SSRF-Sheriff

Try accessing: ssrf-sheriff.yandex.net

{ What is it? }
This is a service for testing SSRF-like vulnerabilities.

Bughunter can generate a special subdomain for testing and then analyze requests.

{ How do I use it? }
Create a personal domain for testing using the API:

https://ssrf-sheriff-logs.yandex.net/generate

Note:

  • You can create an unlimited number of domains for testing purposes;
  • The created domains will be available for 72 hours, after which they will be deleted;
  • These test hosts are accessible exclusively from Yandex's internal network;
  • Only standard HTTP methods (GET, HEAD, POST, PATCH, DELETE, OPTIONS, PUT) are supported.
{ How do I check it? }

There are several methods for detecting Server-Side Request Forgery (SSRF) vulnerabilities, suitable for both blind scenarios and scenarios where you can observe the server's responses.

  • Capture the Flag!
    If you are able to read the response, you can try to retrieve a special flag from the HTTP header
    "X-Yandex-Bugbounty-Flag"     or the response body.
    Include this flag in your report; it will assist us in validating the vulnerability.

    Flag example: YandexBB{eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lc3RhbXAiOiIyMDI0LTA5LTIzVDE0OjQ5OjMwLjg4NDcxMDkyMiswMzowMCJ9.signature}

  • Time Based

    For blind-ssrf verification, you can implement response time verification by passing the optional get parameter sleep=n causing an n-second delay before the response.

    Example: https://ssrf-sheriff.yandex.net/last/wmkcjfe?sleep=10

  • Logs Based

    The request logs are available on a separate external host at
     https://ssrf-sheriff-logs.yandex.net. This domain exposes two API methods:

    • /last/{subdomain}, where subdomain is your generated test subdomain.
      Example: https://ssrf-sheriff-logs.yandex.net/last/wmkcjfe
      This endpoint returns the last 100 log entries.

    • /log/{subdomain}, where subdomain is the subdomain part of your personal domain name.
      Example: https://ssrf-sheriff-logs.yandex.net/log/wmkcjfe
      This endpoint returns an infinitely loading page with events appearing in real time.

{ Good luck! }

The service is built upon the open-source project {ssrf-sheriff}

Tue Feb 18 2025 13:09:40 GMT+0300 (Moscow Standard Time)