
I am pentesting an API which makes a backend call to https://example.org/ and appends any input you provide it (for example, if you provide test it will call https://example.org/test). I am trying to achieve SSRF in this scenario, so my goal is to change the domain. I know if it had been https://example.org without the trailing slash, I could have done @anothersite.com (https://example.org@anothersite.com) or just .anothersite.com (https://example.org.anothersite.com).

However, the trailing slash prevents this.

Are there any other special URL characters or techniques that can be used in this scenario to either change the domain to another site or get rid of the trailing slash?

UPDATE: The API itself is OData and internally it uses C#.

Bob

1 Answer


Not possible. If there's a slash after the host, the host is set.

More precisely, no reasonable URL parser will let parts after a slash-terminated authority component (i.e. the host) of an absolute URL alter the effective host.


Although URL parser/validator implementations vary, and there are ambiguous cases where two parsers may determine different hosts for the same URL, yours is a clear enough case. E.g., if you go by the WHATWG URL Standard's URL parser spec, the trailing slash causes a state transition from the hostname state to the path start state with no way back.

Instead, you'd usually be looking for an open redirect on a whitelisted host in order to redirect to the SSRF target, e.g.: https://example.org/redirect?url=https://somehost.internal/. This can work if the application follows redirects without rechecking the destination.

Also, as always, you can try out generic tricks that don't target the URL parsing algorithm but other components/layers. E.g.: Does a carriage return (U+000D) cause re-parsing of the string, or does a backspace (U+0008) erase the last char? Does the server resolve a path segment starting with // as an absolute URL (e.g. https://example.org///somehost.internal/)? Can other special sequences force the string into a different charset (viz. UTF-16LE)? However, there is no reason to assume any of these ideas would be likely to work in your case. Without details about the environment, they are random guesses.

Arminius
  • What advantage does UTF-16LE have? (Sorry if that's a silly question.) – Bob Aug 03 '21 at 13:24
  • @Bob My bad, it was a quick thought I should have elaborated on or left out. The significance of UTF-16 is that the endianness can be indicated with a leading BOM (byte order mark) and is sometimes sniffed by detecting whether lots of even or odd bytes are `0x00`. E.g., the sequence `0x61 0x00 0x61 0x00 0x61 0x00` may convince some encoding detector that it's dealing with UTF-16LE. – Arminius Aug 03 '21 at 15:27
  • Unfortunately the API rejects the null byte for other reasons, but if I had been able to make it UTF-16LE, what could I use that for? – Bob Aug 04 '21 at 13:55
  • @Bob : E.g., `printf 'http://example.org/x@\x00a\x00.\x00o\x00r\x00g\x00/\x00b\x00' | iconv -f utf16` is `瑨灴⼺支慸灭敬漮杲砯@a.org/b`. This gets rid of the slashes and colon as UTF16 uses 16-bit code units. Some applications may now parse this as a URL with host `a.org` and path `/b`. – Arminius Aug 05 '21 at 23:23
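Added example, not code from the question or from the answer above: it uses Python's standard urllib.parse to check the answer's claim that once an absolute URL has a slash after the host, appended input can only end up in the path, query or fragment, and it implements the per-hop re-validation the answer recommends against the open-redirect route. Host names are the ones used on the page; the redirect table is a constructed stand-in for a network, and is_allowed / follow_redirects are hypothetical helper names, not anything from the OData API being tested.

```python
"""Added example (not code from the question or the answer): checks with
urllib.parse that a slash after the host fixes the host no matter what is
appended, and shows a client that re-validates every redirect hop.
Host names are those used on the page; the redirect table is a constructed
stand-in for a network."""
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"example.org"}   # the only host the backend is meant to call

# Input a tester might append.  The first two are the tricks the question
# names; the rest are the other characters the answer mentions.
TRICKY_SUFFIXES = [
    "@anothersite.com",
    ".anothersite.com",
    "//somehost.internal/",
    "\r@anothersite.com",     # carriage return (U+000D)
    "\x08@anothersite.com",   # backspace (U+0008)
    "\\@anothersite.com",
    "?@anothersite.com",
    "#@anothersite.com",
]


def effective_host(url: str) -> Optional[str]:
    """Lower-cased host the standard-library parser would connect to."""
    return urlsplit(url).hostname


def hosts_reachable(base: str, suffixes=TRICKY_SUFFIXES) -> Set[Optional[str]]:
    """Distinct hosts obtained by appending each suffix to `base`."""
    return {effective_host(base + s) for s in suffixes}


def is_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Policy a client applies to every URL it is about to fetch, including
    every Location it is about to follow: https only, host on the allow list."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed


def follow_redirects(start: str, responses: Dict[str, str], allowed=ALLOWED_HOSTS,
                     max_hops: int = 5) -> Tuple[Optional[str], str]:
    """Simulated redirect-following client.  `responses` maps a URL to the
    Location header it answers with; a URL absent from it returns a body.
    Returns (final_url, outcome); final_url is None if a hop was refused."""
    url = start
    for _ in range(max_hops):
        if not is_allowed(url, allowed):          # re-check on EVERY hop
            return None, "refused " + url
        location = responses.get(url)
        if location is None:
            return url, "fetched"
        url = urljoin(url, location)              # Location may be relative
    return None, "too many redirects"


if __name__ == "__main__":
    print("trailing slash:", hosts_reachable("https://example.org/"))
    print("no slash:      ", hosts_reachable("https://example.org"))
    table = {"https://example.org/redirect?url=https://somehost.internal/":
             "https://somehost.internal/"}
    print(follow_redirects(
        "https://example.org/redirect?url=https://somehost.internal/", table))
```

With the trailing slash every suffix yields the single host example.org; drop the slash and the `@` and `.` forms from the question move the host to anothersite.com. The redirect client refuses the hop to somehost.internal because the allow-list check runs on the resolved Location, not only on the URL the application built itself; a client that only checks the first URL is the "follows redirects without rechecking the destination" case the answer describes.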