A new era of SSRF - Exploiting URL Parser in Trending Programming Languages

by Orange Tsai
Sept. 12, 2017 2 comments www.blackhat.com Pen Testing & Audits auditing & assessment

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

https://www.blackhat.com/us-17/briefings.html#a-new-era-of-ssrf-exploiting-url-parser-in-trending...

Avatar
mrowton moderator 2 months ago

I think all blackhat breifings should include this many cats

Reply
Avatar
Steven Ulm 2 months ago

Good article. Very useful for people studying or working with SSRF!Still can't find those cats mrowton talks about though... :))

Reply