The Ultimate Server-Side Request Forgery Framework for Red Teams & Bug Bounty Hunters
SSRFHunter Elite v3.0 is a comprehensive, AI-enhanced SSRF (Server-Side Request Forgery) exploitation framework that automates the entire SSRF attack lifecycle from reconnaissance to critical impact demonstration. Built for elite red teams and bug bounty hunters, it integrates 2025's most advanced SSRF techniques, including GraphQL/WebSocket exploitation, serverless RCE chains, container escape vectors, and cloud metadata abuse.
- 452% surge detection patterns from 2025 threat landscape
- CVE-2025 specific exploits: Oracle EBS (CVE-2025-61882), Azure OpenAI (CVE-2025-53767)
- AI-generated payloads with context-aware obfuscation
- Serverless targeting: Lambda, GCP Functions, Azure Functions exploitation
- Kubernetes/container escape via CVE-2025-31133
- URL Discovery: Integrates `gau`, `katana`, `waybackurls`, `urlfinder`
- GraphQL Endpoint Detection: Auto-discovers `/graphql`, `/gql`, `/query` endpoints
- WebSocket Detection: Identifies `ws://`, `wss://` upgrade vectors
- AI Platform Detection: Targets OpenAI, Azure AI, GCP AI endpoints
- Wildcard Domain Support: Scans `*.target.com` automatically
- Standard Payloads: 50+ classic SSRF indicators
- Cloud Metadata: AWS IMDSv2, GCP, Azure, Oracle Cloud (100+ paths)
- Container/K8s: Kubernetes API, Docker socket, etcd, kubelet
- WAF Bypass: Unicode normalization, encoding, protocol smuggling, multipart confusion
- OOB/Blind SSRF: Integrated interactsh/Burp Collaborator callbacks
- AI-Generated: Context-aware bypass techniques
- HTTP Redirect Loops: Novel 2025 validation bypass
- Randomized Delays: 1-5 second jitter between requests
- User-Agent Rotation: 20+ realistic agents (browsers + AI clients)
- Proxy Support: HTTP/SOCKS5 rotation
- WAF Fingerprinting: Auto-detects Cloudflare, AWS WAF, Akamai, Imperva
- Request Jitter: Avoids detection patterns
- Confidence Scoring: Auto-calculates CVSS (1.0-10.0)
- Credential Extraction: Regex patterns for AWS, GCP, Azure, K8s tokens
- Response Diffing: Time-based, size-based, header-based detection
- Intelligent Correlation: Links OOB callbacks to source IPs
- Behavioral Analysis: Detects internal vs external service responses
- GraphQLSSRFDetector: Field resolver injection, introspection abuse
- WebSocketSSRFDetector: Handshake hijacking, real-time testing
- ServerlessExploitationEngine: Metadata + runtime API chaining
- ContainerEscapeEngine: Docker socket, K8s API abuse
- RedirectLoopSSRFEngine: Novel HTTP redirect bypass
- Markdown Report: Professional executive summary
- JSON Results: Machine-readable for CI/CD integration
- Specialized Outputs: `graphql_ssrf.json`, `websocket_ssrf.json`, `serverless_exploitation.json`, `container_escape.json`, `cloud_metadata.json`
- Evidence Packaging: Screenshots, curl commands, HTTP traces
```bash
# Install Go tools (required for URL discovery)
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/projectdiscovery/urlfinder/cmd/urlfinder@latest

# Verify installation
which gau katana waybackurls urlfinder
```

```bash
# Install Python 3.8+
python3 --version

# Install required packages
pip install aiohttp aiofiles websocket-client

# Or install via requirements.txt
pip install -r requirements.txt
```

```bash
git clone https://github.com/BotGJ16/GF_Patterns/ssrfhunter-elite
cd ssrfhunter-elite
chmod +x ssrfhunter_elite_v3.py
```

```bash
# Standard domain scan
python ssrfhunter_elite_v3.py -d target.com -o results/

# Wildcard domain scan (quote the pattern so the shell does not expand it)
python ssrfhunter_elite_v3.py -d "*.target.com" -o results/ --concurrency 20
```

```bash
# Slow, undetectable scan with proxy
python ssrfhunter_elite_v3.py -d target.com -o results/ \
  --stealth --proxy http://127.0.0.1:8080 --concurrency 3
```

```bash
# With cookies and JWT token
python ssrfhunter_elite_v3.py -d target.com -o results/ \
  --session admin \
  --cookie "session=abc123;token=xyz456" \
  --jwt "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
  --header "X-API-Key:secret123"
```

```bash
# Target Azure OpenAI, GCP AI, etc.
python ssrfhunter_elite_v3.py -d openai.azure.com -o results/ --ai-platform
```

```bash
# Internal K8s scan with escape attempts
python ssrfhunter_elite_v3.py -d k8s.internal -o results/ \
  --internal-scan --container-escape --full-arsenal
```

```bash
# Enable EVERYTHING (elite red team mode)
python ssrfhunter_elite_v3.py -d "*.target.com" -o results/ \
  --full-arsenal --concurrency 20 --stealth
```

```text
results/
├── all_urls_2025.txt              # All discovered URLs (including GraphQL/WS)
├── ssrf_urls_2025.txt             # URLs with SSRF parameters
├── ssrf_results_2025.json         # Complete test results
├── cloud_metadata.json            # Cloud credentials found
├── graphql_ssrf.json              # GraphQL-specific findings
├── websocket_ssrf.json            # WebSocket SSRF results
├── serverless_exploitation.json   # Serverless RCE chains
├── container_escape.json          # K8s/Docker escape vectors
└── ssrf_report_2025.md            # Professional markdown report
```
The tool doesn't just run gau and katana - it intelligently merges results and auto-discovers 2025 endpoints:
- GraphQL: `/graphql`, `/gql`, `/api/graphql`, `/v1/graphql`
- WebSocket: `ws://`, `wss://` upgrade endpoints
- AI Platforms: OpenAI, Azure AI, GCP AI endpoints
- Serverless: `.lambda-url`, `.cloudfunctions.net`, `.azurewebsites.net`
Every payload is CVSS-scored and categorized:
- Standard: Classic SSRF (score: 7.5)
- Cloud Metadata: AWS IMDSv2, GCP, Azure (score: 9.0)
- Container/K8s: Docker socket, K8s API (score: 10.0)
- WAF Bypass: Unicode, encoding, protocol smuggling (score: 8.5)
- OOB/Blind: interactsh integration (score: 6.5)
- AI-Generated: Context-aware (score: 8.0)
- CVE-2025: Oracle EBS, Azure OpenAI (score: 10.0)
The AI engine calculates confidence based on:
- Status codes (200/30x = +1)
- Response time (<0.1s or >15s = +2)
- Content size (<200B or >10KB = +1)
- WAF bypass success (+2)
- Network errors (+1)
- Cloud metadata leaked (+3)
- K8s/API access (+3)
Confidence Levels:
- critical (score ≥3): Immediate action required
- high (score 2): Likely exploitable
- medium (score 1): Possible SSRF
- low (score 0): Unlikely
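The category table and confidence signals above are enough to rank results consistently when triaging a large scan. The script below is an added example written for this README, not code from SSRFHunter Elite; it reimplements the listed weights and thresholds as a standalone triage helper. The `Observation` field names are an assumption about what one test case records, and "10KB" is taken as 10 * 1024 bytes.

```python
"""Rank SSRF scan results with the README's confidence heuristic and CVSS table.

Added example for triage, not code from SSRFHunter Elite itself. The
Observation fields are an assumption about what one test case records; the
weights and category scores are the ones listed in the README. "10KB" is
taken as 10 * 1024 bytes (assumption).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Payload category -> CVSS score, as listed in the README.
CATEGORY_CVSS = {
    "standard": 7.5,
    "cloud_metadata": 9.0,
    "container_k8s": 10.0,
    "waf_bypass": 8.5,
    "oob_blind": 6.5,
    "ai_generated": 8.0,
    "cve_2025": 10.0,
}


@dataclass
class Observation:
    """Outcome of one test case (field names are assumptions for this example)."""
    category: str
    status: Optional[int]      # HTTP status code, None when no response arrived
    elapsed: float             # response time in seconds
    size: int                  # response body size in bytes
    waf_bypassed: bool = False
    network_error: bool = False
    metadata_leaked: bool = False
    k8s_api_access: bool = False


def confidence_score(o: Observation) -> int:
    """Sum the signal weights from the README's confidence table."""
    score = 0
    if o.status is not None and (o.status == 200 or 300 <= o.status <= 399):
        score += 1          # status 200/30x
    if o.elapsed < 0.1 or o.elapsed > 15:
        score += 2          # suspiciously fast or hanging until timeout
    if o.size < 200 or o.size > 10 * 1024:
        score += 1          # unusual body size
    if o.waf_bypassed:
        score += 2
    if o.network_error:
        score += 1
    if o.metadata_leaked:
        score += 3
    if o.k8s_api_access:
        score += 3
    return score


def confidence_level(score: int) -> str:
    """Map a raw score to the README's four confidence levels."""
    if score >= 3:
        return "critical"
    if score == 2:
        return "high"
    if score == 1:
        return "medium"
    return "low"


def triage(o: Observation) -> Tuple[str, float]:
    """Return (confidence level, CVSS score) for one observation."""
    return confidence_level(confidence_score(o)), CATEGORY_CVSS[o.category]


def rank(observations):
    """Sort findings so the highest CVSS and confidence come first."""
    order = {"critical": 3, "high": 2, "medium": 1, "low": 0}
    return sorted(
        observations,
        key=lambda o: (CATEGORY_CVSS[o.category],
                       order[confidence_level(confidence_score(o))]),
        reverse=True,
    )


if __name__ == "__main__":
    # Constructed sample observations.
    sample = [
        Observation("standard", 200, 1.0, 3000),
        Observation("cloud_metadata", 200, 0.5, 5000, metadata_leaked=True),
        Observation("standard", 500, 1.0, 3000),
    ]
    for o in rank(sample):
        print(o.category, *triage(o))
```

Note how additive the heuristic is: a fast 404 with a tiny body already reaches "critical" (2 + 1) without any content evidence, so the level is a prioritisation hint for manual verification, not a confirmation.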
Live stats during scan:

```text
============================================================
SSRFHUNTER ELITE - REALTIME DASHBOARD (2025)
============================================================
URLs Collected     : 15,432
SSRF-Susceptible   : 1,247
Test Cases         : 24,680
Potential Findings : 892
High Confidence    : 156
Cloud Metadata     : 23
Internal Services  : 67
Blind SSRF         : 45
GraphQL SSRF       : 12
WebSocket SSRF     : 8
Serverless RCE     : 34
Container Escape   : 19
CVE-2025 Exploits  : 5
============================================================
```
Each engine handles a specific 2025 attack vector:
- GraphQLSSRFDetector: Tests field resolvers, mutations, nested queries
- WebSocketSSRFDetector: Performs handshake tests, message injection
- ServerlessExploitationEngine: Chains metadata access to runtime API abuse
- ContainerEscapeEngine: Tests Docker socket, K8s exec, etcd access
- RedirectLoopSSRFEngine: Uses HTTP redirect chains to bypass validation
The markdown report includes:
- Executive Summary: CVSS scores, impact assessment
- Cloud Metadata Section: Stolen credentials, platform-specific guidance
- Container Escape Section: K8s API access, escape paths
- GraphQL/WebSocket Sections: Specialized findings
- CVE-2025 Section: Specific exploit confirmations
- 2025 Recommendations: Immediate, short-term, long-term actions
```bash
# Find P1 SSRF in minutes
python ssrfhunter_elite_v3.py -d api.target.com -o bounty_results/
# Check for blind SSRF with OOB
# Submit high-confidence findings to HackerOne/Bugcrowd
```

```bash
# Internal network recon via SSRF
python ssrfhunter_elite_v3.py -d internal.app -o redteam/ --internal-scan
# Cloud credential exfiltration
# Use stolen keys for lateral movement
```

```bash
# Audit cloud metadata protection
python ssrfhunter_elite_v3.py -d ec2-instance.com -o cloud_audit/
# Verify IMDSv2 implementation
# Check for serverless metadata leaks
```

```bash
# Automated scanning in pipeline
python ssrfhunter_elite_v3.py -d staging.app -o ci_cd/ --json-output
# Parse results.json for critical findings
# Fail pipeline on CVSS ≥9.0
```

```text
+---------------------------------------------------------------+
|                     SSRFHunter Elite v3.0                     |
|                       2025 SSRF Arsenal                       |
+---------------------------------------------------------------+
                                |
                                v
+---------------------------------------------------------------+
|                     RECONNAISSANCE PHASE                      |
|      +---------+ +---------+ +-------------+ +----------+     |
|      |   GAU   | | Katana  | | WaybackURLs | | URLFinder|     |
|      +----+----+ +----+----+ +------+------+ +----+-----+     |
|           |           |             |             |           |
|           +-----------+-------+-----+-------------+           |
|                               |                               |
|        +----------------------+----------------------+        |
|        |         GraphQL Endpoint Detection          |        |
|        |         WebSocket Upgrade Detection         |        |
|        +----------------------+----------------------+        |
|                               |                               |
+-------------------------------+-------------------------------+
                                v
+---------------------------------------------------------------+
|           PAYLOAD GENERATION PHASE (200+ variants)            |
|        +-------------+ +-------------+ +-------------+        |
|        |  Standard   | |    Cloud    | | WAF Bypass  |        |
|        |  Metadata   | |  Container  | |   AI-Gen    |        |
|        +------+------+ +------+------+ +------+------+        |
|               |               |               |               |
|        +------+------+ +------+------+ +------+------+        |
|        |  Redirect   | |   GraphQL   | |  WebSocket  |        |
|        |    Loop     | |    SSRF     | |    SSRF     |        |
|        +------+------+ +------+------+ +------+------+        |
|               +---------------+---------------+               |
|                               |                               |
+-------------------------------+-------------------------------+
                                v
+---------------------------------------------------------------+
|               TESTING & ANALYSIS PHASE (Async)                |
|        +-------------+ +-------------+ +-------------+        |
|        |   Stealth   | |  WAF Evade  | | OOB Detect  |        |
|        +------+------+ +------+------+ +------+------+        |
|               |               |               |               |
|        +------+------+ +------+------+ +------+------+        |
|        |    CVSS     | |    Cloud    | |  Container  |        |
|        |   Scoring   | |  Metadata   | |   Escape    |        |
|        +------+------+ +------+------+ +------+------+        |
|               +---------------+---------------+               |
|                               |                               |
+-------------------------------+-------------------------------+
                                v
+---------------------------------------------------------------+
|                REPORTING PHASE (Professional)                 |
|        +-------------+ +-------------+ +-------------+        |
|        |  Markdown   | |    JSON     | |  Evidence   |        |
|        |   Report    | |   Results   | |   Package   |        |
|        +-------------+ +-------------+ +-------------+        |
+---------------------------------------------------------------+
```
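The "audit cloud metadata protection" use case above ends with "Verify IMDSv2 implementation". On the defending side that check does not need an SSRF at all: the instance metadata settings are visible to the account owner. The script below is an added example written for this README, not part of SSRFHunter Elite; it consumes the JSON that `aws ec2 describe-instances --output json` prints (run that command yourself and pass the file path as the first argument) and flags the two settings that decide what an SSRF reaching the metadata service can obtain. The instance IDs in the embedded sample are constructed.

```python
"""Audit EC2 instance metadata settings for IMDSv1 exposure.

Added example for the "audit cloud metadata protection" use case; it is not
part of SSRFHunter. It reads the output of `aws ec2 describe-instances
--output json` and flags the settings that matter when an SSRF reaches
169.254.169.254: HttpTokens must be "required" (IMDSv2 only) and
HttpPutResponseHopLimit should be 1 so the IMDSv2 token response never
hops past the instance into a container network namespace.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddd444example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def audit_metadata_options(describe_output: dict) -> dict:
    """Return {instance_id: [issue, ...]} for instances with weak IMDS settings."""
    issues = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS unreachable from the instance; nothing for SSRF to read
            found = []
            if opts.get("HttpTokens") != "required":
                found.append("IMDSv1 allowed (HttpTokens != required)")
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                found.append("hop limit > 1: IMDSv2 tokens reachable from containers")
            if found:
                issues[inst["InstanceId"]] = found
    return issues


def main(argv):
    """Print one line per weak setting; exit 1 when anything was found."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    issues = audit_metadata_options(data)
    for inst_id, found in issues.items():
        for msg in found:
            print(f"{inst_id}: {msg}")
    return 1 if issues else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Instances the script flags can be fixed with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; with tokens required, a plain GET from an SSRF primitive gets a 401 from IMDS, and with hop limit 1 the PUT that mints a token is answered only to the instance itself.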
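The pipeline use case above says to parse the JSON results and fail the build on CVSS ≥9.0. The gate below is an added example written for this README, not part of the tool. The JSON layout it reads is an assumption (either a bare list of findings or an object with a `findings` list, each entry carrying `url`, `category`, `cvss` and `confidence`); adjust the keys to match the file the scanner actually writes. The embedded sample results are constructed.

```python
"""Fail a CI/CD job when an SSRFHunter results file contains critical findings.

Added example for the pipeline use case; it is not part of the tool. The JSON
layout is an assumption: a list of findings, or an object wrapping a
"findings" list, each with "url", "category", "cvss" and "confidence".
Usage: python gate.py ci_cd/ssrf_results_2025.json [accepted_urls.txt]
"""
import json
import sys

CVSS_THRESHOLD = 9.0          # "Fail pipeline on CVSS >= 9.0"

# Constructed sample results in the assumed layout.
SAMPLE_RESULTS = {
    "findings": [
        {"url": "https://staging.app/api/fetch?url=", "category": "cloud_metadata",
         "cvss": 9.0, "confidence": "critical"},
        {"url": "https://staging.app/preview?src=", "category": "standard",
         "cvss": 7.5, "confidence": "medium"},
        {"url": "https://staging.app/hook?target=", "category": "container_k8s",
         "cvss": 10.0, "confidence": "low"},
    ]
}


def load_findings(data):
    """Accept both a bare list and an object wrapping a "findings" list."""
    if isinstance(data, list):
        return data
    return data.get("findings", [])


def blocking_findings(findings, cvss_threshold=CVSS_THRESHOLD, accepted=()):
    """Return the findings that must fail the build.

    A finding blocks when its CVSS meets the threshold or its confidence is
    "critical"; URLs listed in `accepted` (a risk-accepted allowlist kept in
    the repo) are skipped so known, triaged items do not block every run.
    """
    blocked = []
    for f in findings:
        if f.get("url") in accepted:
            continue
        severe = float(f.get("cvss", 0.0)) >= cvss_threshold
        if severe or f.get("confidence") == "critical":
            blocked.append(f)
    return blocked


def main(argv):
    """Load results (and an optional allowlist), print blockers, exit 1 if any."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RESULTS
    accepted = set()
    if len(argv) > 2:
        with open(argv[2]) as fh:
            accepted = {line.strip() for line in fh if line.strip()}
    blocked = blocking_findings(load_findings(data), accepted=accepted)
    for f in blocked:
        print(f"BLOCK cvss={f.get('cvss')} confidence={f.get('confidence')} {f.get('url')}")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the category CVSS is fixed per payload class (a container/K8s hit is always 10.0), a low-confidence match in a high-CVSS category still blocks; if that produces too much noise, gate on confidence first and keep the CVSS threshold for critical-confidence findings only.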
| Option | Description | Example |
|---|---|---|
| `-d, --domain` | Target domain (required) | `-d target.com` |
| `-o, --output` | Output directory (required) | `-o results/` |
| `-c, --concurrency` | Parallel requests (default: 10) | `-c 20` |
| `--stealth` | Enable stealth mode | `--stealth` |
| `--proxy` | Proxy URL (http/socks5) | `--proxy http://127.0.0.1:8080` |
| `--internal-scan` | Scan internal networks | `--internal-scan` |
| `--container-escape` | Test container escape | `--container-escape` |
| `--ai-platform` | Target AI platforms | `--ai-platform` |
| `--full-arsenal` | Enable ALL 2025 features | `--full-arsenal` |
| `--session` | Session name for auth | `--session admin` |
| `--cookie` | Cookies (name=value;...) | `--cookie "sess=abc;token=xyz"` |
| `--header` | Custom headers (Header:Value,...) | `--header "X-API:secret"` |
| `--jwt` | JWT token for authentication | `--jwt "eyJhbGc..."` |
```bash
# Always start with low concurrency
python ssrfhunter_elite_v3.py -d target.com -o results/ --concurrency 5 --stealth

# Auth bypasses often lead to higher impact SSRF
python ssrfhunter_elite_v3.py -d target.com -o results/ --session user --jwt "$JWT"

# After scan, prioritize critical/high findings
grep -B5 -A5 "confidence.*critical" results/ssrf_results_2025.json

# Use cloud metadata to access internal services
# Use SSRF to steal K8s tokens → access K8s API → escape containers

# The markdown report is your proof-of-concept
cat results/ssrf_report_2025.md
```

SSRFHunter Elite v3.0 is for authorized security testing only. You must have explicit permission to scan any target. Unauthorized scanning is illegal. The authors are not responsible for misuse.
- Fork the repository
- Create a feature branch (`git checkout -b feature/2025-payload`)
- Commit changes (`git commit -am 'Add CVE-2025-61882 exploit'`)
- Push to branch (`git push origin feature/2025-payload`)
- Open a Pull Request
MIT License - Free for educational and authorized security testing purposes.
- 100+ SSRF parameter patterns (2025)
- 200+ payload variants with CVSS scoring
- GraphQL SSRF detection & exploitation
- WebSocket SSRF testing
- Serverless RCE chains (Lambda, GCP, Azure)
- Container/K8s escape vectors
- HTTP redirect loop bypass
- AI-generated WAF bypass payloads
- Cloud metadata exploitation (AWS IMDSv2, GCP, Azure, Oracle)
- Blind SSRF OOB detection (interactsh)
- Real-time monitoring dashboard
- Comprehensive markdown reporting
- Stealth mode with OPSEC features
- JWT/session management
- Proxy support (HTTP/SOCKS5)
- Auto CVSS calculation
- Credential extraction (AWS, GCP, Azure, K8s)
- Internal network reconnaissance
- CVE-2025 specific exploits
- Time-based enumeration
- WAF fingerprinting & bypass
Total: 25 elite features integrated
For issues, feature requests, or 2025 payload contributions, visit: https://github.com/BotGJ16
Happy Hunting! May you find critical SSRF in every target.