AutoSSRF – Smart Context-based SSRF Vulnerability Scanner

(Last Updated On: November 17, 2022)

autoSSRF is your best ally for identifying SSRF vulnerabilities at scale.

Unlike other SSRF automation tools, this one comes with the following two original features:

Smart fuzzing on relevant SSRF GET parameters

When fuzzing, autoSSRF only targets the query parameters commonly associated with SSRF (?url=, ?uri=, ...) and leaves everything else untouched. This ensures that the original URL is still interpreted correctly by the tested web application, which is not guaranteed with a tool that blindly sprays every query parameter.

Context-based dynamic payloads generation

Given the URL https://host.com/?fileURL=https://authorizedhost.com, autoSSRF recognizes authorizedhost.com as a host that is potentially white-listed by the web application, and generates payloads dynamically from it, attempting to bypass the white-list validation.

This produces payloads such as: http://authorizedhost.attacker.com, http://authorizedhost%[email protected], etc.

Furthermore, this tool produces almost no false positives. Detection relies on ProjectDiscovery's excellent interactsh, which lets autoSSRF confidently identify out-of-band DNS/HTTP interactions rather than guessing from response content.
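The payloads above are built to slip past a host allow-list that is checked loosely. The following is an added example, not code from autoSSRF, showing a weak allow-list check beside a hardened one; the allow-list, the prefix check and the test payloads are constructed for illustration.

```python
# Added example (not part of autoSSRF): why a prefix/substring allow-list
# check fails against context-based SSRF payloads, and a stricter check.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"authorizedhost.com"}  # constructed allow-list


def weak_is_allowed(url: str) -> bool:
    """Naive check: accept anything that starts with the allowed host name.

    Constructed example of a common mistake: both
    http://authorizedhost.attacker.com and a userinfo-style payload such as
    http://authorizedhost%23@attacker.com pass this test.
    """
    return url.startswith(("http://authorizedhost", "https://authorizedhost"))


def strict_is_allowed(url: str) -> bool:
    """Parse the URL and require: http(s) scheme, no userinfo, exact host.

    Comparing the parsed hostname (lower-cased, port stripped) against the
    allow-list defeats both sub-domain and '@'-userinfo tricks.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # anything before '@' means the real host is elsewhere
    host = parts.hostname
    if not host:
        return False
    return host in ALLOWED_HOSTS


def compare(urls):
    """Return {url: (weak_result, strict_result)} for a list of candidates."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare([
        "https://authorizedhost.com/report",
        "http://authorizedhost.attacker.com/",
        "http://authorizedhost%23@attacker.com/",
    ]).items():
        print(f"{url:45} weak={weak} strict={strict}")
```

Even the strict check only validates the submitted URL: the fetching client must also refuse to follow redirects to non-allow-listed hosts and should resolve the hostname to a public address before connecting.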

Usage

python3 autossrf.py -h

This displays help for the tool.

usage: autossrf.py [-h] [--file FILE] [--url URL] [--output] [--verbose]

options:

-h, --help show this help message and exit
--file FILE, -f FILE file of all URLs to be tested against SSRF
--url URL, -u URL url to be tested against SSRF
--output, -o output file path
--verbose, -v activate verbose mode

Single URL target:

python3 autossrf.py -u https://www.host.com/?param1=X&param2=Y&param2=Z

Multiple URLs target with verbose:

python3 autossrf.py -f urls.txt -v

Installation

1 – Clone

git clone https://github.com/Th0h0/autossrf.git

2 – Install requirements

Python libraries:

cd autossrf 
pip install -r requirements.txt

Interactsh-Client:

go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
