https://github.com/In3tinct/See-SURF

Python based scanner to find potential SSRF parameters
https://github.com/In3tinct/See-SURF

Last synced: 3 months ago
JSON representation

Python based scanner to find potential SSRF parameters

• Host: GitHub
• URL: https://github.com/In3tinct/See-SURF
• Owner: In3tinct
• License: gpl-3.0
• Created: 2019-06-22T00:58:13.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2024-03-22T21:49:08.000Z (8 months ago)
• Last Synced: 2024-06-06T20:02:44.042Z (5 months ago)
• Language: Python
• Size: 493 KB
• Stars: 280
• Watchers: 11
• Forks: 65
• Open Issues: 7
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - In3tinct/See-SURF - Python based scanner to find potential SSRF parameters (Python)

README

        
# See-SURF

A Python based scanner to find potential SSRF parameters in a web application. See-SURF helps you detect potential SSRF parameters and validates the finding it by making a DNS/HTTP request back to your server. It can be added to your arsenal of recon while doing bug hunting/web security testing.

![alt text](https://user-images.githubusercontent.com/18059590/61342276-849e2800-a7fe-11e9-9f2a-7ba3835903a8.png)

## Tech/framework used

Built with

- `Python3`

## Installation

`git clone https://github.com/In3tinct/See-SURF.git`


`cd See-SURF/`


`pip3 install BeautifulSoup4`


`pip3 install requests`

## How to use?

 Burp Sitemap (-b switch check below if you don't know what that is) & Connect back to your server ( -p switch ) 



 Complete Command would look like this -  


 `python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2 -b burp_file.xml -p http://72.72.72.72:8000` 


` -H - Host name/Ip address`


` -c - Cookies seperated by space (Some websites use multiple cookies for session tracking`


` -b (Optional but recommended) - Spider the request using burp, export the file and give it to see-surf as input (check detailed features on how to do it)`


` -p (Optional but recommended) - Your own web server/burp collaborator, the script will try to connect back for validation of SSRF params`



## Features

1) Takes burp's sitemap as input and parses and parses the file with a strong regex matches any GET/POST URL parameters containing potentially vulnerable SSRF keywords like URL/website etc. Also,

checks the parameter values for any URL or IP address passed.

Examples

GET request -


google.com/url=https://yahoo.com 


google.com/q=https://yahoo.com 


FORMS -
 ``





2) Multi-threaded In-built crawler to run and gather as much data as possible to parse and identify potentially vulnerable SSRF parameters. by default it uses 10 threads.





3) Supply cookies for an authenticated scanning.


`python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2`





4) By default, normal mode is On, with a verbose switch you would see the same vulnerable param in different endpoints. The same parameter may not be sanitized at all places. But verbose mode generates a lot of noise. 


`python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2 -t 20 -v` 


Example:


https://google.com/path/1/urlToConnect=https://yahoo.com 


https://google.com/differentpath/urlToConnect=https://yahoo.com





5) Exploitation - Makes an external request to burp collaborator or any other http server with the vulnerable parameter to confirm the possibility of SSRF. 





### Version-2 Features

[-] -b switch Provide burp sitemap files for a better discovery of potential SSRF parameters. The script would first parse the burp file and try to identify potential params and then run the built in crawler on it 



Browser the target with your burpsuite running at the background, make some GET/POST requests, the more the better. Then go to target, right click-> "Save selected Items" and save it. Provide to the script as follows. 


`python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2 -b burp_file.xml`

![alt text](https://user-images.githubusercontent.com/18059590/61342249-6a644a00-a7fe-11e9-87e8-3b26305cd8b5.png))

[-] -p switch Fire up burpsuite collaborator and pass the host with -p parameter Or start a simple python http server and wait for the 

vulnerable param to execute your request. (Highly Recommended)


(This basically helps in exploiting GET requests, for POST you would need to try to exploit it manually)


Payload will get executed with the param at the end of the string so its easy to identify which one is vulnerable.

For example: http://72.72.72.72:8000/vulnerableparam 


`python3 see-surf.py -H https://www.google.com -c cookie_name1=value1 cookie_name2=value2 -p http://72.72.72.72:8000`

![alt text](https://user-images.githubusercontent.com/18059590/61342277-849e2800-a7fe-11e9-832b-7de37cb027ff.png)

## Contribute

- Report bugs.

- Suggestions for improvement.

- Suggestions for future extensions.

## Future Extensions

- Include more places to look for potential params like Javascript files

- Finding potential params during redirection.

- Exploitation.

- Hidden parameters.

## License

GNUV3 © [In3tinct]