Nagli
Feb 3, 2023, 7 tweets, 3 min read
Recently, I faced numerous challenges where I needed to bypass limited SSRF or overcome regex mitigations to increase impact and make a case for a report.

Spinning up a server to host a redirection header is time consuming and not-so-fun to do.

There's an easy alternative 🧵
While exploring some options online I came across replit.com; their product offers a pretty easy way to spin up a server with whatever technology you'd like, and to control the files and source code of your application.

#NotSponsored
So, as easy as it gets: we select a PHP server to host our payload on and change the index.php file to contain the following code snippet:

<?php
// PHP redirection test: 307 Temporary Redirect to the internal target
header("Location: http://internal.asset", true, 307);
exit();
?>
Then, in the top right corner, we'll have our constructed URL to test our payload against the target; it should look something like *.repl.co

So in a matter of ~2 minutes we have our own DNS name with a redirection payload that we can point directly at internal assets of our target, cool!
After testing our payload on our injection point, we can observe the interactive console on the bottom right of the page and use it to debug whether we managed to successfully increase our SSRF impact and to confirm that everything is set up correctly.
This is mostly useful for SSRF endpoints with heavy whitelisting / regex mitigations: if the SSRF client follows redirects, that opens up a whole new range of chains to bypass those mitigations.

It helped me to successfully hit internal assets at the H1-407 Live Hacking Event.
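The reason the trick works is that the vulnerable fetcher validates only the URL it was given and then follows the Location header blindly. The following added example (not from the thread) contrasts that pattern with a fetcher that re-validates every hop against internal address ranges; the DNS table, HTTP responses, hostnames and addresses are all constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed offline stand-ins for DNS and HTTP so the demo needs no network.
# The redirect host mirrors the thread's PHP snippet: a 307 pointing at an
# internal hostname. All names and addresses here are made up.
FAKE_DNS = {
    "redirector.example.repl.co": "203.0.113.10",   # attacker-controlled public host
    "internal.asset": "10.0.0.5",                   # RFC 1918 target behind the app
}
FAKE_HTTP = {
    "https://redirector.example.repl.co/": (307, {"Location": "http://internal.asset/"}, ""),
    "http://internal.asset/": (200, {}, "internal-only content"),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Address ranges an outbound fetcher should never reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local/metadata, CGNAT
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def destination_is_external(url):
    """Resolve the URL's host and refuse anything that lands on an internal range."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    resolved = FAKE_DNS.get(parts.hostname)  # stand-in for a real resolver
    if resolved is None:
        return False
    addr = ipaddress.ip_address(resolved)
    return not any(addr in net for net in BLOCKED_NETS)

def fetch_validating_first_hop_only(url, max_hops=5):
    """The pattern the thread abuses: check the submitted URL, then follow Location blindly."""
    if not destination_is_external(url):
        return None
    for _ in range(max_hops):
        status, headers, body = FAKE_HTTP.get(url, (404, {}, ""))
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        return body
    return None

def fetch_validating_every_hop(url, max_hops=5):
    """Hardened: re-run the check on each redirect target before requesting it."""
    for _ in range(max_hops):
        if not destination_is_external(url):
            return None
        status, headers, body = FAKE_HTTP.get(url, (404, {}, ""))
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        return body
    return None
```

Disabling redirect-following entirely, or resolving and connecting to the checked address rather than re-resolving the hostname, closes the remaining DNS-rebinding gap that per-hop validation alone does not.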
TLDR:
Hosting a redirection machine for whitelisting-bypass scenarios should take no longer than 2 minutes:

1. Create repl.it server with any technology
2. Edit the source code
3. Use the constructed DNS Payload on your target
4. Debug
5. Win

#BugBountyTips
