id: request-based-interaction

info:
  name: OOB Request Based Interaction
  author: pdteam
  severity: info
  description: The remote server fetched a spoofed DNS Name from the request.
  reference:
    - https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
  metadata:
    max-request: 5
  tags: oast,ssrf,generic

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{interactsh-url}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET / HTTP/1.1
        Host: @{{interactsh-url}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET http://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET @{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET {{interactsh-url}}:80/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

    unsafe: true # Use Unsafe HTTP library for malformed HTTP requests.

    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol
        name: http
        words:
          - "http"

      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"

# digest: 4a0a0047304502210096725136657e1731cba6a6fe3dbc2be6799a66384358dc5b7df06aedf48ba439022022cdb4f4ee3905a4bd7f7326b079f96f64501fafb16859d1def4410fc636a180:922c64590222798bb761d5b6d8e72950