mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
References updated for SAML, SSI, SSRF
This commit is contained in:
parent
9ed40edfca
commit
df8d4d7f27
4 changed files with 130 additions and 128 deletions
|
@ -1,10 +1,11 @@
|
|||
# Request Smuggling
|
||||
!# Request Smuggling
|
||||
|
||||
> HTTP Request smuggling occurs when multiple "things" process a request, but differ on how they determine where the request starts/ends. This disagreement can be used to interfere with another user's request/response or to bypass security controls. It normally occurs due to prioritising different HTTP headers (Content-Length vs Transfer-Encoding), differences in handling malformed headers (eg whether to ignore headers with unexpected whitespace), due to downgrading requests from a newer protocol, or due to differences in when a partial request has timed out and should be discarded.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Labs](#labs)
|
||||
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
|
||||
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
|
||||
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
|
||||
|
@ -12,16 +13,25 @@
|
|||
|
||||
## Tools
|
||||
|
||||
* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
|
||||
* [Smuggler](https://github.com/defparam/smuggler)
|
||||
* [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) > this tool does not offer automated exploitation. You have to identify the injection point and exploit it manually!
|
||||
* [bappstore/HTTP Request Smuggler](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) - An extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks
|
||||
* [defparam/Smuggler](https://github.com/defparam/smuggler) - An HTTP Request Smuggling / Desync testing tool written in Python 3
|
||||
* [dhmosfunk/simple-http-smuggler-generator](https://github.com/dhmosfunk/simple-http-smuggler-generator) - This tool is developed for burp suite practitioner certificate exam and HTTP Request Smuggling labs.
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger - HTTP request smuggling, basic CL.TE vulnerability](https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te)
|
||||
* [PortSwigger - HTTP request smuggling, basic TE.CL vulnerability](https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl)
|
||||
* [PortSwigger - HTTP request smuggling, obfuscating the TE header](https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header)
|
||||
* [PortSwigger - Response queue poisoning via H2.TE request smuggling](https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning/lab-request-smuggling-h2-response-queue-poisoning-via-te-request-smuggling)
|
||||
* [PortSwigger - Client-side desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync/lab-client-side-desync)
|
||||
|
||||
|
||||
## About CL.TE | TE.CL Vulnerabilities
|
||||
If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as portswigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`. For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it. This tool offers you only the second request with a valid chunk size(TE.CL) auto-generated but does not offer automated exploitation. You have to identify the injection point and exploit it manually!
|
||||
|
||||
|
||||
If you want to exploit HTTP Requests Smuggling manually you will face some problems especially in TE.CL vulnerability you have to calculate the chunk size for the second request(malicious request) as PortSwigger suggests `Manually fixing the length fields in request smuggling attacks can be tricky.`.
|
||||
|
||||
For that reason you can use the [Simple HTTP Smuggler Generator CL.TE TE.CL](https://github.com/dhmosfunk/simple-http-smuggler-generator) and exploit the CL.TE TE.CL vulnerabilities manually and learn how this vulnerability works and how you can exploit it.
|
||||
|
||||
|
||||
## CL.TE vulnerabilities
|
||||
|
@ -54,7 +64,6 @@ Transfer-Encoding: chunked
|
|||
G
|
||||
```
|
||||
|
||||
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
|
||||
|
||||
## TE.CL vulnerabilities
|
||||
|
||||
|
@ -94,7 +103,6 @@ x=1
|
|||
|
||||
:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0.
|
||||
|
||||
Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
|
||||
|
||||
## TE.TE behavior: obfuscating the TE header
|
||||
|
||||
|
@ -112,7 +120,6 @@ Transfer-Encoding
|
|||
: chunked
|
||||
```
|
||||
|
||||
Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header
|
||||
|
||||
## HTTP/2 Request Smuggling
|
||||
|
||||
|
@ -125,7 +132,6 @@ HTTP/2 request smuggling can occur if a machine converts your HTTP/2 request to
|
|||
header ignored\r\n\r\nGET / HTTP/1.1\r\nHost: www.example.com
|
||||
```
|
||||
|
||||
Challenge: https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning/lab-request-smuggling-h2-response-queue-poisoning-via-te-request-smuggling
|
||||
|
||||
## Client-side desync
|
||||
|
||||
|
@ -171,11 +177,11 @@ tells the victim browser to send a POST request to www.example.com/redirect. Tha
|
|||
www.example.com now incorrectly processes the HEAD request in the POST's body, instead of the browser's GET request, and returns 404 not found with a content-length, before replying to the next misinterpreted third (`GET /x?x=<script>...`) request and finally the browser's actual GET request.
