f

Author: carlospolop

src/pentesting-web/ssrf-server-side-request-forgery/README.md

@@ -159,6 +159,17 @@ Some TLS stacks will auto-download missing intermediate CAs using the **Authorit
   The Java certpath debug output shows `CertStore URI:http://localhost:8080`, and `nc` captures the HTTP request with the controllable `User-Agent` from `-Dhttp.agent`, proving SSRF during certificate validation.
 - **DoS via file://**: setting AIA CA Issuers to `file:///dev/urandom` on Unix-like hosts makes Java treat it as a CertStore and read unbounded random bytes, keeping a CPU core busy and blocking subsequent connections even after the client disconnects.
 
+## SSRF via CSS Pre-Processors
+
+LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
+
+Check how to exploit it in:
+
+{{#ref}}
+../xs-search/css-injection/less-code-injection.md
+{{#endref}}
+
+
 ## [Wget file upload](../file-upload/index.html#wget-file-upload-ssrf-trick)
 
 ## SSRF with Command Injection