Share this page!

Maybe Scrolly?
Nagli Profile picture
Twitter logo
Feb 3 7 tweets 3 min read
Recently, I faced numerous challenges where I needed to bypass limited SSRF or overcome regex mitigations to increase impact and make a case for a report.

Spinning up a server to host a redirection header is time consuming and not-so-fun to do.

There's an easy alternative 🧵
While exploring some options online I've came across replit.com, their product offers a pretty easy way to just spin up a server with whatever technologies you'd like, and control the files and source code of your application.

#NotSponsored
So, as easy as it gets - we will select a PHP Server to host our payload on, change the index.php file to have the following code snippet:

<?php
// PHP permanent URL redirection test
header("Location: http://internal.asset", true, 307);
exit();
?>
Then on the top right corner we'll have our constructed URL to test our payload on the target, should be something like *.repl.co

So in a matter of ~2 minutes - we have our own DNS name with a redirection payload that we can point directly to internal assets of our target, cool!
After testing our payload on our injection point,

We can observe the interactive console on the bottom right of the page, and debug the information to wether we managed to successfully increase our SSRF Impact and to determine that everything is set up correctly.
This is mostly useful for SSRF endpoints with heavy whitelisting / regex mitigations, if the SSRF will follow redirects, that could open a whole new aspect for numerous of chains to bypass those.

It helped me to successfully hit internal assets at the H1-407 Live Hacking Event.
TLDR:
Hosting a redirection machine for whitelisting bypass scenarios should take no longer than 2 minutes

1. Create repl.it server with any technology
2. Edit the source code
3. Use the constructed DNS Payload on your target
4. Debug
5. Win

#BugBountyTips

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nagli

Nagli Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @naglinagli

Nagli Profile picture
May 31, 2021
In this thread i'll provide alternatives to overpaid BB stuff offered on twitter.

1. Sign up to digitalocean.com (not through my referral link - choose any you want just for 100$ budget)

2. Select the 48$/month box

3. Enjoy 2 month of strong VPS

1/n
 #bugbountytips
Should you buy a "Comprehensive Bug Bounty course"? There are definitely some good courses out there.
that said I wouldn't get any course from a personal without a clear proof on BB/PWN reputation.
and if you want to start and do it the right way, jump on this book as a start.
Think of buying a subscription to an online recon framework with a nice GUI? there are a few providers out there, It can be a good start for new comers, but in no means it should cost more than ~20$ a month.

(and there are free alternatives)

github.com/yogeshojha/ren…
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(