Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jobertabma/ground-control
A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- Host: GitHub
- URL: https://github.com/jobertabma/ground-control
- Owner: jobertabma
- Created: 2017-06-11T23:49:17.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2017-06-12T20:51:38.000Z (over 7 years ago)
- Last Synced: 2024-08-01T10:17:01.874Z (4 months ago)
- Language: Ruby
- Homepage:
- Size: 47.9 KB
- Stars: 526
- Watchers: 32
- Forks: 111
- Open Issues: 1
Metadata Files:
- Readme: readme.md
Awesome Lists containing this project
- awesome-bugbounty-tools - ground-control - A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities. (Exploitation / XXE Injection)
README
# Ground control
This is a collection of most of the scripts I use to debug Server Side Request Forgery (SSRF), blind XSS, and insecure XML External Entity (XXE) processing vulnerabilities. This is still a work in progress, as I'm still collecting all the scripts that I have lingering around. Before collecting them, I used to rewrite these scripts most of the time or set up listeners with `netcat`. That wasn't scalable, so I started gathering the scripts in a repository, which can be cloned easily whenever it's needed on a server.
## Requirements
Running these scripts requires Ruby 2.3, a valid SSL certificate for a domain you own, and a server on which ports `80`, `443`, `8080`, and `8443` can be opened. Ports `80` and `443` are used to serve plain web traffic. Port `8080` is an alternative HTTP port that can be useful when traffic on port `80` is blocked. Port `8443` is an alternative port for HTTPS traffic, with the difference that it serves a self-signed SSL certificate. I use this port to determine whether the target validates SSL certificates. A missing certificate check does not warrant a security report by itself, but it is often useful to mention when you're filing the SSRF report.
## Setting up
Clone this repository and install the required components by running `install.sh`. After that, run `start.sh` to start listening on all ports. For now, `root` privileges are required because the server binds ports `80` and `443`. A future version might solve this by switching to a different user context after startup.
## Functions
### Redirects
The `/redirect` endpoint redirects a request to another server or endpoint. This helps when you need an external server to redirect back to an internal system, for example a cloud metadata service. See below for an example.
```
curl -vv "http://server/redirect?url=http://169.254.169.254/latest/meta-data/"
```
### Ping Pong
Sometimes you simply need a page that responds with a certain body and headers. The `/ping_pong` endpoint does exactly that. Here is an example.
```
curl -vv "http://server/ping_pong?body=%3ch1%3eHello%3c/h1%3e"
```
### Blind callbacks
To figure out whether an inaccessible system is executing your HTML or XSS payload, add an item to `callback_tokens` in `config.json`. The structure is shown below. Each entry records where you injected the payload, which helps you identify the root cause of the vulnerability when a callback arrives. Every unique combination of parameter, host, port, path, and method should have its own `callback_token`.
```
{
"callback_tokens": {
"ee34a1791ab345f789": {
"host": "hackerone.com",
"port": 443,
"ssl": true,
"path": "/webhooks",
"parameter": "url",
"method": "POST"
}
}
}
```
Depending on what type of vulnerability you want to test for, you have to construct a payload. See below for examples for HTML injection, blind XSS, and XXE. Then submit the payload to the injection point. You'll see a log entry in `logs/access_log` when a request carrying that `callback_token` comes in. Most of the time, I use `tail -f logs/access_log` to watch for triggers.
**HTML injection**
```
```
**Blind XSS**
```
```
**XXE**
```
]>
&sp;
```
### Starting another server
The server listens on ports `80`, `443`, `8080`, and `8443` by default. To start another server on a different port, run `ruby app/server.rb -p :port`. To use SSL, append `-cert :cert.pem`. This is especially useful when a potential SSRF vulnerability only allows connections to certain ports. Say bye to all the Apache and nginx configuration hacking!