SSRFRecon is an advanced Server-Side Request Forgery (SSRF) reconnaissance scanner designed to efficiently discover and validate URLs with potential SSRF parameters from multiple sources. It combines intelligent filtering with smart de-duplication to provide security researchers with high-quality results.
- Multi-Source Collection: Gathers URLs from Wayback Machine and Katana crawler
- Smart SSRF Filtering: Uses extended keyword matching and pattern recognition
- Live URL Validation: Verifies URL accessibility using HTTPX
- Intelligent De-duplication: Eliminates redundant URLs while preserving unique endpoints
- Parameter Analysis: Generates detailed reports on SSRF parameter frequency
- Pattern Recognition: Identifies common URL structures and parameter patterns
- Comprehensive Error Handling: Detailed error codes with recovery suggestions
- Parallel Processing: Efficient batch processing for large-scale scanning
- Python 3.7+
- Go tools (required for underlying utilities):
# Install Go tools
go install github.com/tomnomnom/waybackurls@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
# Add Go bin to PATH (if not already)
export PATH=$PATH:$(go env GOPATH)/bingit clone https://github.com/00xmicho/script.gitpython3 ssrfrecon.py example.com# Custom output file
python3 ssrfrecon.py example.com -o results.txt
# Increase threads and timeout
python3 ssrfrecon.py example.com -t 100 -to 180
# Custom batch size for HTTPX
python3 ssrfrecon.py example.com -bs 200
# Verbose output and force mode
python3 ssrfrecon.py example.com -v -f
# Comprehensive scanning
python3 ssrfrecon.py example.com --comprehensive| Argument | Description | Default |
|---|---|---|
domain |
Target domain to scan | Required |
-o, --output |
Output file for SSRF URLs | ssrf_urls.txt |
-t, --threads |
Number of threads for httpx | 50 |
-to, --timeout |
Timeout for commands (seconds) | 120 |
-bs, --batch-size |
Batch size for HTTPX processing | 250 |
-v, --verbose |
Enable verbose output | False |
-f, --force |
Skip confirmation prompts | False |
--comprehensive |
Use comprehensive URL collection | False |
The tool generates several outphttpsles:
- Main Results (
ssrf_urls.txtor custom name): Contains unique, live URLs with SSRF parameters - Parameter Count (
count-param.txt): Lists SSRF parameters and their frequency - Pattern Analysis (
pattern-analysis-{domain}.txt): Analyzes common URL structures and parameter patterns
- URL Collection: Gathers URLs from multiple sources (Wayback Machine, Katana crawler)
- SSRF Filtering: Identifies URLs with potential SSRF parameters using extended keyword matching
- Live Verification: Checks which URLs are accessible using HTTPX
- De-duplication: Applies smart filtering to eliminate redundant URLs
- Analysis: Generates detailed reports on parameters and patterns
- Output: Saves results to specified files
SSRFRecon uses a comprehensive error code system:
ERROR 101:waybackurlstool not foundERROR 102:katanatool not foundERROR 103:httpxtool not foundERROR 104: Multiple tools missing
ERROR 201: Waybackurls execution timeoutERROR 202: Katana execution timeoutERROR 203: HTTPX execution timeoutERROR 204: Subprocess general timeout
ERROR 301: Temporary file creation failedERROR 302: Output file write permission deniedERROR 303: File not found during processingERROR 304: Disk space exhausted
ERROR 401: DNS resolution failedERROR 402: Connection refused by targetERROR 403: SSL certificate validation failedERROR 404: Network unreachableERROR 405: Too many redirects
ERROR 501: URL parsing failed (malformed URLs)ERROR 502: Query parameter parsing errorERROR 503: URL normalization failedERROR 504: Invalid URL encoding
ERROR 601: Memory allocation failedERROR 602: Thread pool exhaustionERROR 603: Too many open filesERROR 604: System resource limitation
ERROR 701: Invalid domain formatERROR 702: Invalid thread count specifiedERROR 703: Invalid timeout valueERROR 704: Output directory not writable
ERROR 801: No URLs discovered from sourcesERROR 802: No live URLs found after filteringERROR 803: Empty results after normalizationERROR 804: Critical URL detection failed
ERROR 901: Unhandled exception occurredERROR 902: Unknown error typeERROR 903: Unexpected behavior detected
- Tool Errors (1xx): Prompt user to install missing tools or continue
- Timeout Errors (2xx): Retry with increased timeout or skip operation
- File Errors (3xx): Check permissions and disk space, suggest alternatives
- Network Errors (4xx): Verify target availability and network connectivity
- Parsing Errors (5xx): Skip problematic URLs and continue processing
- Resource Errors (6xx): Reduce thread count and retry
- Input Errors (7xx): Validate user input and provide suggestions
- Logic Errors (8xx): Adjust parameters and retry scanning
- Unknown Errors (9xx): Log detailed information for debugging
Each error code includes:
- ✅ Error message explaining what went wrong
- ✅ Recovery suggestions for the user
- ✅ Automatic fallback where possible
- ✅ Clear exit codes for script automation
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Fork the project
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
This tool is designed for security research and authorized testing only. The user is responsible for ensuring they have proper authorization before scanning any targets. The authors are not responsible for any misuse or damage caused by this program.
- Thanks to the creators of waybackurls, katana, and httpx
- Inspired by various SSRF research and methodologies in the security community