 23?
I am pentesting an API which makes a backend call to https://example.org/ and appends any input you provide it (for example, if you provide test it will call https://example.org/test). I am trying to achieve SSRF in this scenario, so my go… Continue reading Hijacking URL that ends with a trailing slash
Amazon Simple Storage Service, or S3, is a popular service that many developers today rely on to quickly build applications. Over time, S3 has become a popular target for attackers, resulting in a large number of data leaks. Most of them, such as the … Continue reading Understanding and Preventing S3 Leaks
A webapp has an img tag that partially takes userinput like so:
<img src="/blah/blah/$USERINPUT.jpg">
where the first / is from the root of the domain.
Could there be a vulnerability here? Potentially using ../ and then at… Continue reading Possible SSRF in image tag that takes (partial) user input?
I am currently studying regarding SSRF. I noticed that an injection vector where SSRF might be present is always parameters that is related to url (Importing image using URL, others). I have encountered a couple of endpoints where request … Continue reading SSRF Through Image Url
Researchers went into detail about the discovery and disclosure of 19 security flaws they found in Mercedes-Benz vehicles, which have all been fixed. Continue reading Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs
I recently came across an application that was vulnerable to HTML injection on the invite function. When I insert <img src="image.jpg"> the image got rendered on the mail I received.
I decided to test for blind ssrf out of … Continue reading HTML Injection to blind SSRF testing retrieves only DNS Query