Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages

Black Hat via YouTube

Overview

Explore a groundbreaking exploit technique that unveils a new attack surface for bypassing SSRF (Server Side Request Forgery) protections in this 47-minute Black Hat conference talk. Delve into the speaker's general attack approach, combined with a custom fuzzing tool, which led to the discovery of multiple 0-day vulnerabilities in built-in libraries of widely-used programming languages such as Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL. Learn about protocol smuggling in SSRF, URL parsing issues, and abusing URL parsers through detailed case studies. Gain insights into the fuzzer architecture, URL components according to RFC 3986, and specific vulnerabilities like NodeJS Unicode failure and GLibc NSS features. Understand how the IDNA standard can be exploited and discover potential mitigations for these attacks. Conclude with a summary of findings and explore further avenues for research in this cutting-edge area of cybersecurity.

Syllabus

Intro
Agenda
What is SSRF?
Protocol Smuggling in SSRF
Quick Fun Example
Fuzzer Architecture
URL Parsing issues
URL Components(RFC 3986)
Big Picture
NodeJS Unicode Failure
GLibc NSS Features
Abusing IDNA Standard
Abusing URL Parsers - Case Study
Protocol Smuggling - Case Study
Mitigations
Summary
Further works

Taught by

Black Hat

Reviews

Start your review of A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.