From cd2780d3f824712d63cfcddaa2955ca9adad6d1c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 19 Jul 2025 01:31:27 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/ssrf-server-sid... --- .../url-format-bypass.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index d2f1657b4b4..d200804c804 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -217,10 +217,46 @@ The “left square bracket” character `[` in the userinfo segment can cause Sp image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/) +### IPv6 Zone Identifier (%25) Trick + +Modern URL parsers that support RFC 6874 allow *link-local* IPv6 addresses to include a **zone identifier** after a percent sign. Some security filters are not aware of this syntax and will only strip square-bracketed IPv6 literals, letting the following payload reach an internal interface: + +```text +http://[fe80::1%25eth0]/ # %25 = encoded '%', interpreted as fe80::1%eth0 +http://[fe80::a9ff:fe00:1%25en0]/ # Another example (macOS style) +``` + +If the target application validates that the host is *not* `fe80::1` but stops parsing at the `%`, it may incorrectly treat the request as external. Always normalise the address **before** any security decision or strip the optional zone id entirely. + +### Recent Library Parsing CVEs (2022–2025) + +A number of mainstream frameworks have suffered from hostname-mismatch issues that can be exploited for SSRF once URL validation has been bypassed with the tricks listed above: + +| Year | CVE | Component | Bug synopsis | Minimal PoC | +|------|-----|-----------|--------------|-------------| +| 2024 | CVE-2024-22243 / ‑22262 | Spring `UriComponentsBuilder` | `[` is not allowed in the *userinfo* section, so `https://example.com\[@internal` is parsed as host `example.com` by Spring but as `internal` by browsers, enabling open-redirect & SSRF when host allow-lists are used. Upgrade to Spring 5.3.34 / 6.0.19 / 6.1.6+. | +| 2023 | CVE-2023-27592 | **urllib3** <1.26.15 | Backslash confusion allowed `http://example.com\\@169.254.169.254/` to bypass host filters that split on `@`. | +| 2022 | CVE-2022-3602 | OpenSSL | Hostname verification skipped when the name is suffixed with a `.` (dotless domain confusion). | + +When you depend on third-party URL parsers, **compare the canonicalised host returned by the library you trust with the raw string supplied by the user** to detect these classes of issues. + +### Payload-generation helpers (2024+) + +Creating large custom word-lists by hand is cumbersome. The open-source tool **SSRF-PayloadMaker** (Python 3) can now generate *80 k+* host-mangling combinations automatically, including mixed encodings, forced-HTTP downgrade and backslash variants: + +```bash +# Generate every known bypass that transforms the allowed host example.com to attacker.com +python3 ssrf_maker.py --allowed example.com --attacker attacker.com -A -o payloads.txt +``` + +The resulting list can be fed directly into Burp Intruder or `ffuf`. + ## References - [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md) - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet) +- [https://nvd.nist.gov/vuln/detail/CVE-2024-22243](https://nvd.nist.gov/vuln/detail/CVE-2024-22243) +- [https://github.com/hsynuzm/SSRF-PayloadMaker](https://github.com/hsynuzm/SSRF-PayloadMaker) {{#include ../../banners/hacktricks-training.md}}