
What is the SSRF protection mechanism?

2025-04-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Most people do not have a clear picture of the topic "what is the SSRF protection mechanism", so the editor has summarized the following contents: detailed, with clear steps, and of some reference value. I hope you gain something from reading this "what is the SSRF protection mechanism" article.

Suppose you find a feature in a web application that fetches an external resource. It can read content from a variety of external sites, there is no restriction on the types of files you can request, and the application displays whatever it fetched immediately. This behaviour tells you it is time to check for an SSRF vulnerability. So you type in 127.0.0.1. But a second later the server returns an unexpected response:

Error. Requests to this address are not allowed. Please try again.

So what do we do now?

SSRF protection mechanism

Companies are genuinely aware of the risk of SSRF attacks, so most have implemented some form of SSRF protection in their web applications. There are basically two kinds of SSRF protection mechanism: blacklists and whitelists.

A blacklist means that if the received input is an address on the blacklist, the address is not allowed and processing of the request is blocked. Most SSRF protections use blacklists to prevent probing of private network IP address ranges.

A whitelist, on the other hand, means that the server only processes requests whose URL is contained in a predetermined whitelist, and fails every other request.

Bypass the whitelist

Whitelists are usually more difficult to bypass because by default whitelists are stricter than blacklists. However, if there is an open redirect vulnerability in the domain in the whitelist, there may be a SSRF vulnerability.

If you can find an exploitable redirect, you can ask for a whitelisted domain that redirects you into the internal IP address range.

If the whitelist is not implemented correctly (for example, with a poorly designed regular expression), it can also be bypassed by using the whitelisted domain name as a subdomain or a directory (for example, victim.com.attacker.com or attacker.com/victim.com).
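The two whitelist mistakes above can be seen side by side in code. The following is an added example, not code from the original article: `whitelist_regex` is a stand-in for the "poorly designed regular expression" the text warns about, and `whitelist_strict` is the defensive form, which parses the URL and compares the exact hostname against an allow-list. The allow-list entries are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment would load its own.
ALLOWED_HOSTS = {"victim.com", "cdn.victim.com"}


def whitelist_regex(url: str) -> bool:
    """The flawed check: asks only whether the allowed name appears anywhere in the URL."""
    return re.search(r"victim\.com", url) is not None


def whitelist_strict(url: str) -> bool:
    """The defensive check: accept only http(s) and an exact, case-insensitive hostname match.

    Because the comparison is on the parsed hostname, neither a longer domain
    (victim.com.attacker.com) nor a path component (attacker.com/victim.com) matches.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # already lower-cased and stripped of port/userinfo
    return host is not None and host in ALLOWED_HOSTS


def compare(url: str) -> tuple:
    """Return (regex_result, strict_result) so the two checks can be contrasted."""
    return whitelist_regex(url), whitelist_strict(url)


if __name__ == "__main__":
    for u in (
        "https://victim.com/report.pdf",            # legitimate
        "http://victim.com.attacker.com/",          # subdomain trick from the text
        "http://attacker.com/victim.com",           # directory trick from the text
        "ftp://victim.com/",                        # wrong scheme
    ):
        print(f"{u:40} regex={whitelist_regex(u)!s:5} strict={whitelist_strict(u)}")
```

The strict check must also be applied to every hop of a redirect chain: if the HTTP client follows redirects automatically, the whitelist is evaluated only against the first URL, which is exactly the gap the open-redirect bypass above relies on. Disable automatic redirects and re-run the check on each `Location` before following it.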

Bypass the blacklist

However, because the application itself needs to fetch external resources, most SSRF protection mechanisms take the form of a blacklist. If you run into a blacklist, there are many ways to deceive the server:

Exploiting a redirect to deceive the server

Have the server request a URL you control, which then redirects to the blacklisted address. For example, you can host a file with the following contents on a web server you control:

Assume this file is located at http://attacker.com/redirect.php. When the target server requests http://attacker.com/redirect.php, it is actually redirected to http://127.0.0.1, a restricted internal address.

Using DNS to deceive the server

Modify the A record or AAAA record of a domain you control so that it points to an internal address of the victim's network. For example, suppose attacker.com is a domain you control. You can create a custom hostname-to-IP mapping so that subdomain.attacker.com resolves to 127.0.0.1. When the target server requests http://subdomain.attacker.com, it resolves your name to 127.0.0.1 and fetches data from that address instead.

Use an IPv6 address

Try an IPv6 address instead of an IPv4 address: the server may have implemented its protection for IPv4 only and left the IPv6 path uncovered.

Switching encodings

There are many alternative encodings of a URL or address that the server will still resolve correctly but that slip past the blacklist's string comparison. These encodings include hexadecimal, octal, dword (32-bit integer), URL (percent) encoding and mixtures of them.

Hexadecimal encoding

Hexadecimal encoding represents a number in base 16 (digits 0 to F) rather than base 10 (digits 0 to 9). Many servers understand hex-encoded IP addresses. To convert a decimal IP address to hexadecimal, convert each octet separately, for example:

127.0.0.1-> 0x7f.0x0.0x0.0x1

The 0x prefix indicates that the number is hexadecimal.

Octal encoding

Octal encoding represents a number in base 8. As with hexadecimal encoding, you can convert an IP address to octal. For example:

127.0.0.1-> 0177.0.0.01

Here a number beginning with 0 is read as octal.

Dword encoding

Dword stands for double word, a 32-bit integer. An IP address is itself 32 bits, split into four octets and written in decimal. For example, 127.0.0.1 is really 01111111.00000000.00000000.00000001. Converting the full 32-bit string 01111111000000000000000000000001 to a decimal number gives the IP address in dword form.

So what does 127.0.0.1 become in dword form? It is 127 × 256³ + 0 × 256² + 0 × 256 + 1, which works out to 2130706433. That means a request for http://2130706433 instead of http://127.0.0.1 still parses to the same address.

URL encoding

Each character in a URL can be represented by its hexadecimal code point preceded by a % sign. For example, the word "localhost" can be written in URL-encoded form as "%6c%6f%63%61%6c%68%6f%73%74". So when the server blocks requests for internal hostnames such as "localhost", try the URL-encoded equivalent.

Mixed encoding

This is mash-up time! You can also combine encoding techniques to try to deceive the server. Maybe this one works?

127.0.0.1 -> 0177.0.0.0x1

That is the content of this article on "what is the SSRF protection mechanism". I believe everyone now has some understanding of it, and I hope the content shared by the editor is helpful to you.
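Every encoding trick in this section works against the same weakness: the blacklist compares the address as a string, while the network stack parses it as a number. The defensive answer, covering the blacklist discussion above as well as the hex, octal, dword, URL-encoded, mixed, IPv6 and DNS cases, is to canonicalize the host and check the address the request would actually connect to. The following is an added example and not code from the article. `canonical_ipv4` is a deliberate reimplementation of the permissive `inet_aton`-style parsing rules (hex, octal, dword, one to four parts) so that the example runs on any platform; the blocked ranges, the `FAKE_DNS` table and the hostnames in it are constructed for the example, and in production the injected `resolver` would be `socket.getaddrinfo`.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed blocklist: loopback, RFC 1918, link-local (cloud metadata lives there), "this" network,
# and the IPv6 loopback / unique-local / link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline (labelled assumption).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],                # the usual hosts-file mapping
    "subdomain.attacker.example": ["127.0.0.1"],      # A record pointed at loopback, as in the DNS section
    "cdn.example": ["203.0.113.10"],                  # harmless public address (TEST-NET-3)
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def naive_blacklist(url: str) -> bool:
    """The string-matching blacklist the article describes: it knows only the literal spellings listed."""
    return any(bad in url for bad in ("127.0.0.1", "localhost", "192.168.", "169.254."))


def _parse_c_number(tok: str) -> int:
    # C-style literal rules: 0x.. is hex, a leading 0 is octal, anything else is decimal.
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok, 10)
    raise ValueError(f"not a numeric part: {tok!r}")


def canonical_ipv4(host: str):
    """Dotted-quad form of any inet_aton-style spelling (hex, octal, dword, mixed, 1-4 parts), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_c_number(p) for p in parts]
    except ValueError:
        return None
    if any(n > 0xFF for n in nums[:-1]):      # leading parts are single octets
        return None
    last_width = 4 - (len(nums) - 1)          # the last part fills the remaining bytes
    if nums[-1] >= 256 ** last_width:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * last_width)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def resolve_host_ips(host: str, resolver) -> list:
    """IPs a client would connect to for this host: literal forms are canonicalized, names are resolved."""
    host = unquote(host)                      # %6c%6f...%74 -> localhost
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                     # bracketed IPv6 literal
    dotted = canonical_ipv4(host)
    if dotted is not None:
        return [dotted]
    try:
        return [str(ipaddress.ip_address(host))]   # IPv6 literal
    except ValueError:
        return resolver(host)


def is_blocked_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                   # ::ffff:127.0.0.1 is really 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def url_reaches_internal(url: str, resolver=fake_resolver) -> bool:
    """True if the URL's host canonicalizes or resolves to a blocked address (fails closed on unknowns)."""
    host = urlsplit(url).hostname
    if not host:
        return True
    try:
        ips = resolve_host_ips(host, resolver)
    except ValueError:
        return True
    return not ips or any(is_blocked_ip(ip) for ip in ips)


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "http://0x7f.0x0.0x0.0x1/", "http://0177.0.0.01/", "http://2130706433/",
              "http://0177.0.0.0x1/", "http://%6c%6f%63%61%6c%68%6f%73%74/", "http://[::1]/",
              "http://subdomain.attacker.example/", "http://cdn.example/"):
        print(f"{u:42} naive={naive_blacklist(u)!s:5} canonical={url_reaches_internal(u)}")
```

Two points matter in practice. First, the resolved-IP check has to run at connection time and on every redirect hop, otherwise the DNS and redirect tricks earlier in the article still apply. Second, the check looks at the address the request would actually use rather than at the spelling of the URL, which is why an IPv4-mapped IPv6 literal or a 0177.0.0.0x1 mixture lands in the same bucket as 127.0.0.1.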
