Collaborate Disseminate
I am pentesting an API which makes a backend call to https://example.org/ and appends any input you provide it (for example, if you provide test it will call https://example.org/test). I am trying to achieve SSRF in this scenario, so my go… Continue reading Hijacking URL that ends with a trailing slash
Amazon Simple Storage Service, or S3, is a popular service that many developers today rely on to quickly build applications. Over time, S3 has become a popular target for attackers, resulting in a large number of data leaks. Most of them, such as the … Continue reading Understanding and Preventing S3 Leaks
A webapp has an img tag that partially takes userinput like so:
<img src="/blah/blah/$USERINPUT.jpg">
where the first / is from the root of the domain.
Could there be a vulnerability here? Potentially using ../ and then at… Continue reading Possible SSRF in image tag that takes (partial) user input?
I am currently studying regarding SSRF. I noticed that an injection vector where SSRF might be present is always parameters that is related to url (Importing image using URL, others). I have encountered a couple of endpoints where request … Continue reading SSRF Through Image Url
Researchers went into detail about the discovery and disclosure of 19 security flaws they found in Mercedes-Benz vehicles, which have all been fixed. Continue reading Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs
I recently came across an application that was vulnerable to HTML injection on the invite function. When I insert <img src="image.jpg"> the image got rendered on the mail I received.
I decided to test for blind ssrf out of … Continue reading HTML Injection to blind SSRF testing retrieves only DNS Query
If I have a an application server that uses an implementation of JAX-RS, and is running as *.war file on an Apache Tomcat server, is there anything special that needs to be done or configured to prevent SSRF attacks?
My naive understandin… Continue reading What measures can be taken to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?
Is the following code vulnerable to redirection to another site – is there a way to append something to a trusted url to make it go to an unstrusted location?
get(‘/assets/share?code=’+user_input)
The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter
The solution is:
http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos
A little simplified (no port specified):… Continue reading Why does Portswigger’s solution to the lab "SSRF with whitelist-based input filter" work?
I was able to bypass SSRF blacklist filter in a PHP server using DNS rebinding.However, when I tried the same for Java servers, I wasn’t able to do it. The reason being, in Java servers the JVM maintains a DNS cache which stays for 10 seco… Continue reading SSRF Blacklist bypass using DNS Rebinding for Java Servers