Add --ssrf-probe mutator (OWASP A10:2021 SSRF)#31
Merged
Conversation
Rewrites URL-bearing query/body/JSON parameters to seven disjoint SSRF payloads (AWS IMDSv1, GCP metadata, Azure IMDS, loopback, RFC1918, file://, gopher://) so the caller weaponises the server's outbound fetch helper to reach internal-network resources or exfiltrate cloud IAM credentials (2019 Capital One breach shape). Eligible parameters are matched by name (substring against url/uri/redirect/callback/ webhook/target/dest/endpoint/next/return/src/host/image/fetch) or by value shape (an existing absolute http(s) URL). Off by default.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new opt-in mutator
--ssrf-probethat rewrites URL-bearingrequest parameters to Server-Side Request Forgery payloads, weaponising
the server's outbound HTTP client to reach internal network resources
or exfiltrate cloud-instance IAM credentials (OWASP A10:2021 SSRF; the
2019 Capital One / AWS IMDS breach shape).
Why
The post-v0.1 directions called for new mutator coverage. SSRF is OWASP
top-ten material, complements the existing parameter-rewriting and
path-mutation family without overlapping it, and follows the same
opt-in / off-by-default contract every other active probe in the suite
uses. PathTraversal and OpenRedirect-style mutators were not yet
shipped; SSRF was prioritised by the Worker brief.
What
internal/mutate/ssrf_probe.go(SSRFProbe) emittingvariants across three surfaces (query, urlencoded body, top-level
JSON string field) × seven techniques (aws-imds-v1, azure-imds,
gcp-metadata, internal-ip-loopback, internal-ip-private, protocol-
file, protocol-gopher), gated by parameter-name match (substring,
case-insensitive, against a sorted token list) OR value-shape
match (existing absolute http(s) URL).
internal/mutate/ssrf_probe_test.gocoveringoff-by-default, nil-safety, surface eligibility (query/body/JSON),
technique coverage, determinism, sort order, baseline immutability,
disjointness from sibling mutators, and helper invariants.
scanCLI flag--ssrf-probe, registry wiring inbuildRegistry,flag reset.
and gating rationale.
[Unreleased].Variant generation is pure, deterministic, and credential-preserving
(
Identity == nil) — same contract as every sibling off-by-defaultmutator. Findings are class
ssrf(ASVS V12.6).Test plan
go test ./...greengo vet ./...cleango build ./...cleango test ./internal/mutate -run SSRFProbe -v)buildRegistry(...)call-sites updated for new arg--ssrf-probeabsent fromDefaultRegistry(off-by-default contract)possession scan --help | grep ssrf-probeafter merge?url=...query to spot-check variant count