{"id":13542135,"url":"https://github.com/teknogeek/ssrf-sheriff","last_synced_at":"2025-04-02T09:33:19.435Z","repository":{"id":45500559,"uuid":"215084746","full_name":"teknogeek/ssrf-sheriff","owner":"teknogeek","description":"A simple SSRF-testing sheriff written in Go","archived":false,"fork":false,"pushed_at":"2024-10-31T20:47:15.000Z","size":8,"stargazers_count":314,"open_issues_count":0,"forks_count":56,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-10-31T21:27:58.506Z","etag":null,"topics":["bugbounty","go","ssrf"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/teknogeek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-14T15:52:41.000Z","updated_at":"2024-10-31T20:47:19.000Z","dependencies_parsed_at":"2024-06-20T10:36:51.240Z","dependency_job_id":null,"html_url":"https://github.com/teknogeek/ssrf-sheriff","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teknogeek%2Fssrf-sheriff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teknogeek%2Fssrf-sheriff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teknogeek%2Fssrf-sheriff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/teknogeek%2Fssrf-sheriff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/teknogeek","download_url":"https://codeload.github.com/teknogeek/ssrf-sheriff/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246789159,"owners_count":20834240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","go","ssrf"],"created_at":"2024-08-01T10:01:01.821Z","updated_at":"2025-04-02T09:33:19.163Z","avatar_url":"https://github.com/teknogeek.png","language":"Go","funding_links":[],"categories":["Go","Exploitation","Weapons"],"sub_categories":["Server Side Request Forgery","Tools"],"readme":"# SSRF Sheriff\n\nThis is an SSRF testing sheriff written in Go. It was originally created for the [Uber H1-4420 2019 London Live Hacking Event](https://www.hackerone.com/blog/london-called-hackers-answered-recapping-h1-4420), but it is now being open-sourced for other organizations to implement and contribute back to.\n\n\n## Features\n\n- Respond to any HTTP method (`GET`, `POST`, `PUT`, `DELETE`, etc.)\n- Configurable secret token (see [base.example.yaml](config/base.example.yaml))\n- Content-specific responses\n  - With secret token in response body\n    - JSON\n    - XML\n    - HTML\n    - CSV\n    - TXT\n    - PNG\n    - JPEG\n  - Without token in response body\n    - GIF\n    - MP3\n    - MP4\n\n## Usage\n\n```bash\ngo get github.com/teknogeek/ssrf-sheriff\ncd $GOPATH/src/github.com/teknogeek/ssrf-sheriff\ncp config/base.example.yaml config/base.yaml\n\n# ... configure ...\n\ngo run main.go\n```\n\n### Example Requests:\n\n**Plaintext**\n```\n$ curl -sSD- http://127.0.0.1:8000/foobar\nHTTP/1.1 200 OK\nContent-Type: text/plain\nX-Secret-Token: SUP3R_S3cret_1337_K3y\nDate: Mon, 14 Oct 2019 16:37:36 GMT\nContent-Length: 21\n\nSUP3R_S3cret_1337_K3y\n```\n\n**XML**\n```\n$ curl -sSD- http://127.0.0.1:8000/foobar.xml\nHTTP/1.1 200 OK\nContent-Type: application/xml\nX-Secret-Token: SUP3R_S3cret_1337_K3y\nDate: Mon, 14 Oct 2019 16:37:41 GMT\nContent-Length: 81\n\n\u003cSerializableResponse\u003e\u003ctoken\u003eSUP3R_S3cret_1337_K3y\u003c/token\u003e\u003c/SerializableResponse\u003e\n```\n\n## TODO\n\n- Dynamically generate valid responses with the secret token visible for\n  - GIF\n  - MP3\n  - MP4\n- Secrets in HTTP response generated/created/signed per-request, instead of returning a single secret for all requests\n- TLS support\n\n## Credit\n\nInspired (and requested) by [Frans Rosén](https://twitter.com/fransrosen) during his [talk at BountyCon '19 Singapore](https://speakerdeck.com/fransrosen/live-hacking-like-a-mvh-a-walkthrough-on-methodology-and-strategies-to-win-big?slide=49)\n\n\n-----\n\nReleased under the [MIT License](LICENSE.txt).\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteknogeek%2Fssrf-sheriff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fteknogeek%2Fssrf-sheriff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteknogeek%2Fssrf-sheriff/lists"}