Bypassing SSRF Defenses

It is common to see applications containing SSRF behavior together with defenses aimed at preventing malicious exploitation. Often, these defenses can be circumvented.

Bypassing Blacklist-Based Input Filters

• Applications often block input containing hostnames (127.0.0.1) or URLs (/admin)

• Bypass in these ways:

  • Use an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
  • Register your own domain that resolves to 127.0.0.1 (spoofed.burpcollaborator.net)
  • Obfuscate block strings using URL encoding or case variation in characters
  • Provide a URL that you control, which redirects to the target URL. Try using different redirect codes, as well as different protocols for the target URL. For example, switching from an http: to https: URL during the redirect has been shown to bypass some anti-SSRF filters.

Bypassing Whitelist-Based Input Filters

- Embed creds in a URL before the hostname:
https://expected-host@evil
https://localhost:80@domain-whitelisted.com/folder-we-want

• Use the # character to indicate a URL fragment:

https://evil-host#expected-host

• Leverage DNS naming hierarchy to place required input into a fully-qualified DNS name you control:

https://expected-host.evil

• URL-encode characters to confuse the URL-parsing code

• Combine these various techniques together

Bypassing with Open Redirection

• Suppose the following is true:
  • User-submitted URL is strictly validated
  • Application contains an open redirection vulnerability
• Construct a URL that meets the filter but redirects to a back-end target

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://1
92.168.0.68/admin