How to create a domain-based listener for SSRF testing

#1

Hello mates,

We normally use a listener like http://1.2.3.4:1337 on netcat (if the IP is 1.2.3.4) for testing SSRF, but sometimes the parameter or field that passes the listener address to the attacked server accepts only domain-based URLs.

Ex: example.com, www.example.com/ex.png

The server filters all IPs, decimal IP notation, sockets, and URL-based bypasses like

http://127.88.23.245:22/+&@google.com:80#+@google.com:80/

http://127.88.23.245:22/?@google.com:80/

http://127.88.23.245:22/#@www.google.com:80/

So the question is how to create a domain-based listener, or any other solution for this.
Please don't tell me to buy a domain and set up a redirect to http://1.2.3.4:1337 :smile: :laughing:

Thank you.

#2

The easy one is to have a Burp Suite Professional license and use Burp Collaborator, as this is in domain format and will capture the entire SSRF request in multiple formats (for example, SMTP, HTTP, etc.).

If you're serious about getting more bucks, though, I'm afraid it is registering a domain name (this is what I did). This gives you many advantages, since you can now set up specific scripts to test 'gopher' redirect SSRF and all the other tricks, especially when the SSRF vector doesn't allow you to put in a custom URI but only a specific domain. You can also run into 'SSL certificate errors' with your SSRF that prevent the vulnerability from being exploited to maximum effect; having a matching domain name with an SSL cert prevents this. I have it hosted on DigitalOcean and it costs me $5 a month for the server plus the registration fee for the domain name (I think I paid about $7 a year for that). The SSL/TLS cert is free by using Let's Encrypt. As SSRF vulnerabilities can potentially pay out a P2, your investment is paid off after a single non-duplicate submission, and I find these are an increasingly frequent vulnerability in today's applications.

#3

Thank you ARKADA for giving a detailed solution.
It is really helpful.