Lab 5: Advanced Protocol Bypass

Difficulty: High

Lab Overview

This lab demonstrates advanced SSRF vulnerabilities with multiple protocol support and bypass techniques. The application supports various protocols and encoding methods that can be exploited to bypass security controls.

Objective: Use advanced SSRF techniques to bypass filters and access internal services through various protocols and encoding methods.

Vulnerable PHP Code

// Handle advanced SSRF request
if (isset($_GET['url']) && !empty($_GET['url'])) {
    $url = $_GET['url'];
    
    // Apply bypass technique
    $url = applyBypass($url, $bypass_technique);
    
    // Vulnerable: No validation of URL or protocol
    try {
        $context_options = [
            'http' => [
                'timeout' => 10,
                'user_agent' => 'AdvancedSSRF/1.0',
                'follow_location' => true,
                'max_redirects' => 10
            ]
        ];
        
        // Support different protocols
        if ($protocol === 'gopher') {
            $context_options['http']['method'] = 'GET';
            $context_options['http']['header'] = "Content-Type: application/x-www-form-urlencoded\r\n";
        }
        
        $context = stream_context_create($context_options);
        $response = file_get_contents($url, false, $context);
        
        if ($response !== false) {
            // Display response content
        }
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?url=http://localhost:8080&protocol=http&bypass=none
// ?url=file:///etc/passwd&protocol=file&bypass=null_byte
// ?url=gopher://localhost:3306&protocol=gopher&bypass=double_encoding

Advanced SSRF Demo

Failed to make request: dict%c0%ae%c0%af%c0%aflocalhost%c0%ae11211

Target URL

Protocol

Bypass Technique

Quick Test URLs:

Vulnerability Details

Type: Advanced Server-Side Request Forgery (SSRF)
Severity: Critical
Parameter: url
Method: GET
Issue: Multiple protocol support with bypass techniques

Advanced Payloads

Try these advanced payloads:

http://localhost:8080 - Basic local service
file:///etc/passwd - Local file access
gopher://localhost:3306 - Database via Gopher
dict://localhost:11211 - Memcached via Dict
http://169.254.169.254/ - Cloud metadata

Bypass Techniques:

double_encoding - Double URL encoding
unicode_encoding - Unicode encoding
null_byte - Null byte injection
redirect - HTTP redirect bypass

Bypass Techniques

This lab supports various bypass techniques:

Double Encoding: %252f instead of %2f
Unicode Encoding: %c0%af instead of /
Null Byte: %00 to terminate strings
Redirect: Use HTTP redirects to bypass filters
DNS Rebind: Use DNS rebinding services
IP Encoding: Use decimal/hex IP representations
Port Scan: Scan internal ports

Supported Protocols

This lab supports various protocols:

HTTP/HTTPS: Standard web protocols
File: Local file system access
Gopher: Protocol for data retrieval
Dict: Dictionary protocol for databases
LDAP: Lightweight Directory Access Protocol

Quick Test URLs

Click these links to test advanced techniques:

Advanced Attack Scenarios

Protocol confusion and bypass attacks
Advanced encoding and obfuscation techniques
DNS rebinding and subdomain takeover
Port scanning and service enumeration
Cloud metadata and credentials exposure
Database access through alternative protocols
Local file system access
Bypassing WAF and security controls

Advanced Mitigation Strategies

Implement comprehensive URL validation and sanitization
Block all dangerous protocols (file://, gopher://, dict://)
Use whitelist-based URL validation
Implement proper error handling and logging
Use outbound proxies with strict restrictions
Implement request timeouts and size limits
Regular security testing and updates
Consider using a WAF (Web Application Firewall)
Implement network segmentation and access controls