id: request-based-interaction

info:
  name: OOB Request Based Interaction
  author: pdteam
  severity: info
  description: The remote server fetched a spoofed DNS Name from the request.
  reference:
    - https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
  metadata:
    max-request: 5
  tags: oast,ssrf,generic,vuln

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{interactsh-url}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET / HTTP/1.1
        Host: @{{interactsh-url}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET http://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET @{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

      - |+
        GET {{interactsh-url}}:80/ HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: no-transform
        Accept: */*

    unsafe: true # Use Unsafe HTTP library for malformed HTTP requests.

    matchers-condition: or
    matchers:
      - type: word
        part: interactsh_protocol
        name: http
        words:
          - "http"

      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"
# digest: 4a0a00473045022100a5ed93e8042caab224be5b7b588e775772b7a9f3e11bfb1f6239bb824a7c498802201590bf96608b5552eb6535d4514bd32547b4333adb17157d37323de302592015:922c64590222798bb761d5b6d8e72950