I found this interesting SSRF trick in a tweet.
This is a challenge for SSRF and the PHP code like this.
The code checks
url parameter whether scheme and host& path are correct or not, through
As shown in below, we can not change red parts of url.
We need to trigger SSRF by changing only 3 characters. So… How??
As far as I know, some letters after the
@ character is treated as a hostname. And
But I didn’t expected like that.
So I want to check out in my local.
I just opened http server port 80 and made a request with weird payload.
Comments powered by Disqus.