ssrf-sheriff: SSRF testing sheriff written in Go
SSRF Sheriff
This is an SSRF testing sheriff written in Go. It was originally created for the Uber H1-4420 2019 London Live Hacking Event, but it is now being open-sourced for other organizations to implement and contribute back to.
Features

- Respond to any HTTP method (GET, POST, PUT, DELETE, etc.)
- Configurable secret token (see base.example.yaml)
- Content-specific responses
  - With the secret token in the response body
    - JSON
    - XML
    - HTML
    - CSV
    - TXT
  - Without token in the response body
    - GIF
    - PNG
    - JPEG
    - MP3
    - MP4
Use

```shell
go get github.com/teknogeek/ssrf-sheriff
cd $GOPATH/src/github.com/teknogeek/ssrf-sheriff
cp config/base.example.yaml config/base.yaml
# … configure …
go run main.go
```
Example Requests:
Plaintext

```
$ curl -sSD- http://127.0.0.1:8000/foobar
HTTP/1.1 200 OK
Content-Type: text/plain
X-Secret-Token: SUP3R_S3cret_1337_K3y
Date: Mon, 14 Oct 2019 16:37:36 GMT
Content-Length: 21

SUP3R_S3cret_1337_K3y
```
XML

```
$ curl -sSD- http://127.0.0.1:8000/foobar.xml
HTTP/1.1 200 OK
Content-Type: application/xml
X-Secret-Token: SUP3R_S3cret_1337_K3y
Date: Mon, 14 Oct 2019 16:37:41 GMT
Content-Length: 81

<SerializableResponse><token>SUP3R_S3cret_1337_K3y</token></SerializableResponse>
```
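The behaviour the examples above show, as an added illustration that is not the project's own code: a handler that answers every method and path, picks the response format from the path extension, always returns the token in `X-Secret-Token`, and embeds it in the body only for text formats. The plaintext and XML bodies match the README output; the JSON, HTML and CSV body shapes and the content types for the binary formats are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Response format per request-path extension. A non-empty body is a format
// string that receives the token; an empty body means header-only (binary formats).
var formats = map[string]struct{ contentType, body string }{
	"":      {"text/plain", "%s"},
	".txt":  {"text/plain", "%s"},
	".json": {"application/json", `{"token":"%s"}`},                                          // assumed shape
	".xml":  {"application/xml", "<SerializableResponse><token>%s</token></SerializableResponse>"},
	".html": {"text/html", "<html><body>%s</body></html>"},                                 // assumed shape
	".csv":  {"text/csv", "token\n%s\n"},                                                   // assumed shape
	".gif":  {"image/gif", ""},
	".png":  {"image/png", ""},
	".jpg":  {"image/jpeg", ""},
	".jpeg": {"image/jpeg", ""},
	".mp3":  {"audio/mpeg", ""},
	".mp4":  {"video/mp4", ""},
}

// SheriffHandler serves any HTTP method: the format comes from the extension
// (case-insensitive, unknown extensions fall back to plaintext) and the token
// is always placed in the X-Secret-Token header so header-leaking SSRF is visible too.
func SheriffHandler(token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		f, ok := formats[strings.ToLower(path.Ext(r.URL.Path))]
		if !ok {
			f = formats[""]
		}
		w.Header().Set("Content-Type", f.contentType)
		w.Header().Set("X-Secret-Token", token)
		w.WriteHeader(http.StatusOK)
		if f.body != "" {
			fmt.Fprintf(w, f.body, token)
		}
	})
}

func main() {
	// Constructed token for the example; the real tool reads it from config/base.yaml.
	http.ListenAndServe("127.0.0.1:8000", SheriffHandler("EXAMPLE_TOKEN"))
}
```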
Copyright (c) 2019 Joel Margolis
Source: https://github.com/teknogeek/