|
||||
Since the browser only sent one request, it accepts the response to the HEAD request as the response to its GET request and interprets the third and fourth responses as the body of the response, and thus executes the attacker's script.
|
||||
|
||||
Challenge: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync/lab-client-side-desync
|
||||
|
||||
## References
|
||||
|
||||
* [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
|
||||
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling)
|
||||
* [Advanced Request Smuggling - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced#http-2-request-smuggling)
|
||||
* [Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - James Kettle - 10 August 2022](https://portswigger.net/research/browser-powered-desync-attacks)
|
||||
- [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - October 16, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling)
|
||||
- [Advanced Request Smuggling - PortSwigger - October 26, 2021](https://portswigger.net/web-security/request-smuggling/advanced#http-2-request-smuggling)
|
||||
- [Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - James Kettle (@albinowax) - August 10, 2022](https://portswigger.net/research/browser-powered-desync-attacks)
|
||||
- [HTTP Desync Attacks: Request Smuggling Reborn - James Kettle (@albinowax) - August 7, 2019](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
|
||||
- [Request Smuggling Tutorial - PortSwigger - September 28, 2019](https://portswigger.net/web-security/request-smuggling)
|
|
@ -6,17 +6,20 @@
|
|||
|
||||
* [Tools](#tools)
|
||||
* [Authentication Bypass](#authentication-bypass)
|
||||
* [Invalid Signature](#invalid-signature)
|
||||
* [Signature Stripping](#signature-stripping)
|
||||
* [XML Signature Wrapping Attacks](#xml-signature-wrapping-attacks)
|
||||
* [XML Comment Handling](#xml-comment-handling)
|
||||
* [XML External Entity](#xml-external-entity)
|
||||
* [Extensible Stylesheet Language Transformation](#extensible-stylesheet-language-transformation)
|
||||
* [Invalid Signature](#invalid-signature)
|
||||
* [Signature Stripping](#signature-stripping)
|
||||
* [XML Signature Wrapping Attacks](#xml-signature-wrapping-attacks)
|
||||
* [XML Comment Handling](#xml-comment-handling)
|
||||
* [XML External Entity](#xml-external-entity)
|
||||
* [Extensible Stylesheet Language Transformation](#extensible-stylesheet-language-transformation)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
- [SAML Raider - Burp Extension](https://github.com/SAMLRaider/SAMLRaider)
|
||||
- [SAML Support - ZAP Addon](https://www.zaproxy.org/docs/desktop/addons/saml-support/)
|
||||
- [CompassSecurity/SAMLRaider](https://github.com/SAMLRaider/SAMLRaider) - SAML2 Burp Extension.
|
||||
- [ZAP Addon/SAML Support](https://www.zaproxy.org/docs/desktop/addons/saml-support/) - Allows to detect, show, edit, and fuzz SAML requests.
|
||||
|
||||
|
||||
## Authentication Bypass
|
||||
|
||||
|
@ -67,21 +70,21 @@ Example of SAML assertion where `NameID=admin` without signature.
|
|||
|
||||
XML Signature Wrapping (XSW) attack, some implementations check for a valid signature and match it to a valid assertion, but do not check for multiple assertions, multiple signatures, or behave differently depending on the order of assertions.
|
||||
|
||||
- XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
|
||||
- XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
|
||||
- XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
|
||||
- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion.
|
||||
- XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
|
||||
- XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
|
||||
- XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
|
||||
- XSW8 – Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed.
|
||||
- **XSW1**: Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
|
||||
- **XSW2**: Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
|
||||
- **XSW3**: Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
|
||||
- **XSW4**: Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion.
|
||||
- **XSW5**: Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
|
||||
- **XSW6**: Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
|
||||
- **XSW7**: Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
|
||||
- **XSW8**: Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed.
|
||||
|
||||
|
||||
In the following example, these terms are used.
