Merge pull request #1153 from HackTricks-wiki/research_update_src_pentesting-web_ssrf-server-side-request-forgery_url-format-bypass_20250719_012840

Research Update Enhanced src/pentesting-web/ssrf-server-side...

Author: carlospolop

src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

@@ -217,10 +217,46 @@ The “left square bracket” character `[` in the userinfo segment can cause Sp
 
 image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
 
+### IPv6 Zone Identifier (%25) Trick
+
+Modern URL parsers that support RFC 6874 allow *link-local* IPv6 addresses to include a **zone identifier** after a percent sign. Some security filters are not aware of this syntax and will only strip square-bracketed IPv6 literals, letting the following payload reach an internal interface:
+
+```text
+http://[fe80::1%25eth0]/          # %25 = encoded '%', interpreted as fe80::1%eth0
+http://[fe80::a9ff:fe00:1%25en0]/ # Another example (macOS style)
+```
+
+If the target application validates that the host is *not* `fe80::1` but stops parsing at the `%`, it may incorrectly treat the request as external. Always normalise the address **before** any security decision or strip the optional zone id entirely.
+
+### Recent Library Parsing CVEs (2022–2025)
+
+A number of mainstream frameworks have suffered from hostname-mismatch issues that can be exploited for SSRF once URL validation has been bypassed with the tricks listed above:
+
+| Year | CVE | Component | Bug synopsis | Minimal PoC |
+|------|-----|-----------|--------------|-------------|
+| 2024 | CVE-2024-22243 / ‑22262 | Spring `UriComponentsBuilder` | `[` is not allowed in the *userinfo* section, so `https://example.com\[@internal` is parsed as host `example.com` by Spring but as `internal` by browsers, enabling open-redirect & SSRF when host allow-lists are used. Upgrade to Spring 5.3.34 / 6.0.19 / 6.1.6+.  |
+| 2023 | CVE-2023-27592 | **urllib3** <1.26.15 | Backslash confusion allowed `http://example.com\\@169.254.169.254/` to bypass host filters that split on `@`. |
+| 2022 | CVE-2022-3602 | OpenSSL | Hostname verification skipped when the name is suffixed with a `.` (dotless ___domain confusion). |
+
+When you depend on third-party URL parsers, **compare the canonicalised host returned by the library you trust with the raw string supplied by the user** to detect these classes of issues.
+
+### Payload-generation helpers (2024+)
+
+Creating large custom word-lists by hand is cumbersome.  The open-source tool **SSRF-PayloadMaker** (Python 3) can now generate *80 k+* host-mangling combinations automatically, including mixed encodings, forced-HTTP downgrade and backslash variants:
+
+```bash
+# Generate every known bypass that transforms the allowed host example.com to attacker.com
+python3 ssrf_maker.py --allowed example.com --attacker attacker.com -A -o payloads.txt
+```
+
+The resulting list can be fed directly into Burp Intruder or `ffuf`. 
+
 ## References
 
 - [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
 - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
+- [https://nvd.nist.gov/vuln/detail/CVE-2024-22243](https://nvd.nist.gov/vuln/detail/CVE-2024-22243)
+- [https://github.com/hsynuzm/SSRF-PayloadMaker](https://github.com/hsynuzm/SSRF-PayloadMaker)
 
 {{#include ../../banners/hacktricks-training.md}}