Finding SSRF (all scope)

The goal of this lab is to use a set of tools to collect all subdomains of a specific domain, along with all of their URLs and parameters, and to retrieve results using Burp Collaborator.

Tools

subfinder - subdomain discovery.

How to install it:

GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder

qsreplace - Accept URLs on stdin, replace all query string values with a user-supplied value.

How to install it:

go get -u github.com/tomnomnom/qsreplace
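
From the defender's side, the rewriting qsreplace performs leaves a recognizable trace in access logs: every query-string value in a request is the same user-supplied value. The sketch below is an added example, not part of the original lab or of any tool listed here; the log lines, the `OWN_HOSTS` allowlist and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

OWN_HOSTS = {"shop.example.com"}  # assumption: hosts the application legitimately links to
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$|^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed access-log lines (common log format); all hosts and IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /fetch?url=http%3A%2F%2Fcanary.example.net&next=http%3A%2F%2Fcanary.example.net HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /img?src=http%3A%2F%2Fcanary.example.net&w=http%3A%2F%2Fcanary.example.net&h=http%3A%2F%2Fcanary.example.net HTTP/1.1" 400 0
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:56:09 +0000] "GET /go?url=https%3A%2F%2Fshop.example.com%2Fcart HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /a?x=1&y=1 HTTP/1.1" 200 10
"""

def external_host(value):
    """Return the host a parameter value points at, or None if it is not an external URL/host."""
    candidate = value if "//" in value else "//" + value
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    if host and HOST_RE.match(host) and host not in OWN_HOSTS:
        return host
    return None

def uniform_value_probes(log_text):
    """Map (client, host) -> sorted paths where every query value was the same external host/URL."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        # Bulk query-string rewriting leaves one value repeated across all parameters.
        if len(values) < 2 or len(set(values)) != 1:
            continue
        host = external_host(values[0])
        if host:
            hits[(client, host)].add(parts.path)
    return {key: sorted(paths) for key, paths in hits.items()}

if __name__ == "__main__":
    for (client, host), paths in uniform_value_probes(SAMPLE_LOG).items():
        print(f"{client} sent {host} in every parameter of: {', '.join(paths)}")
```

Requests with a single parameter are skipped because one value cannot show the "all values replaced" pattern; those need a separate outbound-host check.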

gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.

How to install it:

GO111MODULE=on go get -u -v github.com/lc/gau

waybackurls: Fetch all the URLs that the Wayback Machine knows about for a domain.

How to install it:

go get github.com/tomnomnom/waybackurls

gf: A wrapper around grep, to help you grep for things.

How to install it:

List to exclude:

ffuf: Fast web fuzzer written in Go.

How to install it:

Scope

Harvester

Replacing params

Fuzzing and test

Resources

To collect all URLs from several sources:
