2024-03-16 18:44:49 +00:00
|
|
|
id: blind-ssrf
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Blind SSRF OAST Detection
|
|
|
|
author: pdteam
|
|
|
|
severity: medium
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: ssrf,dast,oast
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
http:
|
2024-03-31 19:55:42 +00:00
|
|
|
- pre-condition:
|
2024-03-26 07:21:56 +00:00
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- 'method == "GET"'
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
payloads:
|
|
|
|
ssrf:
|
|
|
|
- "{{interactsh-url}}"
|
|
|
|
- "{{FQDN}}.{{interactsh-url}}"
|
|
|
|
- "{{RDN}}.{{interactsh-url}}"
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
- part: query
|
|
|
|
mode: single
|
|
|
|
values:
|
|
|
|
- "https?://" # Replace HTTP URLs with alternatives
|
|
|
|
fuzz:
|
|
|
|
- "https://{{ssrf}}"
|
|
|
|
|
|
|
|
- part: query
|
|
|
|
mode: single
|
|
|
|
values:
|
|
|
|
- "^[A-Za-z0-9-._]+:[0-9]+$" # Replace <host>:<port> with alternative
|
|
|
|
fuzz:
|
|
|
|
- "{{ssrf}}:80"
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
|
|
words:
|
|
|
|
- "http"
|
2024-04-08 07:07:11 +00:00
|
|
|
# digest: 4a0a004730450221008e67c53d4368607db787a520c50ce1ae8c742483ea80c0e7d34ab8ef529d2c9902205c049079f166eae9a8e5c5c99b72a048bebaa05de3eb3828adb9d81fab3543aa:922c64590222798bb761d5b6d8e72950
|