|
||||
|
||||
- FA: Forged Assertion
|
||||
- LA: Legitimate Assertion
|
||||
- LAS: Signature of the Legitimate Assertion
|
||||
- **FA**: Forged Assertion
|
||||
- **LA**: Legitimate Assertion
|
||||
- **LAS**: Signature of the Legitimate Assertion
|
||||
|
||||
```xml
|
||||
<SAMLResponse>
|
||||
|
@ -186,15 +189,14 @@ Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_At
|
|||
|
||||
## References
|
||||
|
||||
- [SAML Burp Extension - ROLAND BISCHOFBERGER - JULY 24, 2015](https://blog.compass-security.com/2015/07/saml-burp-extension/)
|
||||
- [The road to your codebase is paved with forged assertions - @ilektrojohn - March 13, 2017](http://www.economyofmechanism.com/github-saml)
|
||||
- [SAML_Security_Cheat_Sheet.md - OWASP](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md)
|
||||
- [On Breaking SAML: Be Whoever You Want to Be - Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf)
|
||||
- [Making Headlines: SAML - March 19, 2018 - Torsten George](https://blog.centrify.com/saml/)
|
||||
- [Vulnerability Note VU#475445 - 2018-02-27 - Carnegie Mellon University](https://www.kb.cert.org/vuls/id/475445/)
|
||||
- [ORACLE WEBLOGIC - MULTIPLE SAML VULNERABILITIES (CVE-2018-2998/CVE-2018-2933) - Denis Andzakovic - Jul 18, 2018](https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities)
|
||||
- [Truncation of SAML Attributes in Shibboleth 2 - 2018-01-15 - redteam-pentesting.de](https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2)
|
||||
- [Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them - March 7th, 2017 - Jem Jensen](https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part I - @epi052](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part II - @epi052](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part III - @epi052](https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/)
|
||||
- [Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them - Jem Jensen - March 7, 2017](https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part I - Ben Risher (@epi052) - March 7, 2019](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part II - Ben Risher (@epi052) - March 13, 2019](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)
|
||||
- [How to Hunt Bugs in SAML; a Methodology - Part III - Ben Risher (@epi052) - March 16, 2019](https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/)
|
||||
- [On Breaking SAML: Be Whoever You Want to Be - Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen - August 23, 2012](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf)
|
||||
- [Oracle Weblogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933) - Denis Andzakovic - July 18, 2018](https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities)
|
||||
- [SAML Burp Extension - Roland Bischofberger - July 24, 2015](https://blog.compass-security.com/2015/07/saml-burp-extension/)
|
||||
- [SAML Security Cheat Sheet - OWASP - February 2, 2019](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md)
|
||||
- [The road to your codebase is paved with forged assertions - Ioannis Kakavas (@ilektrojohn) - March 13, 2017](http://www.economyofmechanism.com/github-saml)
|
||||
- [Truncation of SAML Attributes in Shibboleth 2 - redteam-pentesting.de - January 15, 2018](https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2)
|
||||
- [Vulnerability Note VU#475445 - Garret Wassermann - February 27, 2018](https://www.kb.cert.org/vuls/id/475445/)
|
|
@ -22,4 +22,4 @@
|
|||
|
||||
## References
|
||||
|
||||
* [Server-Side Includes (SSI) Injection - OWASP](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection)
|
||||
* [Server-Side Includes (SSI) Injection - Weilin Zhong, Nsrav - December 4, 2019](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection)
|
|
@ -7,31 +7,31 @@
|
|||
* [Tools](#tools)
|
||||
* [Payloads with localhost](#payloads-with-localhost)
|
||||
* [Bypassing filters](#bypassing-filters)
|
||||
* [Bypass using HTTPS](#bypass-using-https)
|
||||
* [Bypass localhost with [::]](#bypass-localhost-with-)
|
||||
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
|
||||
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
|
||||
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
|
||||
* [Bypass using octal IP](#bypass-using-octal-ip)
|
||||
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
|
||||
* [Bypass using malformed urls](#bypass-using-malformed-urls)
|
||||
* [Bypass using rare address](#bypass-using-rare-address)
|
||||
* [Bypass using URL encoding](#bypass-using-url-encoding)
|
||||
* [Bypass using bash variables](#bypass-using-bash-variables)
|
||||
* [Bypass using tricks combination](#bypass-using-tricks-combination)
|
||||
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
|
||||
* [Bypass filter_var() php function](#bypass-filter_var-php-function)
|
||||
* [Bypass against a weak parser](#bypass-against-a-weak-parser)
|
||||
* [Bypassing using jar protocol (java only)](#bypassing-using-jar-protocol-java-only)
|
||||
* [Bypass using HTTPS](#bypass-using-https)
|
||||
* [Bypass localhost with [::]](#bypass-localhost-with-)
|
||||
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
|
||||
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
|
||||
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
|
||||
* [Bypass using octal IP](#bypass-using-octal-ip)
|
||||
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
|
||||
* [Bypass using malformed urls](#bypass-using-malformed-urls)
|
||||
* [Bypass using rare address](#bypass-using-rare-address)
|
||||
* [Bypass using URL encoding](#bypass-using-url-encoding)
|
