loading
loading
Vulnerabilities
A tool to find Server-Side Request Forgery vulnerabilities.
overview
ssrfuzz hunts for server-side request forgery. Give it a list of URLs that carry parameters and it swaps each value for an SSRF payload, then watches for the responses that show the server reached out to an address it was told to fetch. Scheme fuzzing, network fuzzing, and CRLF injection all run in a single pass.
The payloads aim at the addresses SSRF exposes: loopback, internal hosts, and cloud metadata endpoints like the 169.254.169.254 IMDS that hands back credentials on AWS and GCP. Scheme fuzzing swaps http for gopher, file, and dict to reach services a plain URL cannot, and CRLF fuzzing folds header injection into the same run.
Tune it to the target. Skip any category that does not apply, switch between GET and POST bodies, and set threads and delay to push hard or stay quiet. Feed it parameterized URLs from a crawler or a parameter-discovery stage so it fuzzes inputs worth testing, and point a Slack webhook at the run to get confirmed hits in a channel as they land.
use cases
Fuzz parameterized URLs with SSRF payloads to surface endpoints where the server fetches an attacker-controlled address.
Point network and scheme fuzzing at loopback, internal ranges, and metadata endpoints like 169.254.169.254 to test whether a parameter can pull AWS or GCP credentials.
Add CRLF payloads to available paths with --crlf-path so header injection surfaces alongside SSRF instead of in a separate scan.
Skip scheme or network fuzzing, choose GET or POST, and set threads and delay so the run matches the app's request shapes and its rate limits.
Give ssrfuzz a Slack webhook so confirmed hits post to a channel while the scan runs, not only when it finishes.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-domains | FILE | --domains | File of URLs with parameters to fuzz. |
| http-method | STRING | --http-method | HTTP method, GET or POST (default "GET"). |
| threads | STRING | --threads | Number of threads to run ssrfuzz on (default 50). |
| delay | STRING | --delay | Time each thread waits between requests, in milliseconds (default 100). |
| skip-crlf | BOOLEAN | --skip-crlf | Skip CRLF fuzzing. |
| skip-scheme | BOOLEAN | --skip-scheme | Skip scheme fuzzing. |
| skip-network | BOOLEAN | --skip-network | Skip network fuzzing. |
| slack-webhook | STRING | --slack-webhook | Slack webhook to post findings to a channel. |
Showing key inputs. ssrfuzz exposes 13 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| delay | STRING | --delay | Time each thread waits between requests, in milliseconds (default 100). |
| cookie | STRING | --cookie | Cookie to send with each request. |
| threads | STRING | --threads | Number of threads to run ssrfuzz on (default 50). |
| timeout | STRING | --timeout | Seconds to wait before closing a connection that has hung (default 10). |
| verbose | STRING | --verbose | Enable verbose output. |
| crlf-path | STRING | --crlf-path | Add CRLF payloads to every available path (e.g. example.com/%0Atest.php). |
| skip-crlf | BOOLEAN | --skip-crlf | Skip CRLF fuzzing. |
| http-method | STRING | --http-method | HTTP method, GET or POST (default "GET"). |
| skip-scheme | BOOLEAN | --skip-scheme | Skip scheme fuzzing. |
| skip-network | BOOLEAN | --skip-network | Skip network fuzzing. |
| slack-webhook | STRING | --slack-webhook | Slack webhook to post findings to a channel. |
| target-domains | FILE | --domains | File of URLs with parameters to fuzz. |
| custom-user-agent | STRING | --user-agent | User agent for requests (defaults to a Chrome on Linux string). |
example
# fuzz a list of parameterized URLs for SSRF and CRLF, POST bodies, throttledssrfuzz --domains params.txt --http-method POST --threads 25 --delay 200ssrfuzz :: Server-Side Request Forgery Fuzzer [network] https://example.com/fetch?url= -> injecting SSRF payloads[network] SSRF candidate: https://example.com/fetch?url=http://203.0.113.10/ status=200 len=1462[scheme] https://example.com/api?proxy= -> injecting scheme payloads[scheme] SSRF candidate: https://example.com/api?proxy=gopher://203.0.113.10:11211/ status=500 len=94[crlf] https://example.com/%0d%0aSet-Cookie:ssrf=1 -> header injecteddone: 2 SSRF candidates, 1 CRLF candidate written to ssrfuzz-output/guidance
Use ssrfuzz when you have URLs with parameters and want to test them specifically for SSRF and CRLF. It needs parameterized inputs, so feed it a crawler or parameter-discovery output rather than bare hostnames. For broad template-based testing, pair it with a general scanner.
Template-based scanner with SSRF checks among many. ssrfuzz focuses entirely on SSRF and CRLF fuzzing depth.
General request fuzzer. ssrfuzz ships SSRF-specific payloads and scheme/network logic out of the box.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A file of parameterized URLs feeds ssrfuzz, which injects SSRF and CRLF payloads and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.