Appending user input to a url
Is the following code vulnerable to redirection to another site – is there a way to append something to a trusted url to make it go to an untrusted location?
get('/assets/share?code='+user_input)
The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter
The solution is:
http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos
A little simplified (no port specified):… Continue reading Why does Portswigger’s solution to the lab "SSRF with whitelist-based input filter" work?
I was able to bypass SSRF blacklist filter in a PHP server using DNS rebinding. However, when I tried the same for Java servers, I wasn’t able to do it. The reason being, in Java servers the JVM maintains a DNS cache which stays for 10 seco… Continue reading SSRF Blacklist bypass using DNS Rebinding for Java Servers
Some site I am testing that retrieves data from some url, I could backconnect using ldaps://ip:port/
I tried wrappers like ldap://, dict:// but only ldaps seems to work.
Also expect:// seems disabled, same as sftp://
The sit… Continue reading SSRF to RCE or get it to print the out of file://?
Is it safe to let users enter in a URL in a field in my application where the backend of the application will go fetch the data for them via the URL they provided?
To clarify, the idea was to allow users to enter a URL insid… Continue reading Is it safe to let users enter a URL in my app that queries an external REST api?
I scanned a web app using Burp and it reported this vulnerability. When I click on the issue it show this request and response:
Request:
GET / HTTP/1.1
Host: xxxxx.burpcollaborator.net
Pragma: no-cache
Cache-Control: no… Continue reading Burp: Out Of band resource load
I am running a Windows instance on AWS.
The instance has an IIS service running on it.
The IIS service has a user associated to it and it has no need to access the AWS instance metadata.
I was reading up on
https://aws…. Continue reading Secure AWS instance metadata against potential SSRF
On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years. Continue reading What We Can Learn from the Capital One Hack
First, let me summarize how the SSRF works:
1) You set up an SVG image with a reference to your server via xlink. Here’s an example that works:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.o… Continue reading How to exploit SVG xlink-based SSRF
I am new to this field and would like to know how the flow happens in a host header injection attack.
I believe it’s as below:
Client generates the request.
Attacker manipulates the request and changes the host header (to… Continue reading Flow of a host header injection attack?