Where can I learn about reverse proxy’s and path traversal SSRF?

I am tasked to record a lesson for my students about path traversal SSRF (Server-Side Request Forgery) my understanding is reverse proxy’s are heavily used on big websites which have a massive attack surface.

Some weird proxy’s process requests differently at times an attacker is able to traverse out of an API call and access internal apps routing through a reverse proxy.

I am wanting to learn the following things about the things above.

  1. How do I get access to private endpoints?
  2. What are some interesting payloads to try?
  3. How would I be able to achieve access to internal apps?

I hope anyone on here can help me 🙂

Cheers, Blake

Prevent directory traversal vulnerability in bash script

How can I prevent directory traversal attacks in a bash script, where arguments contain directory names?

Example:

$  STAGE=$  1 $  APP=$  2 deploy.sh dist/ /opt/apps/"$  STAGE"/"$  APP" 

The $ STAGE and $ APP variables are set from outside. An attacker could change this to an arbitrary path with "..".

I know the usual solution is to compare the directory string with the result of a function that returns the absolute path. But I couldn’t find a ready solution and don’t want to come up with my own.

How to Create file name with Slash in it for Path traversal attack?

Yes I’ve read forums that says Forward Slash (/) is invalid character in a file name since it being File Separator in Windows and *nix based machines. But Without creating such an exploit file, I think attacks like ZipSlip won’t be possible, Isn’t it?

Most Zip Slip attacks involve creating an File with a slash character and when languages like Java use File IO with ZipEntry name, writes to some directory other than intended. So how is this possible?

Ref : https://snyk.io/research/zip-slip-vulnerability

Is there an algorithm to minimize working set during a topological traversal?

I have a dependency graph of tasks, which forms a DAG. I’m looking for an algorithm to calculate the optimal topological traverse to minimize the “working set”. Specifically, I define the current working set as the set of nodes which have been visited, and which have at least one outgoing edge which is untraversed.

Even more useful would be an algorithm to calculate the optimal topological traversal which minimizes the number of cache evictions, given a fixed size cache for the working set.

Is there an algorithm to calculate this topological traversal? I can do it greedily from the topological ordering, but suspect that’s suboptimal.

Making graph acyclic by removing back edges in depth first and breadth traversal

I came across following points:

  1. Removing all back edges produced by DFS makes the graph acyclic.

  2. For a directed graph, the absence of back edges with respect to a BFS tree implies that the graph is acyclic.

There was no explanation given for first point. But explanation for second point was as follows:

It is true that the absence of back edges with respect to a DFS tree implies that the graph is acyclic. However, the same is not true for a BFS tree. There may be cross edges which go from one branch of the BFS tree to a lower level of another branch of the BFS tree. It is possible to construct a cycle using such cross edges (which decrease the level) and using forward edges (which increase the level).

However I am unable to get the explanation. I believe back edges are essential for forming cycles as can be seen in below image (black edges are breadth first tree edges, green is back edge, red is cross edge and dashed edges form cycle):

enter image description here

As we can see, removing back edge can lead to disconnecting cycle.

Q1. So how solution says we can form cycle only with the help of cross and tree edges?

Q2. If 2nd fact is indeed correct, then how the same does not apply to fact 1, that is why we cannot prepare cycle without back edges in depth first traversal.

Is there any intuitive way to see the validity of these statements and answer my questions?

Comparing shortest path distance and relation between two modes present in FIFO queue at the same time during breadth first traversal

I came across following problem:

Consider two vertices $ a$ and $ b$ that are simultaneously on the FIFO queue at same point during the execution of breadth first search from $ s$ in an undirected graph. Then which of the following is true:

  1. The number of edges on the shortest path between $ s$ and $ a$ is at most one more than the number of edges on the shortest path between $ s$ and $ b$ .
  2. The number of edges on the shortest path between $ s$ and $ a$ is at least one less than the number of edges on the shortest path between $ s$ and $ b$ .
  3. There is a path between $ a$ and $ b$ .
  4. $ a$ may lie on shortest path from $ s$ to $ b$ .

The solution just said first three may hold separately. But that really left me confused. Especially it did not say anything about point 4.

Here is what I guess is correct:

  1. The shortest path distance of two nodes simultaneously present in FIFO queue can differ at max by 1. That is one node may be closer to source by at max just 1 edge than the other or it may be present at the same distance from source as other node. So either point 1 is correct or point 2, but not both. Am I right with this?

  2. Also what is significance of “at most” and “at least” in point 1 and point 2? I feel the difference between shortest path distance if two nodes can be “at most” 1. I guess “at most one more” aligns with this, but “at least one less” does not. That is shortest path distance of node $ a$ cannot be lesser than that of node $ b$ by 2 or more.

  3. I feel point 3 will always be true as there will always be path from $ a$ to $ b$ going through $ s$

  4. I feel point 4 is always false, because we dequeue the node $ a$ and then enqueue all its neighbours, one of which is $ b$ . So such $ a$ and $ b$ cannot be in the queue at the same time.

Am I correct with these?

Constructing preorder traversal from postorder of a Binary Search Tree in O(n)

We are given postorder traversal of a Binary “SEARCH” Tree (in an array) and we want to find (print) its preorder traversal.

A very naive solution is to check from end until we find element less than root so we can find left and right subtree and call the function on them. This is $ O(n^2)$ . Another way is to generate the BST from its postorder and then generate the preorder from postorder. it is $ O$ $ ($ $ n log n$ $ )$ because for generating tree we need $ O(n log n)$ and for preorder traversal we need $ O(n)$ and $ O(n + n log n ) = O(n logn)$ .

I think we can do it better in $ O(n)$ because there is a lot known about the nature of the binary search tree and this extra information must help somehow. but I don’t know how to use information we know about BST and implement this problem in $ O(n)$ .

Breadth-first traversal: difference between generation and expansion

Romanian map

The question here is to find a path from A(rad) to B(ucharest). I’ll be using the initials of the cities in the picture instead of their full names.

Some ground-rules: we’re traversing in alphabetical order. And traversal must stop once the goal node has been generated, not expanded. This last part is where I feel like I’m not completely understanding what is being asked.

So the solution given is: Arad, Sibiu, Timisoara, Zerind, Fagaras, Bucharest.

What I think the solution is as follows: we’re at A so A has been “generated”. And then we expand A, giving us: A, S, T, Z. Since the goal node hasn’t been generated we start with S. Expanding S gives us F and R (no goal node yet) and then we expand T giving us L following which Z is expanded giving us O. So far we have A, S, T, Z, F, R, L, O. Now, going alphabetically, we go to F for expansion. This gives us B and this is where the traversal should stop.

So my solution is A, S, T, Z, F, R, L, O, B.

Can you tell me where I’m going wrong and why the given solution (as opposed to my solution) is correct?

Parallel deletion and traversal in a lock free linked list

I’m unsure about the safety of deletion in a linked list. I’ve seen the issue posed by a parallel insertion and deletion (resulting in the loss of the insertion) and proposed solutions to that problem. That makes perfect sense. However, nowhere have I seen it mentioned that an unlucky traversal in parallel with a deletion can cause problems. For example, if we have the linked list:

A -----> B -----> C* ------> D 

and one process (process 1) is traversing it, currently pointing at C (as indicated by the *), however before process 1 reads the next pointer of C, another process (process 2) deletes C and frees its memory. Then, when the process 1 attempts to read C’s next pointer, it will be reading uninitialized memory (which could be used to store an int for example), and thus could be pointed to an invalid location, and cause a segmentation fault by dereferencing that pointer.

How can this issue be avoided?