```
# hacker requests
http://website.thm/stock?server=api.website.thm/api/user&x=&id=123

# client requests the server
http://api.website.thm/api/user?x=.website.thm/api/stock/item?id=123

# server returns the user data instead of stock information
```
The server parameter lets us control which subdomain the internal request is made to (here api.website.thm/api/user instead of the stock endpoint).
Ending the payload with &x= stops the remaining path (.website.thm/api/stock/item?id=123) from being appended to the end of the URL; it becomes the value of a query parameter instead.
The attacker can force the webserver to request a server of the attacker's choice. By doing so, we can capture request headers that are sent to the attacker's specified domain. These headers could contain authentication credentials or API keys sent by website.thm (that would normally authenticate to api.website.thm).
A deny list accepts all requests apart from resources specified in a list or matching a particular pattern.
A web application may employ a deny list to protect sensitive endpoints, IP addresses or domains from being accessed by the public while still allowing access to other locations.
A common endpoint to restrict is localhost (127.0.0.1), which may expose server performance data or further sensitive information.
Attackers can bypass a deny list by using alternative localhost references such as 0, 0.0.0.0, 0000, 127.1, 127.*.*.*, 2130706433, 017700000001, or subdomains that have a DNS record resolving to 127.0.0.1, such as 127.0.0.1.nip.io.
Also, in a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which serves metadata for the deployed cloud instance, possibly including sensitive information. An attacker can bypass a string-based block by registering a subdomain on their own domain with a DNS record that points to 169.254.169.254.
An allow list is where all requests get denied unless they appear on a list or match a particular pattern, e.g. a rule that a URL used in a parameter must begin with https://website.thm.
An attacker could quickly circumvent this rule by creating a subdomain on the attacker's own domain, such as https://website.thm.attackers-domain.thm. The application logic would now allow this input and let the attacker control the internal HTTP request.
An open redirect is an endpoint on the server where the website visitor gets automatically redirected to another website address, e.g. https://website.thm/link?url=https://tryhackme.com. This endpoint was created for statistics purposes.
But imagine there was a potential SSRF vulnerability with stringent rules which only allowed URLs beginning with https://website.thm/. An attacker could utilise the above feature to redirect the internal HTTP request to a domain of the attacker's choice.
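The following is an added example, not code from the room or any project: a validator for the internal request target that enforces the deny list on the resolved address and the allow list on the exact host, so the localhost spellings, the nip.io-style name, the attacker subdomain pointing at 169.254.169.254 and the https://website.thm.attackers-domain.thm prefix trick are all rejected. The ALLOWED_HOSTS set and the FAKE_DNS mapping are constructed so the example runs offline; a real deployment would resolve with socket.getaddrinfo.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow list for the internal request target (constructed for this example).
ALLOWED_HOSTS = {"website.thm", "api.website.thm"}

# Constructed stand-in for DNS so the example runs offline. The last two entries
# mirror the bypasses described above: a public name resolving to loopback and an
# attacker-controlled subdomain resolving to the cloud metadata address.
FAKE_DNS = {
    "website.thm": "93.184.216.34",          # constructed public address
    "api.website.thm": "93.184.216.35",      # constructed public address
    "127.0.0.1.nip.io": "127.0.0.1",
    "meta.attacker-domain.thm": "169.254.169.254",
}

def fake_resolve(host: str) -> str:
    return FAKE_DNS[host]  # KeyError for unknown names, treated as a failed lookup

def is_internal(ip_str: str) -> bool:
    """Loopback, RFC 1918, link-local (covers 169.254.169.254), unspecified or reserved."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)

def naive_prefix_check(url: str) -> bool:
    """The string rule from the text; it accepts https://website.thm.attackers-domain.thm."""
    return url.startswith("https://website.thm")

def deny_list_check(url: str, resolve=fake_resolve) -> bool:
    """Deny list enforced on the resolved address, not on the hostname string, so
    any name that resolves to loopback or the metadata range is rejected."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return not is_internal(resolve(host))
    except (KeyError, ValueError):
        return False  # unresolvable or unparsable target is rejected, not fetched

def allow_list_check(url: str, resolve=fake_resolve) -> bool:
    """Exact host match plus the resolved-address check. IP-literal spellings such as
    127.1 or 2130706433 never equal an allowed name, so none need enumerating.
    Fetch with redirects disabled and re-validate every Location header, otherwise
    the open redirect described above would still steer the request elsewhere."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False
    return deny_list_check(url, resolve)
```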