Skip to content

Add --ssrf-probe mutator (OWASP A10:2021 SSRF)#31

Merged
bugsyhewitt merged 1 commit into
mainfrom
worker-r34-possession
May 30, 2026
Merged

Add --ssrf-probe mutator (OWASP A10:2021 SSRF)#31
bugsyhewitt merged 1 commit into
mainfrom
worker-r34-possession

Conversation

@bugsyhewitt

Copy link
Copy Markdown
Owner

Summary

Adds a new opt-in mutator --ssrf-probe that rewrites URL-bearing
request parameters to Server-Side Request Forgery payloads, weaponising
the server's outbound HTTP client to reach internal network resources
or exfiltrate cloud-instance IAM credentials (OWASP A10:2021 SSRF; the
2019 Capital One / AWS IMDS breach shape).

Why

The post-v0.1 directions called for new mutator coverage. SSRF is OWASP
top-ten material, complements the existing parameter-rewriting and
path-mutation family without overlapping it, and follows the same
opt-in / off-by-default contract every other active probe in the suite
uses. PathTraversal and OpenRedirect-style mutators were not yet
shipped; SSRF was prioritised by the Worker brief.

What

  • New mutator internal/mutate/ssrf_probe.go (SSRFProbe) emitting
    variants across three surfaces (query, urlencoded body, top-level
    JSON string field) × seven techniques (aws-imds-v1, azure-imds,
    gcp-metadata, internal-ip-loopback, internal-ip-private, protocol-
    file, protocol-gopher), gated by parameter-name match (substring,
    case-insensitive, against a sorted token list) OR value-shape
    match (existing absolute http(s) URL).
  • Comprehensive tests internal/mutate/ssrf_probe_test.go covering
    off-by-default, nil-safety, surface eligibility (query/body/JSON),
    technique coverage, determinism, sort order, baseline immutability,
    disjointness from sibling mutators, and helper invariants.
  • scan CLI flag --ssrf-probe, registry wiring in buildRegistry,
    flag reset.
  • README section documenting the technique table, eligibility rules,
    and gating rationale.
  • CHANGELOG entry under [Unreleased].

Variant generation is pure, deterministic, and credential-preserving
(Identity == nil) — same contract as every sibling off-by-default
mutator. Findings are class ssrf (ASVS V12.6).

Test plan

  • go test ./... green
  • go vet ./... clean
  • go build ./... clean
  • 21 new test cases pass (go test ./internal/mutate -run SSRFProbe -v)
  • Existing 33 buildRegistry(...) call-sites updated for new arg
  • --ssrf-probe absent from DefaultRegistry (off-by-default contract)
  • Manual: possession scan --help | grep ssrf-probe after merge
  • Manual: dry-run against a HAR with a ?url=... query to spot-check variant count

Rewrites URL-bearing query/body/JSON parameters to seven disjoint SSRF
payloads (AWS IMDSv1, GCP metadata, Azure IMDS, loopback, RFC1918,
file://, gopher://) so the caller weaponises the server's outbound
fetch helper to reach internal-network resources or exfiltrate cloud
IAM credentials (2019 Capital One breach shape). Eligible parameters
are matched by name (substring against url/uri/redirect/callback/
webhook/target/dest/endpoint/next/return/src/host/image/fetch) or by
value shape (an existing absolute http(s) URL). Off by default.
@bugsyhewitt bugsyhewitt merged commit b482b8f into main May 30, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant