SSRF – Page 4 – WindowsTechs.com

What measures can be taken to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?

Posted on April 20, 2020 by I. Raleigh

If I have a an application server that uses an implementation of JAX-RS, and is running as *.war file on an Apache Tomcat server, is there anything special that needs to be done or configured to prevent SSRF attacks?

My naive understandin… Continue reading What measures can be taken to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?→

Appending user input to a url

Posted on March 6, 2020 by Command Master

Is the following code vulnerable to redirection to another site – is there a way to append something to a trusted url to make it go to an unstrusted location?

get(‘/assets/share?code=’+user_input)

Continue reading Appending user input to a url→

Why does Portswigger’s solution to the lab "SSRF with whitelist-based input filter" work?

Posted on March 3, 2020 by Kevin1923851823

The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter

The solution is:
http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos

A little simplified (no port specified):… Continue reading Why does Portswigger’s solution to the lab "SSRF with whitelist-based input filter" work?→

SSRF Blacklist bypass using DNS Rebinding for Java Servers

Posted on February 11, 2020 by Ehack2

I was able to bypass SSRF blacklist filter in a PHP server using DNS rebinding.However, when I tried the same for Java servers, I wasn’t able to do it. The reason being, in Java servers the JVM maintains a DNS cache which stays for 10 seco… Continue reading SSRF Blacklist bypass using DNS Rebinding for Java Servers→

SSRF to RCE or get it to print the out of file://?

Posted on November 26, 2019 by Patel

Some site I am testing that retrieves data from some url, I could backconnect using ldaps://ip:port/

I tried wrappers like ldap://, dict:// but only ldaps seem to work.

Also expect:// seem disabled, same as sftp://

The sit… Continue reading SSRF to RCE or get it to print the out of file://?→

Is it safe to let users enter a URL in my app that queries an external REST api?

Posted on November 26, 2019 by Adam Johnston

Is it safe to let users enter in a URL in a field in my application where the backend of the application will go fetch the data for them via the URL they provided?

To clarify, the idea was to allow users to enter a URL insid… Continue reading Is it safe to let users enter a URL in my app that queries an external REST api?→

Burp: Out Of band resource load

Posted on October 16, 2019 by mk_

I scanned a web app using Burp and it reported this vulnerability. When I click on the issue it show this request and response:

Request:

GET / HTTP/1.1

Host: xxxxx.burpcollaborator.net

Pragma: no-cache

Cache-Control: no… Continue reading Burp: Out Of band resource load→

Secure AWS instance metadata against potential SSRF

Posted on August 10, 2019 by Raimonds Liepiņš

I am running a Windows instance on AWS.

The instance has an IIS service running on it.

The IIS service has a user associated to it and it has no need to access the AWS instance metadata.

I was reading up on
https://aws…. Continue reading Secure AWS instance metadata against potential SSRF→

What We Can Learn from the Capital One Hack

Posted on August 2, 2019 by BrianKrebs

On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years. Continue reading What We Can Learn from the Capital One Hack→

How to exploit SVG xlink-based SSRF

Posted on May 29, 2019 by Jack

First, let me summarize how the SSRF works:

1) You setup an SVG image with a reference to your server via xlink. Here’s an example that works:

<?xml version=”1.0″ encoding=”UTF-8″ standalone=”no”?><svg xmlns:svg=”http://www.w3.o… Continue reading How to exploit SVG xlink-based SSRF→