Create ssrf.json

2025-12-23 22:27:46 -05:00 · 2025-01-13 12:54:36 +01:00
parent b957e462b7
commit b0ba2a8895
1 changed files with 83 additions and 0 deletions
--- a/rules/ssrf.json
+++ b/rules/ssrf.json
@@ -0,0 +1,83 @@
+[
+    {
+        "id": "ssrf-internal-ip",
+        "phase": 2,
+        "pattern": "(?:127\\.0\\.0\\.1|10\\.|172\\.(?:1[6-9]|2\\d|3[01])\\.|192\\.168\\.)",
+        "targets": ["URI","ARGS"],
+        "severity": "HIGH",
+        "action": "block",
+        "score": 7,
+        "description": "Block SSRF to Internal IPs."
+    },
+    {
+         "id": "ssrf-reserved-ip",
+        "phase": 2,
+        "pattern": "(?:0\\.|169\\.254\\.|224\\.|240\\.|255\\.)",
+         "targets": ["URI","ARGS"],
+        "severity": "MEDIUM",
+        "action": "block",
+         "score": 5,
+        "description": "Block SSRF to Reserved/Multicast IPs."
+    },
+    {
+        "id": "ssrf-protocol-whitelist",
+        "phase": 2,
+        "pattern": "^(?i)(?:http|https)://.*$",
+         "targets": ["URI", "ARGS"],
+        "severity": "MEDIUM",
+        "action": "log",
+        "score": 3,
+        "description": "Log URLs that do not follow the protocol whitelist (http/https)."
+    },
+      {
+         "id":"ssrf-file-protocol",
+         "phase": 2,
+         "pattern":"(?i)file:\\/\\/",
+         "targets": ["URI","ARGS"],
+        "severity": "HIGH",
+         "action":"block",
+       "score": 7,
+        "description": "Block file:// protocol to avoid LFI/RFI based SSRF"
+      },
+     {
+         "id":"ssrf-ftp-protocol",
+         "phase": 2,
+         "pattern":"(?i)ftp:\\/\\/",
+          "targets": ["URI","ARGS"],
+          "severity": "HIGH",
+           "action":"block",
+           "score": 7,
+          "description": "Block ftp:// protocol to avoid RFI based SSRF"
+     },
+     {
+        "id":"ssrf-gopher-protocol",
+        "phase": 2,
+        "pattern": "(?i)gopher:\\/\\/",
+        "targets": ["URI","ARGS"],
+        "severity":"HIGH",
+        "action":"block",
+         "score": 7,
+        "description":"Block gopher:// protocol to avoid SSRF"
+     },
+      {
+         "id":"ssrf-data-protocol",
+         "phase":2,
+         "pattern":"(?i)data:\\/\\/",
+         "targets": ["URI","ARGS"],
+         "severity":"HIGH",
+          "action":"block",
+         "score": 7,
+         "description":"Block data:// protocol to avoid SSRF"
+    },
+    {
+          "id": "ssrf-redirects",
+           "phase": 2,
+          "pattern": "(?i)(?:\\s*(?:Location|Redirect)\\s*:\\s*https?:\\/\\/[^\\s]+)",
+          "targets": ["HEADERS"],
+          "severity":"MEDIUM",
+         "action":"log",
+           "score": 4,
+          "description":"Log headers containing redirections to other websites, can be used for SSRF via headers."
+    }
+
+]