# Finding SSRF (all scope) The goal of this laboratory is to use some tools to collect all subdomains from a specific domain, all the URLs and parameters, and retrieve some results using the burp collaborator utility. ## Tools [**subfinder**](https://github.com/projectdiscovery/subfinder) - subdomain discovery. How to install it: ``` GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder ``` [**qsreplace**](https://github.com/tomnomnom/qsreplace) - Accept URLs on stdin, replace all query string values with a user-supplied value. How to install it: ``` go get -u github.com/tomnomnom/qsreplace ``` [**gau**](https://github.com/lc/gau)**:** Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. How to install it: ``` GO111MODULE=on go get -u -v github.com/lc/gau ``` [**waybackurls**](https://github.com/tomnomnom/waybackurls)**:** Fetch all the URLs that the Wayback Machine knows about for a domain. How to install it: ``` go get github.com/tomnomnom/waybackurls ``` [**gf**](https://github.com/tomnomnom/gf)**:** A wrapper around grep, to help you grep for things. How to install it: ``` go get -u github.com/tomnomnom/gf ``` List to exclude: ``` grep -v "\.css?ver" | grep -v "\.js" | grep -v "\.png" | grep -v "\.woff" | grep "collaborator" ``` [**ffuf**](https://github.com/ffuf/ffuf)**:** Fast web fuzzer written in Go. How to install it: ``` go get -u github.com/ffuf/ffuf ``` ## Scope ``` In Scope: *.example.com ``` ## Harvester ``` gau -subs example.com; subfinder -d example.com -silent | waybackurls | sort -u > output.txt ``` ## Replacing params ``` cat output.txt | qsreplace "http://xxxxxxxxxxx.burpcollaborator.net" >> fuzz_list.txt ``` ## Fuzzing and test ``` ffuf -c -w fuzz_list.txt -u FUZZ -t 200 -r ``` ## Resources To collect all URLs from several sources: {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gitbook.seguranca-informatica.pt/fuzzing-and-web/finding-ssrf-all-scope.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.