
swisskyrepo/SSRFmap

★ 3,583 · Python · MIT · updated Sep 2025

Automatic SSRF fuzzer and exploitation tool

SSRFmap is a pentest tool that takes a captured HTTP request (e.g., from Burp) and systematically exploits an SSRF vulnerability in a named parameter across a menu of ~20 backend services. It speaks the Gopher protocol to reach Redis, FastCGI, MySQL, SMTP and others, and can chain through to RCE or credential theft. Aimed squarely at CTF players and pentesters who've already confirmed an SSRF and want to weaponize it fast.

The Burp request file as input is a genuinely good UX decision — no custom format to learn, just drop in what you captured. Module coverage is wide and practical: cloud metadata endpoints (AWS, GCE, DigitalOcean, Alibaba), Redis/FastCGI RCE, and SMB hash capture cover the scenarios that actually show up in real assessments. The `--level` flag encoding the IP in multiple bypass forms (e.g., `127.0.0.1` → `[::1]` → `0177.0.0.1`) is something you'd otherwise spend 20 minutes doing by hand. The plugin template is clean enough that adding a new service is maybe 30 lines.
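Seen from the defending side, those alternate spellings are the reason an SSRF filter has to canonicalize a host literal before comparing it to a blocklist. The following is an added example, not code from SSRFmap or from this review; the function names are hypothetical, and the parser follows the classic `inet_aton` numeric rules (hex, octal, short forms), which covers more than the three forms quoted.

```python
import ipaddress
import re

_NUM = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _legacy_ipv4(host):
    """Parse an IPv4 literal with inet_aton rules (hex, octal, short forms)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x"
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p) for p in parts]
    except ValueError:          # e.g. "08" is not valid octal
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def canonical_ip(host):
    """Return the address a host literal denotes, or None if it is a name."""
    host = host.strip().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        try:
            ip = ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return None
        return ip.ipv4_mapped if ip.ipv4_mapped is not None else ip
    return _legacy_ipv4(host)

def classify(host):
    ip = canonical_ip(host)
    if ip is None:
        return "hostname"       # resolve it, then classify every returned address
    internal = (ip.is_loopback or ip.is_private
                or ip.is_link_local or ip.is_unspecified)
    return "internal" if internal else "external"

if __name__ == "__main__":
    # Constructed sample: the three forms quoted above, a public address, a name.
    for h in ["127.0.0.1", "[::1]", "0177.0.0.1", "8.8.8.8", "example.com"]:
        print(f"{h:12} -> {canonical_ip(h)} ({classify(h)})")
```

A `"hostname"` result is not a pass: the name still has to be resolved and each resulting address classified before the outbound request is made.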

The modules directory has no tests, and several modules (github, zabbix) target specific old versions, with no indication in the README of which are still relevant and which are historical curiosities. Error handling across modules is inconsistent; a failed Gopher payload tends to fail silently rather than telling you why. The `--level` bypass coverage is shallow compared to dedicated SSRF bypass lists; hitting a non-trivial WAF will exhaust the built-in options quickly. The Python 3.4+ claim in the badge is aspirational: the codebase hasn't been updated to handle modern async patterns and the requirements aren't pinned, so dependency rot is likely.

