Application Security Testing for Server-Side Request Forgery
This article describes how to test an application for Server-Side Request Forgery (SSRF) vulnerabilities. The advice is based on the following sources:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- Bug bounty reports
- My own experience.
Tools (with basic usage) and wordlists used for SSRF detection.
- SSRFmap — a semi-automatic SSRF discovery and exploitation tool.
I am not using it because of problems with JSON parsing and the need to specify injection points manually. However, I decided to share it here in case it is helpful to someone else, and in case the tool improves in the future.
- internal_ip_addr_disclosure.py — a script for detecting internal IP address leaks in responses.
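As an added example (it is not the internal_ip_addr_disclosure.py script mentioned above and not code from this article), the following Python snippet shows the check such a script performs: pull every IPv4 dotted quad out of an HTTP response, validate it, and report only those that fall in internal ranges. The ranges (RFC 1918, loopback, link-local including the 169.254.169.254 cloud metadata address, and carrier-grade NAT) are an assumption about what counts as "internal"; extend the list for your target. The sample headers and body are constructed for the demonstration.

```python
import ipaddress
import re

# Address ranges treated as "internal" for leak detection (assumption; extend as needed).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local, includes 169.254.169.254 metadata
    "100.64.0.0/10",                                  # carrier-grade NAT (RFC 6598)
)]

# Candidate dotted quads. The lookarounds stop a match inside a longer
# digit/dot run such as a version string; validity is checked afterwards.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_internal_ips(text):
    """Return the sorted, de-duplicated internal IPv4 addresses found in text."""
    found = set()
    for match in _IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            # e.g. 999.1.1.1 looks like an address but is not one
            continue
        if any(addr in net for net in INTERNAL_NETWORKS):
            found.add(str(addr))
    return sorted(found, key=ipaddress.IPv4Address)


def scan_response(headers, body):
    """Return (location, ip) pairs for every internal address leaked in a response.

    headers: mapping of header name -> value; body: response body as text.
    Header leaks are reported before body leaks, in header order.
    """
    findings = []
    for name, value in headers.items():
        for ip in find_internal_ips(value):
            findings.append((f"header:{name}", ip))
    for ip in find_internal_ips(body):
        findings.append(("body", ip))
    return findings


# Constructed sample response: one leak in a custom header, two in the body,
# plus public and malformed addresses that must not be reported.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Backend-Server": "10.20.30.40",
    "Location": "http://203.0.113.5/login",
}
SAMPLE_BODY = """<html><body>
<!-- debug: upstream=172.16.5.10:8080 -->
<p>Contact 8.8.8.8 or 999.1.1.1 (not an address)</p>
<img src="http://169.254.169.254/latest/meta-data/">
</body></html>"""

if __name__ == "__main__":
    for location, ip in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{location}: {ip}")
```

Run it against a saved response (or wire `scan_response` into a proxy plugin) and treat any hit as a lead: an internal address in a header or debug comment is exactly the kind of target you then feed into an SSRF payload.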
I have described how to use the above automatic scanners in another article:
BURP SUITE PRO EXTENSIONS
- Burp Bounty Pro — additional automatic scanning capabilities.