||||
* [Bypass using bash variables](#bypass-using-bash-variables)
|
||||
* [Bypass using tricks combination](#bypass-using-tricks-combination)
|
||||
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
|
||||
* [Bypass filter_var() php function](#bypass-filter_var-php-function)
|
||||
* [Bypass against a weak parser](#bypass-against-a-weak-parser)
|
||||
* [Bypassing using jar protocol (java only)](#bypassing-using-jar-protocol-java-only)
|
||||
* [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
|
||||
* [file://](#file)
|
||||
* [http://](#http)
|
||||
* [dict://](#dict)
|
||||
* [sftp://](#sftp)
|
||||
* [tftp://](#tftp)
|
||||
* [ldap://](#ldap)
|
||||
* [gopher://](#gopher)
|
||||
* [netdoc://](#netdoc)
|
||||
* [file://](#file)
|
||||
* [http://](#http)
|
||||
* [dict://](#dict)
|
||||
* [sftp://](#sftp)
|
||||
* [tftp://](#tftp)
|
||||
* [ldap://](#ldap)
|
||||
* [gopher://](#gopher)
|
||||
* [netdoc://](#netdoc)
|
||||
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
|
||||
* [SSRF exploiting Redis](#ssrf-exploiting-redis)
|
||||
* [SSRF exploiting PDF file](#ssrf-exploiting-pdf-file)
|
||||
|
@ -40,22 +40,22 @@
|
|||
* [SSRF to XSS](#ssrf-to-xss)
|
||||
* [SSRF from XSS](#ssrf-from-xss)
|
||||
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||
* [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
|
||||
* [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
|
||||
* [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda)
|
||||
* [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
|
||||
* [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
|
||||
* [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
|
||||
* [SSRF URL for Azure](#ssrf-url-for-azure)
|
||||
* [SSRF URL for OpenStack/RackSpace](#ssrf-url-for-openstackrackspace)
|
||||
* [SSRF URL for HP Helion](#ssrf-url-for-hp-helion)
|
||||
* [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
|
||||
* [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
|
||||
* [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
|
||||
* [SSRF URL for Hetzner Cloud](#ssrf-url-for-hetzner-cloud)
|
||||
* [SSRF URL for Docker](#ssrf-url-for-docker)
|
||||
* [SSRF URL for Rancher](#ssrf-url-for-rancher)
|
||||
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||
* [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
|
||||
* [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
|
||||
* [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda)
|
||||
* [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
|
||||
* [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
|
||||
* [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
|
||||
* [SSRF URL for Azure](#ssrf-url-for-azure)
|
||||
* [SSRF URL for OpenStack/RackSpace](#ssrf-url-for-openstackrackspace)
|
||||
* [SSRF URL for HP Helion](#ssrf-url-for-hp-helion)
|
||||
* [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
|
||||
* [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
|
||||
* [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
|
||||
* [SSRF URL for Hetzner Cloud](#ssrf-url-for-hetzner-cloud)
|
||||
* [SSRF URL for Docker](#ssrf-url-for-docker)
|
||||
* [SSRF URL for Rancher](#ssrf-url-for-rancher)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -894,48 +894,42 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
|
|||
|
||||
## Labs
|
||||
|
||||
* [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
|
||||
* [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)
|
||||
* [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
|
||||
* [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)
|
||||
* [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection)
|
||||
* [PortSwigger - Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
|
||||
* [PortSwigger - Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)
|
||||
* [PortSwigger - SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
|
||||
* [PortSwigger - SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)
|
||||
* [PortSwigger - SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection)
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [AppSecEU15-Server_side_browsing_considered_harmful.pdf](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||
- [Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - 2017-12-13](https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/)
|
||||
- [ESEA Server-Side Request Forgery and Querying AWS Meta Data](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/) by Brett Buerhaus
|
||||
- [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
|
||||
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||
- [SSRF in proxy.duckduckgo.com](https://hackerone.com/reports/358119)
|
||||
- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
|
||||
- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
|
||||
- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||
- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||
- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||
- [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
|
||||
- [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
||||
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||
- [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||
- [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||
- [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||
- [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||
- [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||
- [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
- [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
