See-SURF
A Python based scanner to find potential SSRF parameters in a web application.
Motivation
SSRF being one of the critical vulnerabilities out there in web, i see there was no tool which would automate finding potential vulnerable parameters. See-SURF can be added to your arsenal for recon while doing bug hunting/web security testing.
Screenshots
Tech/framework used
Built with
Python3
Features
-
Matches any GET URL Parameters containing keyword web/url (MORE TO BE ADDED).
Example google.com/url=https://yahoo.com
Also,
checks the parameter values for any URL or IP address passed.
Example: google.com/q=https://yahoo.com -
Matches any POST request INPUT params with "Name" attribute containing keyword web/url(MORE TO BE ADDED)
Also,
matches Values and Placeholder attribute containing a URL pattern.
Example: -
Multiple conditions to cut down false positives, as crawling pulls up a lot of stuff. Only same domain is crawled for now.
-
By Default, normal mode is On, with verbose switch you would see the same vulnerable param in different endpoints. Same parameter may not be sanitized at all places. But verbose mode generates a lot of noise.
Example:
https://google.com/abc/1/urlToConnect=https://yahoo.com
https://google.com/123/urlToConnect=https://yahoo.com -
Supply cookies for an authenticated scanning.
How to use?
This would run with default threads=10, no cookies/session and NO verbose mode
python3 see-surf.py -H https://www.google.com
Space separate Cookies can be supplied for an authenticated session crawling (Highly Recommended)
python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2
Supplying no. of threads and verbose mode (VERBOSE MODE IS NOT RECOMMENDED IF YOU DON'T WANT TO SPEND LONGER TIME BUT THE
POSSIBILITY OF BUG FINDING INCREASES)
python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2 -t 20 -v
By Default, normal mode is On, with verbose switch you would see the same potential vulnerable param in different endpoints.
(Same parameter may not be sanitized at all places. But verbose mode generates a lot of noise.)
Example:
https://google.com/abc/1/urlToConnect=https://yahoo.com
https://google.com/123/urlToConnect=https://yahoo.com
Installation
git clone https://github.com/In3tinct/See-SURF.git
cd See-SURF/
pip3 install BeautifulSoup4
pip3 install requests
Tests
A basic framework has been created. More tested would be added to reduce any false positives.
Contribute
- Report bugs.
- Suggestions for improvement.
- Suggestions for future extensions.
Credits
Template - https://gist.github.com/akashnimare/7b065c12d9750578de8e705fb4771d2f Stackoverflow and Entire Internet.
Future Extensions
- Include more places to look for potential params like Javascript files
- Finding potential params during redirection.
- More conditions to avoid false positives.
- Exploitation. (Hitting Bulls eye)
License
GNUV3 © [In3tinct]
Twitter - https://twitter.com/_In3tinct