Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploiting dynamic rendering engines to take control of web apps - 312

Vasilii Ermilov - r2c. Posted 5 years ago.
  • Web scrapers are all over the internet working for search engines to discover content. However, a problem has come up since the JavaScript revolution: how does the search engine know the contents of the page if it is not static? In reality, the web scrapers will run the JavaScript in order to see the rendered content.
  • Some people have taken this to the next level though. Instead of trusting the web scrapers to render the JavaScript content, there is a way to dynamically render this content yourself, then hand the result to the web scraper. This control lets the author decide exactly what the scraper sees.
  • There are two common frameworks for this: Rendertron and Prerender.
  • The first step is identifying whether one of these engines is being used. This can be done by setting the User-Agent header on a curl request to that of a bot. If the HTML sent back is pretty-printed with NO script tags, then you have found something that is pre-rendering the content. Additionally, extra response headers are sent back indicating that the renderer is being used.
  • With Rendertron, there is a very nice page that allows for a trivial SSRF. Even with protections in place (disallowing internal metadata requests to cloud platforms), this mitigation can be bypassed by pointing the renderer at your own webpage containing iframes that make requests to these endpoints.
  • Prerender is harder to identify but can be used for similar SSRF techniques if exposed in the wild.
  • If these endpoints are protected, then looking for open redirects (within the rendering application) can allow controlled requests to launch SSRF attacks that launch MORE SSRF attacks (lolz).
  • Overall, interesting use of technology. This shows every little piece of technology on the web can be exploited in some way.
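The notes above describe two ways a renderer's URL check gets bypassed: a denylist of cloud metadata addresses is sidestepped by an iframe on an attacker-controlled page, and an open redirect turns an allowed first URL into a request to somewhere else. The defensive lesson is that the policy must be a hostname allowlist, and it must be applied to every request the headless browser makes (initial URL, each redirect hop, each sub-resource), not just the URL submitted to the render endpoint. The following is an added example of such a policy written for this page; it is not Rendertron's or Prerender's code, and the allowed host names and sample URLs are constructed. How the check is hooked into a given renderer (request interception or an egress proxy) is assumed to be done separately.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: only the site's own hostnames may be rendered.
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def _literal_ip_is_internal(host: str) -> bool:
    """True if host is an IP literal in a private, loopback, link-local
    (169.254.0.0/16 covers cloud metadata), reserved or otherwise
    non-public range. Non-IP hostnames return False here and are
    handled by the allowlist instead."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_render_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist policy for a single URL the renderer is about to load.
    Only http(s) to one of our own hostnames is permitted; everything
    else (IP literals, other domains, file:/gopher: schemes) is denied.
    urlsplit().hostname discards any userinfo, so 'host@evil' tricks
    are judged on the real host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host or _literal_ip_is_internal(host):
        return False
    return host in allowed_hosts


def review_render_chain(urls, allowed_hosts=ALLOWED_HOSTS):
    """Apply the policy to the whole set of URLs a render would touch:
    the submitted URL, every redirect hop and every sub-resource such
    as an iframe. Returns the URLs that must be blocked; an empty list
    means the render may proceed. Checking only the first URL is what
    the iframe and open-redirect bypasses rely on."""
    return [u for u in urls if not is_allowed_render_target(u, allowed_hosts)]


if __name__ == "__main__":
    # Constructed sample: an allowed page that redirects to the
    # metadata service and embeds an attacker-hosted iframe.
    chain = [
        "https://app.example.com/render-me",
        "http://169.254.169.254/latest/meta-data/",   # redirect hop
        "https://attacker.example/frame.html",        # iframe on the page
    ]
    for blocked in review_render_chain(chain):
        print("blocked:", blocked)
```

The allowlist is deliberately the only positive rule; the IP-range check is a second line of defence for literals and does not replace it, because a public-looking hostname under someone else's control can still resolve to an internal address.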