bchecks/SSRF via URL Parameters.bcheck at main · KaustubhRai/bchecks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
metadata:
    language: v2-beta
    name: "SSRF via URL Parameters"
    description: "Injects a Burp Collaborator URL into common URL-accepting parameters (url, target, dest, fetch, callback, etc.) and flags responses that differ from baseline. Check Burp Collaborator for DNS/HTTP interactions to confirm SSRF."
    author: "Kaustubh"

run for each:
    url_param =
        "url",
        "target",
        "dest",
        "destination",
        "redirect",
        "uri",
        "path",
        "fetch",
        "callback",
        "return",
        "next",
        "load",
        "open",
        "file",
        "src",
        "source",
        "href",
        "link",
        "img",
        "image",
        "proxy",
        "endpoint",
        "host",
        "website",
        "domain"

given request then
    send request called ssrf:
        appending queries:
            `{url_param}=https://{generate_collaborator_address()}`

    if {ssrf.response} differs from {base.response} then
        report issue and continue:
            severity: medium
            confidence: tentative
            detail: `Potential SSRF: injecting a collaborator URL into parameter '{url_param}' caused a different response. Check Burp Collaborator for DNS or HTTP interactions to confirm.`
            remediation: "Validate and allowlist all server-side URL fetch targets. Block requests to private IP ranges (RFC-1918), loopback, and internal DNS zones. Use an allowlist approach rather than a denylist."
    end if