> For the complete documentation index, see [llms.txt](https://gitbook.seguranca-informatica.pt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.seguranca-informatica.pt/fuzzing-and-web/finding-ssrf-all-scope.md). # Finding SSRF (all scope) The goal of this laboratory is to use some tools to collect all subdomains from a specific domain, all the URLs and parameters, and retrieve some results using the burp collaborator utility. ## Tools [**subfinder**](https://github.com/projectdiscovery/subfinder) - subdomain discovery. How to install it: ``` GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder ``` [**qsreplace**](https://github.com/tomnomnom/qsreplace) - Accept URLs on stdin, replace all query string values with a user-supplied value. How to install it: ``` go get -u github.com/tomnomnom/qsreplace ``` [**gau**](https://github.com/lc/gau)**:** Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. How to install it: ``` GO111MODULE=on go get -u -v github.com/lc/gau ``` [**waybackurls**](https://github.com/tomnomnom/waybackurls)**:** Fetch all the URLs that the Wayback Machine knows about for a domain. How to install it: ``` go get github.com/tomnomnom/waybackurls ``` [**gf**](https://github.com/tomnomnom/gf)**:** A wrapper around grep, to help you grep for things. How to install it: ``` go get -u github.com/tomnomnom/gf ``` List to exclude: ``` grep -v "\.css?ver" | grep -v "\.js" | grep -v "\.png" | grep -v "\.woff" | grep "collaborator" ``` [**ffuf**](https://github.com/ffuf/ffuf)**:** Fast web fuzzer written in Go. How to install it: ``` go get -u github.com/ffuf/ffuf ``` ## Scope ``` In Scope: *.example.com ``` ## Harvester ``` gau -subs example.com; subfinder -d example.com -silent | waybackurls | sort -u > output.txt ``` ## Replacing params ``` cat output.txt | qsreplace "http://xxxxxxxxxxx.burpcollaborator.net" >> fuzz_list.txt ``` ## Fuzzing and test ``` ffuf -c -w fuzz_list.txt -u FUZZ -t 200 -r ``` ## Resources To collect all URLs from several sources: {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gitbook.seguranca-informatica.pt/fuzzing-and-web/finding-ssrf-all-scope.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.