competition-ssrf-metadata-pivot


Competition SSRF Metadata Pivot

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive path runs through server-side request capability, internal service reachability, or metadata-derived credentials.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Separate the SSRF source, the forwarding layer, the reachable target, and the downstream edge where an extracted credential is actually accepted.
  2. Record request method, URL construction, header behavior, redirects, DNS or host overrides, and response shaping before mutating anything.
  3. Map internal host, metadata endpoint, token extraction, and accepting service as one chain.
  4. Distinguish read-only reachability from credential-bearing access.
  5. Reproduce the smallest SSRF-to-accepted-access path.

Workflow

1. Map SSRF Reachability

  • Record source primitive: URL parameter, webhook, image fetcher, importer, proxy endpoint, or backend callback.
  • Note normalization steps: scheme filtering, host allowlists, redirects, DNS resolution, path rewrite, and header injection.
  • Keep target host, protocol, and response behavior tied to the exact SSRF source.
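As an added example that is not part of this skill or its references, the following is a defensive outbound-URL check covering the normalization steps listed above (scheme filtering, host allowlist, userinfo confusion, DNS resolution); the allowlisted hosts and the injectable resolver are assumptions so it can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist: the only hosts this fetcher may contact.
ALLOWED_HOSTS = {"images.example.com", "hooks.example.com"}


def _is_blocked_ip(ip):
    """True for loopback, link-local (169.254.0.0/16, where cloud
    metadata endpoints live), private, multicast and other non-public space."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a URL the server is about to fetch.

    `resolver` is injectable (same call shape as socket.getaddrinfo)
    so the check can be run offline against constructed DNS answers.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:            # scheme filtering
        return False, "scheme not allowed"
    if parts.username or parts.password:               # user@host confusion
        return False, "userinfo in URL"
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:  # host allowlist
        return False, "host not in allowlist"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "bad port"
    # Resolve and check *every* returned address: a DNS answer for an
    # allowlisted name can still point at private or metadata space.
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "dns failure"
    ips = {info[4][0] for info in infos}
    if not ips:
        return False, "no addresses"
    for ip in sorted(ips):
        if _is_blocked_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

Run the same check on every Location header instead of letting the HTTP client follow redirects automatically, since a redirect re-issues the fetch to a host the allowlist never saw.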

2. Trace Metadata And Credential Pivot

  • Show whether metadata endpoints, internal control APIs, or workload identity services are reachable.
  • Record token fields, role scope, service account, expiration, and where the token is accepted.
  • Distinguish credential extraction success from accepted privilege at a downstream service.

3. Reduce To Decisive SSRF Chain

  • Compress to: SSRF source -> internal or metadata target -> credential or sensitive response -> accepted replay or API access.
  • State whether the decisive edge is parser bypass, allowlist bypass, redirect abuse, header confusion, or metadata trust.
  • If the task becomes mostly cloud identity policy analysis, hand off to the narrower cloud metadata skill.

Read This Reference

  • Load references/ssrf-metadata-pivot.md for SSRF checklists, metadata pivots, and evidence packaging.

What To Preserve

  • SSRF source point, URL construction rules, reachable hosts, and response deltas
  • Extracted token or credential fields, scope, and accepting service
  • One minimal SSRF-to-accepted-access replay path