Bug Testing Methodology Series:
๐๐๐๐ (๐๐๐ซ๐ฏ๐๐ซ ๐๐ข๐๐ ๐๐๐ช๐ฎ๐๐ฌ๐ญ ๐ ๐จ๐ซ๐ ๐๐ซ๐ฒ)
Learn how to test for #SSRF step by step on real #bugbounty programs
Thread๐งต๐
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
๐๐๐๐ (๐๐๐ซ๐ฏ๐๐ซ ๐๐ข๐๐ ๐๐๐ช๐ฎ๐๐ฌ๐ญ ๐ ๐จ๐ซ๐ ๐๐ซ๐ฒ)
Learn how to test for #SSRF step by step on real #bugbounty programs
Thread๐งต๐
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread won't teach how SSRF works, but rather a methodology to follow while actively testing for it.
To learn about how SSRF attacks work, have a read here โก๏ธ portswigger.net/web-security/sโฆ
To learn about how SSRF attacks work, have a read here โก๏ธ portswigger.net/web-security/sโฆ
1๏ธโฃ Finding an attack vector
This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.
Ex: profile pic from URL, URL Redirects, etc.
The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
This step simply implies using the web app THOROUGHLY and finding a place where you input a URL and the server fetches it.
Ex: profile pic from URL, URL Redirects, etc.
The best tip I can give you for this step is: CLICK EVERY SINGLE BUTTON YOU SEE
If your target has Documentations, such as API Docs, make sure you go through them.
Not only for SSRF, but for other bugs such as IDORs, BAC, XSS, etc.
If you can't find any URL redirects/inputs, you can always FUZZ for parameters (use ffuf โก๏ธ github.com/ffuf/ffuf)
Not only for SSRF, but for other bugs such as IDORs, BAC, XSS, etc.
If you can't find any URL redirects/inputs, you can always FUZZ for parameters (use ffuf โก๏ธ github.com/ffuf/ffuf)
2๏ธโฃ Testing
Before trying to exploit SSRF, you might want to get a feel of how the target handles redirects and URL fetches.
Try to ping your Burp collaborator (if you're using Pro) or webhook.site
The point is to see how/if the server actually accesses the URL.
Before trying to exploit SSRF, you might want to get a feel of how the target handles redirects and URL fetches.
Try to ping your Burp collaborator (if you're using Pro) or webhook.site
The point is to see how/if the server actually accesses the URL.
Another alternative to Burp Collab is hosting your own redirect locally using XAMPP (apachefriends.org) & NGrok (ngrok.com) to help with understanding how they handle redirects.
XAMPP lets you run PHP code and NGrok provides you with a public IP address.
XAMPP lets you run PHP code and NGrok provides you with a public IP address.
Don't spend too much time on what I said above.
Pull up the below list and throw some SSRF payloads, however, don't just spray and pray without knowing what you're doing.
You may encounter a custom WAF/Filter , and you'll need to get creative.
TIP: try localtest.me
Pull up the below list and throw some SSRF payloads, however, don't just spray and pray without knowing what you're doing.
You may encounter a custom WAF/Filter , and you'll need to get creative.
TIP: try localtest.me
https://twitter.com/shrekysec/status/1575455478674595841
Try different encodings for / : localhost .com ,etc.
Use this tool โก๏ธ h.43z.one/ipconverter
If every SSRF payload fails, your last resort could be going for Open Redirects, although beware most programs have it set as Out Of Scope, so check out your target's policy first.
Use this tool โก๏ธ h.43z.one/ipconverter
If every SSRF payload fails, your last resort could be going for Open Redirects, although beware most programs have it set as Out Of Scope, so check out your target's policy first.
That's a wrap!
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
https://twitter.com/shrekysec/status/1585510022632587264
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
