Summary
autoSSRF is your best ally for identifying SSRF vulnerabilities at scale. Different from other ssrf automation tools, this one comes with the two following original features :- Smart fuzzing on relevant SSRF GET parametersWhen fuzzing, autoSSRF only focuses on the common parameters related to SSRF (?url=, ?uri=, …) and doesn’t interfere with everything else. This ensures that the original URL is still correctly understood by the tested web-application, something that might doesn’t happen with a tool which is blindly spraying query parameters.
- Context-based dynamic payloads generationFor the given URL :
You must be registered for see links, autoSSRF would recognizeYou must be registered for see linksas a potentially white-listed host for the web-application, and generate payloads dynamically based on that, attempting to bypass the white-listing validation. It would result to interesting payloads such as :You must be registered for see links,You must be registered for see links, etc.
You must be registered for see links
, allowing autoSSRF to confidently identify out-of-band DNS/HTTP interactions.Usage
python3 autossrf.py -hThis displays help for the tool.
usage: autossrf.py [-h] [–file FILE] [–url URL] [–output] [–verbose] options: -h, --help show this help message and exit --file FILE, -f FILE file of all URLs to be tested against SSRF --url URL, -u URL url to be tested against SSRF --output, -o output file path --verbose, -v activate verbose mode
Single URL target:
python3 autossrf.py -u
You must be registered for see links
Multiple URLs target with verbose:
python3 autossrf.py -f urls.txt -v
Installation
1 - Clonegit clone
You must be registered for see links
2 - Install requirements
Python libraries :
cd autossrf pip install -r requirements.txt
Interactsh-Client :
go install -v
You must be registered for see links
License
autoSSRF is distributed under
You must be registered for see links
.GitHub:
You must be registered for see images
You must be registered for see links