You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/pentesting-web/ssrf-server-side-request-forgery/README.md
+36Lines changed: 36 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -322,6 +322,42 @@ The difference between a blind SSRF and a not blind one is that in the blind you
322
322
323
323
**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
324
324
325
+
### From blid to full abusing status codes
326
+
327
+
According to this [**blog post**](https://slcyber.io/assetnote-security-research-center/novel-ssrf-technique-involving-http-redirect-loops/), some blind SSRF might happen because even if the targeted URL responds with a 200 status code (like AWS metadata), this dat is not properly formatted and therefore the app might refuse to show it.
328
+
329
+
However, it as found that sending some redirecs responses from 305 to 309 in the SSRF it might possible to makethen application **follow these redirects while entering an error mode** that no longer will check the format of the data and might just print it.
330
+
331
+
The python server used to exploit this is th following:
- Then it receives 305 → 306 → 307 → 308 → 309 → 310.
351
+
- After the 5th strange code the PoC finally returns 302 → 169.254.169.254 → 200 OK.
352
+
353
+
**What happens inside the target:**
354
+
- libcurl itself does follow 305–310; it just normalises unknown codes to “follow.”
355
+
- After N weird redirects (≥ 5 here) the application’s own wrapper decides “something is off” and switches to an error mode meant for debugging.
356
+
- In that mode it dumps the entire redirect chain plus final body back to the outside caller.
357
+
- Result: attacker sees every header + the metadata JSON, mission accomplished.
358
+
359
+
Note that this is interesting to leak status codes that you couldn't leak before (like a 200). However, if somehow you could also select the status code of the response (imagine that you can decide that the AWS metadata responds with a 500 status code), **there might be some status codes that directly leak the content of the response.**
360
+
325
361
## Cloud SSRF Exploitation
326
362
327
363
If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
0 commit comments