Where do SSRF vulnerabilities often exist?
A
Sharing: share webpage content via a URL
Transcoding services
Online translation
Image loading and downloading: load or download images via a URL
Image and article collection functions
Undocumented API implementations and other functions that call URLs
Q
SSRF vulnerability bypass method?
A
Bypassing a whitelisted-domain restriction with @
Using @: when the website is restricted to accessing only domain names of the http://www.xxx.com type, the restriction can be bypassed by using the HTTP basic authentication syntax, such as: http://[email protected]. com
Bypassing whitelist restrictions on intranet IPs
Bypass using short URLs
Use a special domain name: xip.io can point to any IP address (the principle is DNS resolution); for example, 127.0.0.1.xip.io resolves to 127.0.0.1
Use base conversion of 127.0.0.1: octal: 0177.0.0.1; hexadecimal: 0x7f.0.0.1; decimal: 2130706433
Using [::]: http://[::]:80/ will resolve to http://127.0.0.1
Add the port number, http://127.0.0.1:8080
Use periods: for example, 127.0.0.1 will be resolved to 127.0.0.1
Use 302 redirect
Bypassing a restriction that allows only HTTP-protocol requests
Use 302 redirect
Use short addresses
Q
The harm of SSRF vulnerability?
A
Perform port scanning on the external network, the internal network where the server is located, and locally, and send payloads to any port on any internal host to attack internal network services
DoS attack (request a large file and always keep the connection alive: Keep-Alive Always)
Attack web applications on the intranet, such as direct SQL injection, XSS attacks, etc.
Use file, gopher, dict protocols to read local files, execute commands, etc.
Can ignore the website's CDN