Bug Bounty Tip: Automating SSRF

First of all, I want to clarify that I am not fluent in English, so mistakes will happen during the reading :) If you have any questions, contact me on Instagram.

Hey, what’s up?
In this article I will share a little tip about how we can automate SSRF scanning for bounties.
OK, let’s go.

In Burp Suite we have a great extension called “Auto-Repeater”. How does it work?
Basically, you define some patterns (regex), and whenever one of them is found in a request, Auto-Repeater creates a new request with the match replaced by whatever you want.

I don’t know if it’s clear, let’s explain with images.

In this Auto-Repeater window we can set a regex to find URLs. In this case I will use this regex:

https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)

This regex only matches if the URL contains the “http://” or “https://” scheme. You can write your own regex to make it better :)

In the replace field you can put your own domain or your Burp Collaborator URL, like this:

In the type field you can set whatever you prefer; in this case I will use “Request param value”.

With this setup, for every request that has a URL as a parameter value, Auto-Repeater will create a new request with that URL changed to my Burp Collaborator URL.

When I make a GET request with a URL in a parameter value, Auto-Repeater creates a new request with the URL parameter value replaced.

Here is the url changed automatically.
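
To preview what this match/replace rule does before loading it into Burp, here is an added example (not from the original article and not Auto-Repeater's own code) that applies the regex above to query parameter values offline. The sample request URLs and the `callback.example` replacement host are constructed placeholders, and the example assumes values are compared after URL-decoding.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The article's regex, with plain ASCII hyphens in the character ranges.
URL_RE = re.compile(
    r"https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b"
    r"([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
)

# Hypothetical placeholder for the replacement value (your own logging host).
REPLACEMENT = "https://callback.example"


def url_valued_params(request_url):
    """Return (name, value) pairs whose decoded value contains a URL."""
    query = urlsplit(request_url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if URL_RE.search(v)]


def rewrite(request_url, replacement=REPLACEMENT):
    """Return request_url with each matched URL in a parameter value replaced,
    or None when nothing matches (no extra request would be created)."""
    parts = urlsplit(request_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    new_pairs = [(k, URL_RE.sub(replacement, v)) for k, v in pairs]
    if new_pairs == pairs:
        return None
    return urlunsplit(parts._replace(query=urlencode(new_pairs)))


# Constructed sample requests: an encoded URL value, a scheme-less value,
# a dot-less internal hostname, and a request with no URL at all.
SAMPLES = [
    "https://shop.example/fetch?img=https%3A%2F%2Fcdn.example.org%2Fa.png&id=7",
    "https://shop.example/go?next=cdn.example.org/a.png",
    "https://shop.example/hook?cb=http://intranet/status",
    "https://shop.example/search?q=shoes&page=2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  matched params:", url_valued_params(sample))
        print("  rewritten     :", rewrite(sample))
```

The second and third samples show the gaps in this regex: values without a scheme and hostnames without a dot are not matched, so those parameters need a broader pattern.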

Conclusion

You can apply this setting and browse the site; while browsing, monitor all the requests that your domain receives.
