2024-03-16 18:44:49 +00:00
|
|
|
id: blind-ssrf
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: Blind SSRF OAST Detection
|
2024-07-17 20:34:41 +00:00
|
|
|
author: pdteam,AmirHossein Raeisi
|
2024-03-16 18:44:49 +00:00
|
|
|
severity: medium
|
2024-06-07 10:04:29 +00:00
|
|
|
metadata:
|
|
|
|
|
max-request: 3
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: ssrf,dast,oast
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
http:
|
2024-03-31 19:55:42 +00:00
|
|
|
- pre-condition:
|
2024-03-26 07:21:56 +00:00
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
|
|
|
|
- 'method == "GET"'
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
|
ssrf:
|
|
|
|
|
- "{{interactsh-url}}"
|
|
|
|
|
- "{{FQDN}}.{{interactsh-url}}"
|
|
|
|
|
- "{{RDN}}.{{interactsh-url}}"
|
2024-07-17 20:34:41 +00:00
|
|
|
- "{{FQDN}}@{{interactsh-url}}"
|
2024-07-17 21:00:07 +00:00
|
|
|
- "{{RDN}}@{{interactsh-url}}"
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
|
- part: query
|
|
|
|
|
mode: single
|
|
|
|
|
values:
|
|
|
|
|
- "https?://" # Replace HTTP URLs with alternatives
|
|
|
|
|
fuzz:
|
|
|
|
|
- "https://{{ssrf}}"
|
|
|
|
|
|
|
|
|
|
- part: query
|
|
|
|
|
mode: single
|
|
|
|
|
values:
|
|
|
|
|
- "^[A-Za-z0-9-._]+:[0-9]+$" # Replace <host>:<port> with alternative
|
|
|
|
|
fuzz:
|
|
|
|
|
- "{{ssrf}}:80"
|
|
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
|
|
|
words:
|
|
|
|
|
- "http"
|
2024-07-22 07:47:49 +00:00
|
|
|
# digest: 4a0a0047304502207dd98fdf4b66bd8e09960f133e03a0e539cbd3a4749f1de33bc45ca104a07d90022100e35cf6744d140265a35163217357e7983b162f6cbbe6f96ffb73df5eb24bc570:922c64590222798bb761d5b6d8e72950
|
