id: oob-header-based-interaction info: name: Header Based Generic OOB Interaction author: pdteam severity: info description: The remote server fetched a spoofed URL from the request headers. reference: - https://github.com/PortSwigger/collaborator-everywhere tags: oast,ssrf,generic http: - method: GET path: - "{{BaseURL}}" headers: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@{{interactsh-url}} Referer: http://{{interactsh-url}}/ref Cf-Connecting_ip: spoofed.{{interactsh-url}} X-Real-Ip: spoofed.{{interactsh-url}} From: root@{{interactsh-url}} True-Client-Ip: spoofed.{{interactsh-url}} Client-Ip: spoofed.{{interactsh-url}} Forwarded: for=spoofed.{{interactsh-url}};by=spoofed.{{interactsh-url}};host=spoofed.{{interactsh-url}} X-Client-Ip: spoofed.{{interactsh-url}} X-Originating-Ip: spoofed.{{interactsh-url}} X-Wap-Profile: http://{{interactsh-url}}/wap.xml X-Forwarded-For: spoofed.{{interactsh-url}} Contact: root@{{interactsh-url}} X-Forwarded-Host: spoofed.{{interactsh-url}} X-Host: spoofed.{{interactsh-url}} X-Forwarded-Server: spoofed.{{interactsh-url}} X-HTTP-Host-Override: spoofed.{{interactsh-url}} Profile: http://{{interactsh-url}}/profile.xml Cache-Control: no-transform matchers-condition: or matchers: - type: word part: interactsh_protocol name: http words: - "http" - type: word part: interactsh_protocol name: dns words: - "dns"