Generic SSRF Slack Notification Missing Important Information #2119

Open
random-robbie opened this issue Dec 29, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@random-robbie

Describe the bug

The Slack notifications for the generic SSRF never tell you the parameter that triggered the hit.

description: 'Out-of-band interaction: [Generic SSRF (GET)] [HTTP] Read Response:
  False'
host: [dev-api.chargeforward.bmwusa.com](http://dev-api.xxxx.com/)
severity: HIGH
url: https://dev-api.xxxx.com/

Expected behavior

description: 'Out-of-band interaction: [Generic SSRF (GET)] [HTTP] Read Response:
  False'
host: [dev-api.chargeforward.bmwusa.com](http://dev-api.xxxx.com/)
severity: HIGH
Parameter: url
url: https://dev-api.xxxx.com/

BBOT Command
Example: bbot -m httpx,generic_ssrf -t evilcorp.com

OS, BBOT Installation Method + Version

 ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.2.0

www.blacklanternsecurity.com/bbot

v2.2.0

pipx

@random-robbie random-robbie added the bug Something isn't working label Dec 29, 2024
@random-robbie
Author

random-robbie commented Dec 29, 2024

I made the following change to my generic_ssrf and was able to determine, in the end, the parameter that triggered it.

    async def interactsh_callback(self, r):
        full_id = r.get("full-id", None)
        dns_request = r.get("dns-request", "")
        
        # Debug logging to see what we're receiving
        self.debug(f"Interactsh callback received: {r}")
        self.debug(f"Full DNS request: {dns_request}")
        
        if full_id:
            if "." in full_id:
                match = self.interactsh_subdomain_tags.get(full_id.split(".")[0])
                if not match:
                    return
                matched_event = match[0]
                matched_technique = match[1]
                matched_severity = match[2]
                matched_read_response = str(match[3])

                # Check if any SSRF parameter is in the DNS request.
                # ssrf_params refers to the parameter-name list in the generic_ssrf
                # module; it is not defined in this snippet.
                triggered_param = None
                for param in ssrf_params:
                    # Substring match over the whole serialized interaction, so a
                    # short name can also match unrelated text in the record
                    # (e.g. "to" inside the "protocol" key).
                    if param.lower() in str(r).lower():
                        triggered_param = param
                        self.debug(f"Found triggering parameter: {param}")
                        break

                description = f"Out-of-band interaction: [{matched_technique}]"
                if triggered_param:
                    description += f" [Parameter: {triggered_param}]"
                description += f" [{r.get('protocol').upper()}] Read Response: {matched_read_response}"

                self.debug(f"Emitting event with description: {description}")  # Debug the final description

                await self.emit_event(
                    {
                        "severity": matched_severity,
                        "host": str(matched_event.host),
                        "url": matched_event.data,
                        "description": description,
                    },
                    "VULNERABILITY",
                    matched_event,
                    context=f"{{module}} scanned {matched_event.data} and detected {{event.type}}: {matched_technique}",
                )
            else:
                # this is likely caused by something trying to resolve the base domain first and can be ignored
                self.debug("skipping result because subdomain tag was missing")

Output

[VULNERABILITY]     	{"description": "Out-of-band interaction: [Generic SSRF (GET)] [Parameter: To] [DNS] Read Response: False", "host": "dev-api.xxxx.com", "severity": "HIGH", "url": "https://dev-api.xxxx.com/"}	generic_ssrf	(cloud-amazon, high, in-scope)
[VULNERABILITY]     	{"description": "Out-of-band interaction: [Generic SSRF (GET)] [Parameter: To] [DNS] Read Response: False", "host": "dev-api.xxxx.com", "severity": "HIGH", "url": "https://dev-api.xxxx.com/"}	generic_ssrf	(cloud-amazon, high, in-scope)
[VULNERABILITY]     	{"description": "Out-of-band interaction: [Generic SSRF (GET)] [Parameter: HTML] [HTTP] Read Response: False", "host": "dev-api.xxxx.com", "severity": "HIGH", "url": "https://dev-api.xxxx.com/"}	generic_ssrf	(cloud-amazon, high, in-scope)
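As an added example (not the issue author's patch and not BBOT's own code), here is a small standalone sketch of a more robust way to attribute a hit: record the parameter name alongside the interactsh subdomain tag when the probe is registered, then look it up from `full-id` in the callback. Every name here (`ProbeRegistry`, `attribute_by_tag`, `attribute_by_substring`, the `SSRF_PARAMS` list, the sample callback record) is constructed for this example. It also shows why a substring search over the serialized record can mislabel a hit: the string `to` occurs inside the `protocol` key of every record, so a short parameter name like `To` matches regardless of which parameter actually fired.

```python
"""Added example, not BBOT's or the issue author's code: attribute an
out-of-band (interactsh) hit to the parameter that triggered it."""
import secrets

# Constructed subset of parameter names of the kind a generic SSRF probe sets.
SSRF_PARAMS = ["url", "redirect", "html", "to"]


class ProbeRegistry:
    """Maps a unique interactsh subdomain tag to the probe that used it."""

    def __init__(self):
        self.tags = {}

    def register(self, url, technique, severity, read_response, param):
        # One unique tag per (url, parameter) probe, so a callback identifies
        # both the target and the parameter without inspecting the payload.
        tag = secrets.token_hex(6)
        self.tags[tag] = {
            "url": url,
            "technique": technique,
            "severity": severity,
            "read_response": read_response,
            "param": param,
        }
        return tag


def attribute_by_tag(registry, interaction):
    """Resolve an interactsh record to the probe (and parameter) it belongs to."""
    full_id = interaction.get("full-id", "")
    if "." not in full_id:
        return None  # base-domain resolution, not a probe hit
    probe = registry.tags.get(full_id.split(".")[0])
    if probe is None:
        return None  # unknown tag; nothing we registered
    protocol = str(interaction.get("protocol", "")).upper()
    description = (
        f"Out-of-band interaction: [{probe['technique']}] "
        f"[Parameter: {probe['param']}] [{protocol}] "
        f"Read Response: {probe['read_response']}"
    )
    return {
        "severity": probe["severity"],
        "url": probe["url"],
        "parameter": probe["param"],
        "description": description,
    }


def attribute_by_substring(interaction, params=SSRF_PARAMS):
    """The loose approach: first parameter name found anywhere in str(record)."""
    blob = str(interaction).lower()
    for param in params:
        if param.lower() in blob:
            return param
    return None


if __name__ == "__main__":
    registry = ProbeRegistry()
    tag = registry.register(
        "https://dev-api.example/", "Generic SSRF (GET)", "HIGH", False, "redirect"
    )
    # Constructed callback record of the shape interactsh delivers.
    hit = {"full-id": f"{tag}.oast.example", "protocol": "dns", "remote-address": "203.0.113.7"}
    print(attribute_by_tag(registry, hit)["description"])
    print("substring guess:", attribute_by_substring(hit))
```

The tag lookup costs one extra field in the dictionary the module already keeps (`interactsh_subdomain_tags` in the snippet above), and the callback then needs no guessing at all; the substring version is kept only to show the mismatch on the same record.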

@TheTechromancer
Collaborator

@random-robbie thanks for reporting. The param name should definitely be in the description. Can you submit that change as a PR?
