ssrf
Hunt Server-Side Request Forgery (CWE-918) through taint analysis from user-controlled URLs to HTTP client sinks. Covers cloud metadata pivoting, DNS rebinding, gopher smuggling, and the IMDSv1 → IAM role chain that turns SSRF into RCE.
Best for Security researchersWorks with GitHub
⌘source
- author
@PurpleAILAB- language
- Python
★2.1kstars
366forks
Apr 18, 2026
✦overview.md
Key Features
- ·Hunts Server-Side Request Forgery (CWE-918) vulnerabilities
- ·Performs taint analysis from user-controlled URLs to HTTP client sinks
- ·Covers cloud metadata pivoting and DNS rebinding techniques
- ·Identifies IMDSv1 → IAM role chains that escalate SSRF to RCE
- ·Includes bypass classes that automated scanners often miss
- ·Provides language-specific source patterns for Python, Node, Java, Go, Ruby, and PHP
Use Cases
- →Security researchers hunting for 0-day vulnerabilities in web applications
- →Penetration testers conducting deep security assessments of cloud infrastructure
- →Development teams proactively scanning their codebases for SSRF vectors before deployment
- →Bug bounty hunters looking for high-impact vulnerability chains
Best for
- ✓Security researchers
- ✓Penetration testers
- ✓Bug bounty programs
Not ideal for
- !General web development
- !Basic API testing
- !Non-security-focused code reviews
FAQs
name
ssrf
description
Hunt Server-Side Request Forgery (CWE-918) through taint analysis from user-controlled URLs to HTTP client sinks. Covers cloud metadata pivoting, DNS rebinding, gopher smuggling, and the IMDSv1 → IAM role chain that turns SSRF into RCE.
SSRF Hunting Playbook
SSRF is one of the highest-yield vuln classes for 0-day work because (a) it's often medium severity in isolation but chains to critical when it reaches cloud metadata, internal admin panels, or unprotected Redis/Elasticsearch, and (b) modern frameworks have dozens of bypass classes that scanners miss.
1. Sources (user-controlled input that becomes a URL)
Look for any parameter that gets fed into an HTTP client:
- Python:
requests.get(user_url),httpx.get,urllib.request.urlopen,aiohttp.get - Node:
fetch(userUrl),axios.get,http.request,got,node-fetch - Java:
HttpURLConnection,HttpClient.send,URL.openConnection,OkHttpClient - Go:
http.Get(u),http.NewRequest,net.Dial("tcp", u) - Ruby:
Net::HTTP.get,URI.open,Faraday.get - PHP:
file_get_contents($url),curl_exec,fsockopen
Grep patterns to run via bash:
semgrep --config p/ssrf /workspace/src --sarif -o /workspace/sem-ssrf.sarif
grep -rE 'requests\.get\(|httpx\.|urllib.*urlopen|fetch\(|axios\.|http\.Get\(|URL\(' /workspace/src
2. Sinks that make SSRF worth reporting
$install
1-click copynpx skills add PurpleAILAB/Decepticon --skill ssrfSafety assessment
★
Clarity score
How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
5/ 5
excellentVery clear and well structured, with almost no room for misunderstanding.
◎
Actionability score
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
5/ 5
very highHighly actionable with clear, concrete steps that an agent can follow directly.