1.0.2 • Published 2 years ago

ssrf v1.0.2

Weekly downloads
-
License
ISC
Repository
-
Last release
2 years ago

ssrf

NPM Version LICENSE

Server-Side Request Forgery (SSRF)

the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed read more

Install

npm install ssrf

Usage

ssrf.options({
  blacklist:"/ssrf/list.txt", //Linux if windows pass 'C:\\Users\\host.txt'
  path:false
})
let DNS_rebinding = "https://c0okie.xyz/attacker.html" //my domain running on 127.0.0.1
let url = "http://evil.com" //Blacklist host
let ip = "http://13.54.97.2" //Blacklist IP

//Normal request
const fetch = async() =>{
  try {
    const gotssrf = await ssrf.url(ip) //return host or ip 
    axios.get(gotssrf)
    .then((data) => console.log(data.data))
    .catch(err => console.log(err))
  } catch (error) {
    console.log("Handle Error for Front End User")
  }
}
fetch()

ssrf.url()

ssrf.url return Promise so use await ssrf.url("http://example.com") in try-catch block

     
try{
        const result = await ssrf.url(url)
        //do stuff if success
}catch{
        //do stuff if fail
}

ssrf.options({})

options takes two argument

  • blacklist
  • path

blacklist

Blacklist parameter takes input of absolute path to a text file Ex:- /usr/list/blacklist.txt (Linux) C:\Users\host.txt (windows) By default it don't have any blacklist but if an user passes absolute path then it reads file and run a for loop everytime it hits middleware

File format
evil.com
example.com
87.26.7.9
98.72.6.2

path

Path parameter taker A Boolean value as (true or false) Where by default its True which means it will return /path and ?parameters attached to Host

Ex:- if a user send's http://example.com/path1?param=1 return http://example.com/path1?param=1

True

return absolute Url http://example.com/path1?param=1

False

return Hostname http://example.com or http://www.example.com

This module Prevents From reserverd character @ attack and DNS rebinding attack. to Learn more about DNS rebinding more

ssrfsecurity
ipaddr.js
@infinitebrahmanuniverse/nolb-ssr@everything-registry/sub-chunk-2816
1.0.2

2 years ago

1.0.1

2 years ago

1.0.0

2 years ago