||||
- [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
||||
- [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/)
|
||||
- [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
|
||||
- [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
|
||||
- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
|
||||
- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://notsosecure.com/exploiting-ssrf-aws-elastic-beanstalk)
|
||||
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
|
||||
- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)
|
||||
- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
|
||||
- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html)
|
||||
- [Attacking Url's in JAVA](https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/)
|
||||
- [SSRF: Don't encode entire IP](https://twitter.com/thedawgyg/status/1224547692967342080)
|
||||
- [Pong [EN]| FCSC 2024 - vozec - April 12, 2024](https://vozec.fr/writeups/pong-fcsc2024-en/)
|
||||
- [Pong [EN]| FCSC 2024 - mizu.re - Apr 13, 2024](https://mizu.re/post/pong)
|
||||
- [SSRFmap - Introducing the AXFR module - Swissky - June 13, 2024](https://swisskyrepo.github.io/SSRFmap-axfr/)
|
||||
- [A New Era Of SSRF - Exploiting URL Parsers - Orange Tsai - September 27, 2017](https://www.youtube.com/watch?v=D1S-G8rJrEk)
|
||||
- [Blind SSRF on errors.hackerone.net - chaosbolt - June 30, 2018](https://hackerone.com/reports/374737)
|
||||
- [ESEA Server-Side Request Forgery and Querying AWS Meta Data - Brett Buerhaus - April 18, 2016](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/)
|
||||
- [Exploiting SSRF in AWS Elastic Beanstalk - Sunil Yadav - February 1, 2019](https://notsosecure.com/exploiting-ssrf-aws-elastic-beanstalk)
|
||||
- [Extracting AWS metadata via SSRF in Google Acquisition - tghawkins - December 13, 2017](https://web.archive.org/web/20180210093624/https://hawkinsecurity.com/2017/12/13/extracting-aws-metadata-via-ssrf-in-google-acquisition/)
|
||||
- [Hacker101 SSRF - Cody Brocious - October 29, 2018](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
||||
- [Hackerone - How To: Server-Side Request Forgery (SSRF) - Jobert Abma - June 14, 2017](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||
- [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity - December 17, 2017](http://web.archive.org/web/20171220083457/http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||
- [How I Chained 4 Vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai - July 28, 2017](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||
- [How I Converted SSRF to XSS in Jira - Ashish Kunwar - June 1, 2018](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
- [Les Server Side Request Forgery : Comment contourner un pare-feu - Geluchat - September 16, 2017](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||
- [PHP SSRF - @secjuice - theMiddle - March 1, 2018](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||
- [Piercing the Veil: Server Side Request Forgery to NIPRNet Access - Alyssa Herrera - April 9, 2018](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
||||
- [Pong [EN] | FCSC 2024 - Arthur Deloffre (@Vozec1) - April 12, 2024](https://vozec.fr/writeups/pong-fcsc2024-en/)
|
||||
- [Pong [EN] | FCSC 2024 - Kévin - Mizu (@kevin_mizu) - April 13, 2024](https://mizu.re/post/pong)
|
||||
- [Server-side Browsing Considered Harmful - Nicolas Grégoire (Agarri) - May 21, 2015](https://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||
- [SSRF - Server-Side Request Forgery (Types and Ways to Exploit It) Part-1 - SaN ThosH (madrobot) - January 10, 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
|
||||
- [SSRF and Local File Read in Video to GIF Converter - sl1m - February 11, 2016](https://hackerone.com/reports/115857)
|
||||
- [SSRF in https://imgur.com/vidgif/url - Eugene Farfel (aesteral) - February 10, 2016](https://hackerone.com/reports/115748)
|
||||
- [SSRF in proxy.duckduckgo.com - Patrik Fábián (fpatrik) - May 27, 2018](https://hackerone.com/reports/358119)
|
||||
- [SSRF on *shopifycloud.com - Rojan Rijal (rijalrojan) - July 17, 2018](https://hackerone.com/reports/382612)
|
||||
- [SSRF Protocol Smuggling in Plaintext Credential Handlers: LDAP - Willis Vandevanter (@0xrst) - February 5, 2019](https://www.silentrobots.com/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
|
||||
- [SSRF Tips - xl7dev - July 3, 2016](http://web.archive.org/web/20170407053309/http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
||||
- [SSRF's Up! Real World Server-Side Request Forgery (SSRF) - Alberto Wilson and Guillermo Gabarrin - January 25, 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
|
||||
- [SSRFmap - Introducing the AXFR Module - Swissky - June 13, 2024](https://swisskyrepo.github.io/SSRFmap-axfr/)
|
||||
- [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例 - mrtc0 - September 5, 2018](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/)
|
||||
- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - June 12, 2019](https://github.com/allanlw/svg-cheatsheet)
|
||||
- [URL Eccentricities in Java - sammy (@PwnL0rd) - November 2, 2020](http://web.archive.org/web/20201107113541/https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/)
|
||||
- [Web Security Academy Server-Side Request Forgery (SSRF) - PortSwigger - July 10, 2019](https://portswigger.net/web-security/ssrf)
|
||||
- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG (@quanyang) - June 22, 2016](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
|
Loading…
Reference in a new issue