SSRF (server-side request forgery) can be used to make the vulnerable server issue requests into the client's internal network. This link is an awesome cheat sheet with MANY bypasses for SSRF protections and approaches to attacking with SSRF. Below are a few interesting things that I personally picked out.
There are MANY ways to represent an IP address besides the normal dotted-quad form we usually see (127.0.0.1). For example: IPv6 (0:0:0:0:0:0:0:1), decimal (2130706433), octal (17700000001), binary (1111111000000000000000000000001), and the trailing zero octets can even be dropped... so many ways to encode IPs!
Beyond plain HTTP, SSRF can be used for protocol smuggling within the internal network. For instance, Gopher, LDAP, Nginx and other services listening internally can be reached, which can lead to RCE if you are not careful.
When does this vulnerability occur? Anywhere URLs are processed in any capacity is where you tend to see it: in particular, file-format processing (Word docs, XML, etc.), URL requests made through a parsing library, direct socket access, and so on.
Using redirections (set up your own domain, then redirect to an internal one) can be extremely useful because the redirect is followed after the verification steps!
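The three points above (alternative IP spellings, non-HTTP schemes, and redirects that land after validation) are exactly what a string-matching denylist gets wrong. The following is an added example of my own, not code from the cheat sheet, showing a validator that canonicalises every IP-literal form before checking it, resolves hostnames, and rejects non-HTTP schemes; `fake_resolve`, `evil.example` and the addresses in it are constructed for an offline demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def canonical_ip(host):
    """Normalise any IP-literal spelling to an ipaddress object; None if host is a name.
    inet_aton accepts the decimal, octal, hex and dropped-octet forms a denylist misses."""
    try:
        return ipaddress.ip_address(host)      # dotted quad or IPv6, already canonical
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)        # "2130706433", "017700000001", "127.1"
    except OSError:
        return None                            # not an IP literal at all
    return ipaddress.IPv4Address(packed)

def is_internal(ip):
    """Loopback, RFC 1918, link-local (169.254/16, where cloud metadata lives),
    unspecified and reserved ranges; IPv4-mapped IPv6 is unwrapped first."""
    ip = getattr(ip, "ipv4_mapped", None) or ip   # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)

def check_url(url, resolve=socket.getaddrinfo):
    """Decide whether the server may fetch url. Names are resolved and every
    address checked, since DNS can point inside. Fetch with redirects disabled
    and re-run this on each Location header: redirects happen after this check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"     # no gopher://, file://, ldap:// etc.
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = canonical_ip(host)
    try:
        addrs = [ip] if ip else [ipaddress.ip_address(r[4][0]) for r in resolve(host, None)]
    except (OSError, ValueError):
        return False, "unresolvable host"
    for addr in addrs:
        if is_internal(addr):
            return False, f"internal address {addr}"
    return True, "ok"

def fake_resolve(host, port):
    """Constructed offline stand-in for getaddrinfo (attacker name -> loopback)."""
    table = {"evil.example": "127.0.0.1", "www.example.com": "93.184.216.34"}
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port or 0))]
```

Note that `check_url` only decides whether the first request may go out; the fetch itself must run with redirects disabled so every hop is re-checked.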
What damage can actually be caused?
- Data exfiltration (non-blind)
- Calling internal, non-authenticated web services to change the state of something
- RCE via protocol smuggling
- On AWS, using the call to steal role keys
There is still a lot more, but these were my personal interesting takeaways from this.