Kali Linux

AutoSSRF : Smart Context-Based SSRF Vulnerabiltiy Scanner

AutoSSRF is your best ally for identifying SSRF vulnerabilities at scale. Different from other ssrf automation tools, this one comes with the two following original features :

  • Smart fuzzing on relevant SSRF GET parameters When fuzzing, autoSSRF only focuses on the common parameters related to SSRF (?url=, ?uri=, ..) and doesn’t interfere with everything else. This ensures that the original URL is still correctly understood by the tested web-application, something that might doesn’t happen with a tool which is blindly spraying query parameters.
  • Context-based dynamic payloads generation For the given URL : https://host.com/?fileURL=https://authorizedhost.com, autoSSRF would recognize authorizedhost.com as a potentially white-listed host for the web-application, and generate payloads dynamically based on that, attempting to bypass the white-listing validation. It would result to interesting payloads such as : http://authorizedhost.attacker.com, http://authorizedhost%252F@attacker.com, etc.

Furthermore, this tool guarantees almost no false-positives. The detection relies on the great ProjectDiscovery’s interactsh, allowing autoSSRF to confidently identify out-of-band DNS/HTTP interactions.

Usage

python3 autossrf.py -h

This displays help for the tool.

usage: autossrf.py [-h] [--file FILE] [--url URL] [--output] [--verbose]

options:
  -h, --help            show this help  message and exit
  --file FILE, -f FILE  file of all URLs to be tested against SSRF
  --url URL, -u URL     url to be tested against SSRF
  --output, -o          output file path
  --verbose, -v         activate verbose mode

Single URL target:

python3 autossrf.py -u https://www.host.com/?param1=X&param2=Y&param2=Z

Multiple URLs target with verbose:

python3 autossrf.py -f urls.txt -v

Installation

1 – Clone

git clone https://github.com/Th0h0/autossrf.git

2 – Install requirements

Python libraries :

cd autossrf 
pip install -r requirements.txt

Interactsh-Client :

go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
Click Here To Download
R K

Leave a Comment
Share
Published by
R K
Tags: AutoSSRFSSRFVulnerabiltiy Scanner
3 years ago

Recent Posts

Comments in Bash Scripts

What Are Bash Comments? In Bash scripting, comments are notes in your code that the…

14 hours ago

Shebang (#!) in Bash Script

When you write a Bash script in Linux, you want it to run correctly every…

1 day ago

Bash String Concatenation – Bash Scripting

Introduction If you’re new to Bash scripting, one of the first skills you’ll need is…

2 days ago

Learn Bash Scripting: How to Create and Run Shell Scripts for Beginners

What is Bash Scripting? Bash scripting allows you to save multiple Linux commands in a file and…

2 days ago

Bash if…else Statement – Bash Scripting

When it comes to automating tasks on Linux, Bash scripting is an essential skill for both beginners…

2 days ago

Bash Functions Explained: Syntax, Examples, and Best Practices

Learn how to create and use Bash functions with this complete tutorial. Includes syntax, arguments,…

5 days ago