A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages

Explore a groundbreaking exploit technique that unveils a new attack surface for bypassing SSRF (Server Side Request Forgery) protections in this 47-minute Black Hat conference talk. Delve into the speaker's general attack approach, combined with a custom fuzzing tool, which led to the discovery of multiple 0-day vulnerabilities in built-in libraries of widely-used programming languages such as Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL. Learn about protocol smuggling in SSRF, URL parsing issues, and abusing URL parsers through detailed case studies. Gain insights into the fuzzer architecture, URL components according to RFC 3986, and specific vulnerabilities like NodeJS Unicode failure and GLibc NSS features. Understand how the IDNA standard can be exploited and discover potential mitigations for these attacks. Conclude with a summary of findings and explore further avenues for research in this cutting-edge area of cybersecurity.