nuclei-templates/dast/vulnerabilities/ssrf/blind-ssrf.yaml

id: blind-ssrf

info:
  name: Blind SSRF OAST Detection
  author: pdteam
  severity: medium
  tags: ssrf,dast,oast,fuzz

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    payloads:
      ssrf:
        - "{{interactsh-url}}"
        - "{{FQDN}}.{{interactsh-url}}"
        - "{{RDN}}.{{interactsh-url}}"

    fuzzing:
      - part: query
        mode: single
        values:
          - "https?://" # Replace HTTP URLs with alternatives
        fuzz:
          - "https://{{ssrf}}"

      - part: query
        mode: single
        values:
          - "^[A-Za-z0-9-._]+:[0-9]+$" # Replace <host>:<port> with alternative
        fuzz:
          - "{{ssrf}}:80"

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`id: blind-ssrf`

			`info:`
			`name: Blind SSRF OAST Detection`
			`author: pdteam`
			`severity: medium`
			`tags: ssrf,dast,oast,fuzz`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`

			`payloads:`
			`ssrf:`
			`- "{{interactsh-url}}"`
			`- "{{FQDN}}.{{interactsh-url}}"`
			`- "{{RDN}}.{{interactsh-url}}"`

			`fuzzing:`
			`- part: query`
			`mode: single`
			`values:`
			`- "https?://" # Replace HTTP URLs with alternatives`
			`fuzz:`
			`- "https://{{ssrf}}"`

			`- part: query`
			`mode: single`
			`values:`
			`- "^[A-Za-z0-9-._]+:[0-9]+$" # Replace <host>:<port> with alternative`
			`fuzz:`
			`- "{{ssrf}}:80"`

			`stop-at-first-match: true`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`