Header Based Generic OOB Interaction

By kannthu

Informative
Vidoc Module
#oast #ssrf #generic
Description

What is "Header Based Generic OOB Interaction"?

The "Header Based Generic OOB Interaction" module detects misconfigurations or vulnerabilities related to header-based out-of-band (OOB) interactions, where a server acts on values supplied in request headers. It targets specific software and provides informative insights into potential security issues. This module has an informative severity level and was authored by pdteam.

Impact

This module detects if the remote server fetched a spoofed URL from the request headers. This can potentially lead to security vulnerabilities or misconfigurations that may be exploited by attackers.

How does the module work?

The "Header Based Generic OOB Interaction" module works by sending an HTTP request with specific headers and then matching the results against predefined conditions. It uses two matching conditions, "http" and "dns": the module checks whether the "interactsh_protocol" part of the response contains the word "http" or "dns". If either condition is met, the module considers it a match.

Here is an example of an HTTP request sent by the module:

GET /
Headers:
- From: root@{%InteractionURL%}
- X-Host: spoofed.{%InteractionURL%}
- Contact: root@{%InteractionURL%}
- Profile: http://{%InteractionURL%}/profile.xml
- Referer: http://{%InteractionURL%}/ref
- Client-Ip: spoofed.{%InteractionURL%}
- Forwarded: for=spoofed.{%InteractionURL%};by=spoofed.{%InteractionURL%};host=spoofed.{%InteractionURL%}
- X-Real-Ip: spoofed.{%InteractionURL%}
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@{%InteractionURL%}
- X-Client-Ip: spoofed.{%InteractionURL%}
- Cache-Control: no-transform
- X-Wap-Profile: http://{%InteractionURL%}/wap.xml
- True-Client-Ip: spoofed.{%InteractionURL%}
- X-Forwarded-For: spoofed.{%InteractionURL%}
- Cf-Connecting_ip: spoofed.{%InteractionURL%}
- X-Forwarded-Host: spoofed.{%InteractionURL%}
- X-Originating-Ip: spoofed.{%InteractionURL%}
- X-Forwarded-Server: spoofed.{%InteractionURL%}
- X-HTTP-Host-Override: spoofed.{%InteractionURL%}

The module considers a match if either the "http" or "dns" condition is met. It helps identify potential misconfigurations or vulnerabilities related to header-based OOB interactions.
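A defender-side view of the same header set, as an added example that is not part of the Vidoc module: it flags header values that an application should never resolve or fetch. The function name `audit_headers`, the `trusted_hosts` parameter, and the hostnames `oob.example` and `app.example.test` are assumptions made for illustration; the `Forwarded` header is not parsed here.

```python
import ipaddress
from urllib.parse import urlsplit

# Header groups taken from the request template on this page.
IP_HEADERS = {"client-ip", "x-real-ip", "x-client-ip", "true-client-ip",
              "x-forwarded-for", "cf-connecting_ip", "x-originating-ip"}
HOST_HEADERS = {"x-host", "x-forwarded-host", "x-forwarded-server",
                "x-http-host-override"}
URL_HEADERS = {"profile", "x-wap-profile", "referer"}

def _is_ip(value):
    """True if value is an IPv4/IPv6 literal (brackets around IPv6 allowed)."""
    try:
        ipaddress.ip_address(value.strip().strip("[]"))
        return True
    except ValueError:
        return False

def audit_headers(headers, trusted_hosts):
    """Return (header, reason) pairs for values a server must not resolve or fetch."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key in IP_HEADERS:
            # A hostname in a client-IP header causes a DNS lookup if it is resolved.
            if not all(_is_ip(v) for v in value.split(",")):
                findings.append((name, "non-IP value in client-IP header"))
        elif key in HOST_HEADERS:
            if value.strip().lower() not in trusted:
                findings.append((name, "untrusted host override"))
        elif key in URL_HEADERS:
            # A URL to an outside host causes an HTTP request if it is dereferenced.
            host = (urlsplit(value).hostname or "").lower()
            if host and host not in trusted:
                findings.append((name, "URL to untrusted host"))
    return findings

# Constructed sample request; oob.example stands in for the interaction URL.
SAMPLE = {
    "X-Forwarded-For": "spoofed.oob.example",
    "X-Real-Ip": "203.0.113.7",
    "X-Forwarded-Host": "spoofed.oob.example",
    "X-Wap-Profile": "http://oob.example/wap.xml",
    "Referer": "https://app.example.test/login",
    "Cache-Control": "no-transform",
}

if __name__ == "__main__":
    for header, reason in audit_headers(SAMPLE, {"app.example.test"}):
        print(f"{header}: {reason}")
```
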

For more information, you can refer to the Collaborator Everywhere GitHub repository.

Metadata: max-request: 1

Module preview

Matching conditions
word: http
or
word: dns
Passive global matcher
No matching conditions.
On match action
Report vulnerability