Private IP protection Bypass in private-ip package #14
Comments
I have added one more case in the RunKit cases for the hex-encoded payload so that it can be easily identified, which implies that 127.0.0.1 = Dec(2130706433) = Hex(0x7f000001).
Hi, @x3rz. Thanks for opening an issue here.
Hey, @x3rz, I've created a PR that handles the payload patterns you've provided. Would you be able to test it and confirm, or suggest further improvements needed? Thanks!
Hey, @frenchbread, sorry for the late response,
Hi @x3rz, what are the exact issues you are facing? Maybe I could help. Steps to test PR #15:
```js
// _test.js
const is_ip_private = require('./')
const payloads = [
  'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',
  '2130706433',
  '0x7f000001',
  '100::ffff::',
  '::ffff:0.0.255.255.255',
  '::ffff:0.255.255.255.255',
]
payloads.forEach(payload => {
  console.log(payload, is_ip_private(payload))
})
// output should look like this:
// ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff true
// 2130706433 true
// 0x7f000001 true
// 100::ffff:: undefined
// ::ffff:0.0.255.255.255 undefined
// ::ffff:0.255.255.255.255 undefined
```
Sorry for the late reply. I have tested all the issues and all tests have passed, as this only tells whether an IP is private or not.
@x3rz thanks for the reply. In addition, I've checked out the link and I assume this is not really in scope of this module (at least for now). This PR already adds support for handling I'll leave this PR open.
Yes, exactly what I said, and the issue I reported should get patched as per my POV, and you can keep this opened. Regards, x3rz
Hello @frenchbread Regards,
Hi @x3rz, thanks for letting me know!
Hello @frenchbread, I am x3rz, a researcher on huntr.dev, as you wanted to discuss this issue here.
Yes, it gives 'false' because they are resolved to a private IP, as the main objective of the package is telling whether the IP is private or not. As you said about 127.000.000.1, basically this resolves to localhost, which is a private IP. Also for the other payloads, especially the decimal-encoded localhost value, i.e. 2130706433, it gives false, but if you visit this from your browser you will see that this also resolves to localhost. For the hex-encoded payload for localhost the package works just fine: 0x7f000001 gives "true" for this one. And yes, you can resolve it to undefined and stop further execution, similar to 'false', but all these payloads resolve to localhost, which could cause SSRF. For more references you can check:
This one, which contains all the payloads that resolve to private IP addresses:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file
This one is just for reference that a blocklist could be implemented which could handle this issue pretty easily: https://github.com/y-mehta/ssrf-req-filter/blob/master/test/blockUrls.txt
This one shows the possible bypasses and the logic behind them:
https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b