Problem: Some servers filter SSRF attempts by checking the URL parameters in requests. For example, a server might block direct requests to internal IP addresses or certain protocols.
Bypass Idea: The server might not filter the redirected response from an external server, allowing the attacker to indirectly access restricted IPs or protocols.
How It Works:
The Python script creates a simple HTTP server that listens on a specified port.
When the server receives a GET request, it responds with a 302 redirect status, pointing to a URL passed as an argument.
This redirect can point to an internal IP address (e.g., 127.0.0.1) or use a protocol that might otherwise be blocked (e.g., gopher).
Usage:
Run the Script: Start the Python server with the desired port and the target URL for redirection:
python3 redirector.py 8000 http://127.0.0.1/
Trigger SSRF: Send an SSRF request to the vulnerable server with the URL of the Python server. The vulnerable server will follow the redirect, potentially bypassing the filter and accessing the internal resource.
The backslash-trick exploits a difference between the and . While RFC3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key distinction lies in the WHATWG standard's recognition of the backslash (\) as equivalent to the forward slash (/), impacting how URLs are parsed, specifically marking the transition from the hostname to the path in a URL.
