kerstan

Summary

Kerstan shares a method for automatically discovering SSRF vulnerabilities in Hackerone programs using AutoRepeater and DNS log platforms.

Abstract

In a detailed guide, Kerstan describes the process of leveraging AutoRepeater, a Burp Suite extension, to automatically detect Server-Side Request Forgery (SSRF) vulnerabilities within Hackerone programs. The method involves downloading and installing AutoRepeater, setting up a DNS log platform like Burp's Collaborator or ceye.io, and configuring regular expressions to match both encoded and unencoded URLs. By replacing URLs with dnslog addresses and monitoring for interactions on the DNS log platform, one can identify potential SSRF vulnerabilities. Kerstan emphasizes the importance of thorough testing of all endpoints that handle URLs and encourages persistence in exploiting blind SSRFs to potentially earn higher bounties.

Opinions

  • Finding blind SSRFs can be straightforward, but maximizing bounty rewards requires additional effort to exploit the vulnerability further.
  • Persistence is key when trying to gain more access through SSRF, as it can lead to more significant findings and, consequently, higher bounties.
  • The author suggests that any endpoint that processes URLs should be tested for SSRF vulnerabilities.
  • Sharing knowledge and tools, such as AutoRepeater, is valuable for the hacker community and can be beneficial for those looking to improve their skills in vulnerability discovery.
  • The author values community engagement and appreciation, requesting claps and follows if the content is found helpful.
  • Kerstan promotes an AI service, ZAI.chat, as a cost-effective alternative to ChatGPT Plus (GPT-4), indicating a preference for this tool in his workflow.

How I Automatically Discovered SSRF in Hackerone Program

Hi guys, I am Kerstan. Today I will share with you how I automatically discovered SSRF in a HackerOne program.

Finding a blind SSRF is relatively easy, but to earn more bounty, you need to exploit it and gain more access. It requires relentless effort. Try harder, bro!

If this writing has been helpful to you, please consider giving it a clap and following. Thanks bro.

So, let’s get started.

1. Download & Install

First, you need to download AutoRepeater from the following address. Once downloaded, go to the Extender interface of Burp and import AutoRepeater.jar.

https://github.com/nccgroup/AutoRepeater

2. Automatically Discovering SSRF

You need to do two preparatory steps:

  1. You need a dnslog platform where you can view the logs, such as Burp’s Collaborator or ceye.io. You can also use other platforms.
  2. You need to prepare the following two regular expressions:
     (?i)^(https|http|file)://.*
     (?i)^(https|http|file)%3A%2F%2F.*

Let’s explain the two regular expressions briefly:

The first regular expression ensures that unencoded URLs can be matched correctly.

The second regular expression ensures that encoded URLs can be matched correctly.

AutoRepeater uses them to match URL values in requests, replace each match with your dnslog address, and then automatically resend the modified requests.
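To make the matching concrete, here is an added Python example (not from the post and not AutoRepeater's own code) that applies the post's two patterns to raw query-string values and, from the defender's side, flags any URL-carrying parameter whose scheme is file or whose host is outside an allowlist; the allowlist hosts and the sample query string are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# The two patterns from the post. (?i) makes them case-insensitive, and the
# leading ^ means only values that START with a URL are matched.
PLAIN_URL = re.compile(r"(?i)^(https|http|file)://.*")
ENCODED_URL = re.compile(r"(?i)^(https|http|file)%3A%2F%2F.*")

# Constructed allowlist: hosts this (hypothetical) application may fetch from.
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}


def classify(value: str):
    """Return 'plain', 'encoded' or None depending on which pattern matches.

    Note: a double-encoded value (https%253A%252F%252F...) matches neither,
    and a URL that is not at the start of the value is not matched either.
    """
    if PLAIN_URL.match(value):
        return "plain"
    if ENCODED_URL.match(value):
        return "encoded"
    return None


def flag_url_params(query: str):
    """Inspect a raw query string (not yet percent-decoded) and return a list
    of (param, host, reason) for URL-carrying parameters that need review."""
    findings = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        kind = classify(raw)
        if kind is None:
            continue  # not a URL-carrying value under either pattern
        url = unquote(raw) if kind == "encoded" else raw
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() == "file":
            findings.append((name, host, "file scheme"))
        elif host not in ALLOWED_HOSTS:
            findings.append((name, host, "host not allowlisted"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one allowed URL, one encoded URL to an unknown host,
    # one file:// URL and one non-URL value.
    sample = ("img=https://cdn.example.com/a.png"
              "&cb=HTTPS%3A%2F%2Funknown.example%2Fx"
              "&f=file:///etc/hostname&n=5")
    for finding in flag_url_params(sample):
        print(finding)
```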

So, all we need to do is test all the endpoints that carry URLs and then check whether any data has arrived on the DNS log platform; a hit tells us there is an SSRF vulnerability.

In my experience, any place that carries a URL has the potential for an SSRF. It is recommended to test all of them.

Now, let’s configure the rules for AutoRepeater.

Once you have configured everything as mentioned above, you just need to click here to start waiting for dnslog data. You can browse any page or test any endpoint you need in your browser.

If you find records similar to the following on your DNS log platform, Congratulations, you are about to obtain an SSRF.

3. Blind SSRF

When you discover a blind SSRF, you should test it using all available methods, such as fuzzing parameters, and never give up, bro.

If you want to learn about the approach to discovering SSRF, you can check out my previous writing.

https://readmedium.com/how-i-discovered-ssrf-on-hackerone-program-42b73c1aa716