PortSwigger / url-cheatsheet-data

This is the data that powers the PortSwigger URL validation bypass cheat sheet.
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

IPv4 formats #15

Open e1abrador opened 3 days ago

e1abrador commented 3 days ago

Hi,

In my Burp extension "Encode IP" I showed different IPv4 notations; here are some examples:

Class B Encoding: 127.0.1
Class A Encoding: 127.1
Hex Encoding: 0x7f.0x0.0x0.0x1
Hex w/o dots: 0x7f000001
Hex Encoding v1: 0x7f.0x000001
Hex Encoding v2: 0x7f.0x0.0x0001
Octal Encode: 0177.00.00.01
Octal Encode with 0s: 000000000177.000000000000.000000000000.000000000001
Mixed Encoding: 127.0x0.000000000000.0x1

Actually, it's possible to ping these different notations in the CMD and they are valid:

C:\>ping 127.0.1

Haciendo ping a 127.0.0.1 con 32 bytes de datos:
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128

Estadísticas de ping para 127.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms

But it is also possible to generate different combinations using a different encoding on each IPv4 octet, something like this:

C:\>ping 0x7f.0.000000000001

Haciendo ping a 127.0.0.1 con 32 bytes de datos:
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 127.0.0.1: bytes=32 tiempo<1m TTL=128

Estadísticas de ping para 127.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms

0x7f.0.000000000001 is a combination of the Class B Encoding, Hex Encoding v1 and Octal Encode with 0s. This opens up a big possibility of bypassing backend blacklists/regexes. My idea is not to show all these possibilities on the web page because there are a lot; the idea would be to implement an option to download the different combination possibilities as a raw text file or something similar, so the user can work with them.
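
The defensive counterpart of the notations listed above, as an added example that is not part of this issue or of the cheat-sheet repository: a normaliser that applies the inet_aton() parsing rules (1 to 4 dot-separated parts, each decimal, octal with a leading 0, or hex with 0x, the last part filling the remaining bytes) so that every spelling in the post resolves to 127.0.0.1 before any deny-list decision is made. Python's own socket.inet_aton() defers to the platform libc, so the rules are implemented directly here; the `NAIVE_DENY` regex is a constructed stand-in for the kind of literal-string blacklist the post says these encodings walk past.

```python
import ipaddress
import re

HEX = re.compile(r"0[xX][0-9a-fA-F]+")
OCT = re.compile(r"0[0-7]*")          # a lone "0" is octal zero
DEC = re.compile(r"[1-9][0-9]*")

def canonical_ipv4(literal: str):
    """inet_aton() rules: 1-4 dot-separated parts, each hex/octal/decimal,
    the last part fills every remaining byte. Dotted quad or None."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if HEX.fullmatch(part):
            values.append(int(part[2:], 16))
        elif OCT.fullmatch(part):
            values.append(int(part, 8))
        elif DEC.fullmatch(part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    tail_bytes = 4 - len(head)
    if any(v > 0xFF for v in head) or last >= 1 << (8 * tail_bytes):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(packed))

# Constructed "before": a deny list that matches the literal string only,
# so "127.0.1" or "0x7f.0.000000000001" are never recognised as loopback.
NAIVE_DENY = re.compile(r"^(127\.0\.0\.1|localhost)$")

def naive_is_blocked(host: str) -> bool:
    return NAIVE_DENY.match(host) is not None

def is_restricted(host: str) -> bool:
    """Canonicalise first, then decide on the address, not its spelling.
    Input that is not an IPv4 literal fails closed; resolve hostnames
    separately and pass the resolved address back through this check."""
    canon = canonical_ipv4(host)
    if canon is None:
        return True
    ip = ipaddress.IPv4Address(canon)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
```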

d0ge commented 19 hours ago

Hello @e1abrador, thank you very much for your contribution to the URL Validation Bypass Cheat Sheet. I'll think about your suggestion on how to improve the IPv4 notations. I'm not sure I can implement all possible combinations, because of the performance issue. However, some of them can be added, for example Class A Encoding.

e1abrador commented 19 hours ago

Hi,

I understand the performance issue. As an alternative, you could create something like a "calculator" where, each time the user clicks the regenerate button, the encoded IPv4 address changes to a random one, using a different encoding for each octet.