Hi folks,
I'm the creator of See-SURF. Excited to announce an update to See-SURF with v3.0, for detecting Server-Side Request Forgery (SSRF) vulnerabilities! The earlier version was pattern-matching based (tons of FPs, as you know), but after experimenting with AI/LLMs, I've just merged some major enhancements that bring AI context capabilities and Out-of-Band (OOB) / Blind SSRF detection to the scanner.
- AI-Powered Detection & Exploitation for Non-Blind/Reflected SSRF:
  - Leverages Google Gemini, OpenAI (GPT-4/4o), or local Ollama models to intelligently analyze web application responses.
  - Generates custom payloads to target internal services (e.g., AWS metadata endpoints, internal IPs) based on AI-driven fingerprinting.
  - AI validates the output to confirm sensitive data leakage, reducing false positives.
- Blind SSRF with OOB Detection (Webhook.site):
  - For parameters that don't reflect directly, See-SURF now integrates with Webhook.site to detect out-of-band interactions as well.
Check it out - https://github.com/In3tinct/See-SURF
Feedback is very welcome!
The code does need improvement and needs to be made modular; I first wrote it in 2019.
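The blind/OOB part of the announcement above comes down to one mechanic: give every injected parameter its own unique canary URL on the listener, then map each callback the listener records back to the parameter whose canary it carries. The following is an added example of that correlation logic, written for this page and not taken from See-SURF's code base. It assumes Webhook.site's request-listing endpoint is `GET https://webhook.site/token/<uuid>/requests` returning `{"data": [...]}` with `url`, `ip`, `user_agent` and `created_at` fields (verify against the live API before relying on it); the target URL `https://target.example/fetch`, the parameter names `url` and `img`, the token `WEBHOOK_ID`, and the sample listener response are all constructed for the demo. Only query-string parameters are injected; POST bodies and headers would need their own `inject` variant.

```python
"""Blind SSRF / OOB detection helper: one canary per parameter, then correlate callbacks.

Added example, not See-SURF code. The Webhook.site endpoint shape below is an assumption.
"""
import json
import secrets
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WEBHOOK_BASE = "https://webhook.site"  # assumed; any OOB listener you control works the same way


def inject(target_url, param, value):
    """Return target_url with query parameter `param` set to `value` (query string only)."""
    parts = urlsplit(target_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def make_probes(target_url, webhook_uuid, params, token_fn=lambda: secrets.token_hex(4)):
    """Build one probe per parameter.

    The canary path segment is unique per parameter, so a callback tells you *which*
    parameter the server fetched, not merely that something on the server made a request.
    """
    probes = {}
    for param in params:
        canary = token_fn()
        callback = f"{WEBHOOK_BASE}/{webhook_uuid}/{canary}"
        probes[canary] = {"param": param, "url": inject(target_url, param, callback)}
    return probes


def fetch_webhook_requests(webhook_uuid, timeout=10):
    """Poll Webhook.site for requests received on this token (live network call; assumed endpoint)."""
    with urllib.request.urlopen(f"{WEBHOOK_BASE}/token/{webhook_uuid}/requests", timeout=timeout) as r:
        return json.load(r)


def correlate(probes, webhook_response, ignore_ips=()):
    """Map recorded callbacks back to the parameter whose canary they carry.

    Requests without a known canary (index scanners, someone opening the token root in a
    browser) are dropped, as are hits from `ignore_ips` (e.g. your own egress IP), so you
    do not flag your own verification click as the target's server fetching the URL.
    """
    hits = {}
    for req in webhook_response.get("data", []):
        canary = urlsplit(req.get("url", "")).path.rstrip("/").rsplit("/", 1)[-1]
        probe = probes.get(canary)
        if probe is None or req.get("ip") in ignore_ips:
            continue
        hits.setdefault(probe["param"], []).append({
            "ip": req.get("ip"),
            "user_agent": req.get("user_agent"),
            "created_at": req.get("created_at"),
        })
    return hits


# Constructed sample of what the listing endpoint returns; not real traffic.
# Entry 1: the target fetched the `url` canary (note the server-side User-Agent).
# Entry 2: unrelated noise on the token root.  Entry 3: the tester's own IP hitting the canary.
SAMPLE_WEBHOOK_RESPONSE = {
    "data": [
        {"method": "GET", "url": "https://webhook.site/WEBHOOK_ID/aaaa1111",
         "ip": "203.0.113.10", "user_agent": "Java/11.0.2", "created_at": "2024-05-01 10:00:03"},
        {"method": "GET", "url": "https://webhook.site/WEBHOOK_ID",
         "ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "created_at": "2024-05-01 10:00:09"},
        {"method": "GET", "url": "https://webhook.site/WEBHOOK_ID/aaaa1111",
         "ip": "192.0.2.50", "user_agent": "curl/8.0", "created_at": "2024-05-01 10:00:12"},
    ]
}


def demo():
    """Deterministic canaries so the demo lines up with the constructed sample above."""
    tokens = iter(["aaaa1111", "bbbb2222"])
    probes = make_probes("https://target.example/fetch?url=http://x&img=a", "WEBHOOK_ID",
                         ["url", "img"], token_fn=lambda: next(tokens))
    # In a real run: send each probes[c]["url"] to the target, wait a little, then
    # webhook_response = fetch_webhook_requests("WEBHOOK_ID") instead of the sample.
    return correlate(probes, SAMPLE_WEBHOOK_RESPONSE, ignore_ips={"192.0.2.50"})


if __name__ == "__main__":
    for param, calls in demo().items():
        print(f"[BLIND SSRF] param={param!r} fetched by {calls[0]['ip']} ({calls[0]['user_agent']})")
```

Two things worth keeping from this even if you use a different listener: the canary must be unpredictable (so a stray hit on a guessed path cannot masquerade as a finding) and the callback's source IP and User-Agent should be reported with the finding, since a server-side fetch from the target's egress range with a library User-Agent is the evidence a reviewer will ask for.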