HTTP Webhook to test SSRF Vulnerabilities

Hey, it's Benno, and welcome to this series dedicated to automation for offensive security, used mainly, in my case, while doing bug bounty. In this series, I will explore some workflows I created on n8n while doing bug bounty, which aim to make my life easier, and perhaps yours along the way.

In this first part, I will show you how I created a workflow that allowed me to set up an HTTP webhook, which is very useful, or even necessary, while investigating certain SSRF vulnerabilities. To do so, I'll briefly cover what an SSRF is and what already exists for creating webhooks. Then, I'll detail my n8n workflow and put it to work!

I will not detail the installation of n8n. It can be self-hosted (Node.js or Docker), or there is also a cloud version (paid). The important thing is that, if you host it yourself, it is mostly free ◡̈

Note on AI: I will, on purpose, not include any AI in the workflow I present. I feel like there is already enough content related to AI & Bug Bounty and it does a bit of a disservice to the domain. But feel free to integrate some AI in your workflows, smartly ;)

What's an SSRF and why do we need a webhook?

In short, SSRF, or Server-Side Request Forgery, is a vulnerability that tricks a server into making requests on your behalf. These requests can target external or internal resources: cloud metadata endpoints, database HTTP interfaces, internal REST interfaces, etc. An impactful SSRF allows you to reach endpoints that you normally can't.

To detect one, you need the target server to make a request to something you control and can monitor. That's where a webhook comes in: a simple endpoint that logs incoming requests.

What already exists to create a webhook?

Here's a list of existing tools to create hooks. It is not an exhaustive list, but those below all do the job:

So why didn't I use one of those? Here is my wishlist:

  • free (more or less)
  • able to easily add some automation around it (notification, enrichment, …)
  • webhook is a unique URL that does not change over time
  • not hosted on my computer, because I appreciate being able to turn it off sometimes (or do I?)
  • on n8n, because it's pretty cool

None of the existing tools seemed to tick every box on my wishlist (surprising). So, let's see the actual workflow.

The n8n Workflow

Webhook n8n workflow

It works as follows:

  1. Trigger: a Webhook node triggering the workflow: https://n8n_domain/webhook-test/ssrf-callback
  2. Parse & Enrich: use the data from the request to the webhook, mainly the headers and the HTTP query string. In my workflow I use the query ?program=Test so that I can recognize where the webhook was triggered from.
  3. Enrich with a WHOIS lookup and IP geolocation of the source IP.
  4. Merge the parsed data and the enrichments.
  5. Send a notification to a Telegram group (via a Telegram bot).

One limitation of this workflow is that it only covers HTTP webhooks, whereas SMB or other callback types might be necessary in some scenarios.
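As an added illustration (not the author's n8n workflow), here is a stand-alone Python listener doing the equivalent of steps 2 and 5 above: it parses the program tag from the query string, captures the source IP and headers, and prints the notification text instead of sending it to Telegram. The `program` query name is the one used above; the X-Forwarded-For handling, the port, and leaving out the WHOIS/geolocation enrichment are my assumptions.

```python
"""Added example, not the author's n8n workflow: a minimal stand-in for the
"Parse & Enrich" and "notify" steps, runnable as a local callback listener."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs


def parse_callback(path, headers, client_ip):
    """Turn one incoming callback into the record the notification is built from."""
    parsed = urlparse(path)
    query = parse_qs(parsed.query)
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Same ?program=... tag as the article; untagged hits are still recorded.
    program = query.get("program", ["untagged"])[0]
    # Assumption: a reverse proxy may sit in front, so the real source can be in
    # X-Forwarded-For. That header is attacker-controllable, so keep the raw peer IP too.
    forwarded = hdrs.get("x-forwarded-for", "")
    source_ip = forwarded.split(",")[0].strip() if forwarded else client_ip
    return {
        "program": program,
        "path": parsed.path,
        "source_ip": source_ip,
        "peer_ip": client_ip,
        "user_agent": hdrs.get("user-agent", ""),
        "host": hdrs.get("host", ""),
        "query": {k: v[0] for k, v in query.items()},
    }


def format_notification(record):
    """Plain-text message in the spirit of the Telegram notification."""
    return "\n".join([
        f"SSRF callback for program: {record['program']}",
        f"source: {record['source_ip']} (peer {record['peer_ip']})",
        f"path: {record['path']}",
        f"user-agent: {record['user_agent'] or '-'}",
    ])


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record = parse_callback(self.path, self.headers, self.client_address[0])
        print(format_notification(record))  # stand-in for the Telegram step
        body = json.dumps({"ok": True}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # callbacks may arrive with any method

    def log_message(self, *args):  # keep stdout to the parsed record only
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), CallbackHandler).serve_forever()  # assumed port
```

One thing to check when reusing the URL from the article: n8n serves the `/webhook-test/` path only while the workflow is listening in test mode, so the persistent URL on the wishlist is the production one under `/webhook/`, available once the workflow is activated.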

In Practice

As a POC, I created a small vulnerable demo app, which is basically a website with a form connected to a backend that fetches whatever URL is entered in it, nothing fancy:

Vulnerable Demo App

We can now enter our webhook URL, https://n8n_domain/webhook-test/ssrf-callback?program=TestCompany, and click on Fetch Preview.

We can then observe that the workflow executed and we successfully received the notification in the Telegram group.

The message contains the Program as well as all the enrichments defined in the workflow; awesome!

Final Word

This workflow probably won't replace Burp Collaborator in a full professional setup, but it checks every box on my personal wishlist: free, persistent, automated, and extensible.

In the next articles, I will explore some additional n8n workflows that I find quite neat & useful.

If you have questions or want to share your own n8n workflows for bug bounty, feel free to reach out & happy hunting!

Benno