Server-side Request Forgery Detector
Setup
Setting up the application is pretty easy. The following things will be needed:
- Mailgun API key
- Google Recaptcha site/private keys
- Blinkie API key (create this yourself and set it in core/Dockerfile as well as blinkie/Dockerfile)
- Session secret (any >24 character random string)
For the actual website these variables were set at runtime, as it is not secure to store them in files. They were fed in at runtime using RancherOS, which is a great container management platform (among other things). RancherOS also helped secure the databases, which is why there is no DB auth set up in this instance.
Local use
For local use, add an entry to the /etc/hosts file for '127.0.0.1 a.blinkie.xyz' and register 'a' as the subdomain. Then http://a.blinkie.xyz:3001 can be used to trigger a request. The :3001 can be left off if a proper Nginx config file is set up.
Running
Install docker-compose, then run `docker-compose build; docker-compose up;`. The `up` command may have to be run twice, as docker-compose sometimes launches the NodeJS app before Mongo is done initializing. In that case run `docker-compose down; docker-compose up;`.
The SSRF Detector website will be hosted on http://localhost:3000 and the Blinkie server will run on http://localhost:3001. Note: the Blinkie server needs to be accessed by a domain name, otherwise it will not know which subdomain to report for.
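The note above is the crux of a callback-style detector: the only thing that ties an incoming hit to a registered user is the subdomain label in the HTTP Host header. The following is an added illustration of that attribution step, not the project's own code; it assumes the blinkie.xyz base domain from this README, the single registered label 'a' from the Local use section, and request objects shaped like Node's http.IncomingMessage.

```javascript
// Added illustration (not the SSRF Detector project's own code) of why the
// Blinkie server must be reached by hostname: the reporting label is recovered
// from the Host header, so a hit on http://localhost:3001 cannot be attributed.
const BASE_DOMAIN = 'blinkie.xyz';   // callback base domain named in the README
const registered = new Set(['a']);   // label registered in the Local use section

// Return the registered subdomain a Host header points at, or null when the
// request cannot be attributed (IP literal, bare base domain, unknown label).
function subdomainFromHost(hostHeader) {
  if (!hostHeader) return null;
  let host = hostHeader.trim().toLowerCase();
  // IPv6 literals such as "[::1]:3001" carry no label at all.
  if (host.startsWith('[')) return null;
  // Strip an optional port: "a.blinkie.xyz:3001" -> "a.blinkie.xyz".
  const colon = host.lastIndexOf(':');
  if (colon !== -1) host = host.slice(0, colon);
  // An IPv4 literal such as 127.0.0.1 is never a registered callback name.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return null;
  const suffix = '.' + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  // Only a single registered label is reported; "x.a.blinkie.xyz" is rejected.
  if (label === '' || label.includes('.') || !registered.has(label)) return null;
  return label;
}

// Build the record a detector would store for one incoming request, or null
// when the Host header gives nothing to report against.
function recordHit(req) {
  const label = subdomainFromHost(req.headers['host']);
  if (label === null) return null;
  return {
    subdomain: label,
    method: req.method,
    path: req.url,
    sourceIp: req.socket.remoteAddress,
    userAgent: req.headers['user-agent'] || '',
  };
}

// Constructed sample requests: one via the hosts-file name, one via localhost.
const hitByName = { method: 'GET', url: '/', socket: { remoteAddress: '10.0.0.5' },
  headers: { host: 'a.blinkie.xyz:3001', 'user-agent': 'curl/8.0' } };
const hitByIp = { method: 'GET', url: '/', socket: { remoteAddress: '10.0.0.5' },
  headers: { host: 'localhost:3001' } };
console.log(recordHit(hitByName)); // attributed to subdomain 'a'
console.log(recordHit(hitByIp));   // null: nothing to report for
```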