pkg

package
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 18, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package pkg provides shared infrastructure for the ressrf SSRF fuzzer: configuration parsing, HTTP request sending, rate limiting, payload file management, and Interactsh client session lifecycle. All scanning-phase packages (lib) import this package for common types and utilities.

Index

Constants

This section is empty.

Variables

View Source
var (
	// InputFile is the path to the file containing target URLs. Read from the -l flag.
	InputFile *string
	// CollabServer is an optional custom collaboration server domain. Read from the -c flag.
	CollabServer *string
	// Threads is the number of concurrent worker goroutines. Read from the -t flag.
	Threads *int
	// RateLimit is the maximum number of HTTP requests per second. Read from the -r flag.
	RateLimit *int
	// OutDir is the directory path for output files (logs, findings). Read from the -o flag.
	OutDir *string
	// ExtraHeader is an optional custom HTTP header in "Key: Value" format. Read from the -H flag.
	ExtraHeader *string
	// Silent controls whether banners and progress messages are printed. Read from the -s flag.
	Silent *bool
	// ColorBlind disables colored terminal output. Read from the -b flag.
	ColorBlind *bool
	// Verbose enables live streaming of connection updates. Read from the -v flag.
	Verbose *bool

	// PayloadsFile is the path to the payload configuration file, located at
	// ~/.config/ressrf/payloads.cfg. It is populated with embedded default vectors on first
	// use and user customisations are preserved across updates.
	PayloadsFile = filepath.Join(os.Getenv("HOME"), ".config", "ressrf", "payloads.cfg")
	// HeadersInject is the list of HTTP header names that will be tested for SSRF
	// vulnerabilities. Each header is injected with a collaboration payload and the
	// scanner monitors for out-of-band callbacks.
	HeadersInject = []string{
		"Base-Url", "CF-Connecting_IP", "Client-IP", "Contact",
		"Forwarded", "From", "Http-Url", "Proxy-Host", "Proxy-Url",
		"Real-Ip", "Redirect", "Referer", "Referrer", "Request-Uri",
		"True-Client-IP", "Uri", "Url", "X-Client-IP", "X-Forward-For",
		"X-Forwarded-By", "X-Forwarded-For-Original", "X-Forwarded-For",
		"X-Forwarded-Host", "X-Forwarded-Server", "X-Forwarded",
		"X-Forwarder-For", "X-Host", "X-Http-Destinationurl",
		"X-Http-Host-Override", "X-Original-Remote-Addr", "X-Original-Url",
		"X-Originating-IP", "X-Proxy-Url", "X-Real-Ip", "X-Remote-Addr",
		"X-Rewrite-Url", "X-Wap-Profile",
	}
	// AltProtoRegex matches response bodies that indicate an alternate-protocol SSRF
	// vulnerability (e.g. cloud metadata endpoints, localhost references, or gopher/dict/file
	// scheme content). When the regex matches, the scanner reports an ALT-PROTO HIT.
	AltProtoRegex = regexp.MustCompile(`169\.254\.169\.254|latest/meta-data|root:|127\.0\.0\.1|localhost|gopher://|dict://|file://`)
	// QsReplaceRegex matches the value portion of URL query parameters (the text after "="
	// up to the next "&" or end-of-string). It is used by QsReplace to substitute payloads
	// into query strings.
	QsReplaceRegex = regexp.MustCompile(`=([^?|&]*)`)
)
View Source
var ClientInstance *client.Client

ClientInstance holds the active Interactsh client session, shared across packages.

View Source
var HttpClient = &http.Client{
	Timeout: 10 * time.Second,
	Transport: &http.Transport{
		MaxIdleConnsPerHost: 100,
	},
	CheckRedirect: func(req *http.Request, via []*http.Request) error {
		return http.ErrUseLastResponse
	},
}

HttpClient is the shared HTTP client used for all scan requests. It has a 10-second timeout and is configured to not follow redirects (ErrUseLastResponse) so that the scanner can inspect every intermediate response.

View Source
var SessionDomain string

SessionDomain stores the interaction domain returned by the Interactsh client, used as the callback target for out-of-band SSRF payloads.

Functions

func AppendLine

func AppendLine(path, line string)

AppendLine appends a single line of text to the file at the given path, creating the file if it does not already exist. Errors during open or write are silently discarded.

func BaseHeaders

func BaseHeaders() map[string]string

BaseHeaders returns a default set of HTTP headers used for scan requests. It always includes a User-Agent header. If the global ExtraHeader flag is set, it is parsed as "Key: Value" and added to the returned map.

func EnsurePayloadsConfig

func EnsurePayloadsConfig(silent bool) error

EnsurePayloadsConfig ensures the payloads configuration file exists and contains the embedded default vectors.

If the configured payload file does not exist, it will be created containing the embedded defaults. If the file exists, any default vectors not already present will be appended (with a separator) so existing user content is preserved. When `silent` is false a brief status message is printed.

Errors are returned for filesystem failures such as directory creation, file reads, or writes.

func QsReplace

func QsReplace(rawURL, payload string) string

QsReplace substitutes the first value in every URL query parameter with the given URL-escaped payload. It replaces the right-hand side of "=" in query strings, so "?foo=bar&baz=qux" with payload "p" becomes "?foo=p&baz=p".

func ReadLines

func ReadLines(path string) ([]string, error)

ReadLines reads a file line by line, trimming whitespace and skipping blank lines and comment lines (those starting with "#"). Returns the non-empty lines or an error if the file cannot be opened.

func RunPhase

func RunPhase(name string, jobs chan<- func(), wg *sync.WaitGroup, fn func())

RunPhase prints the phase name and then executes the provided function. It does not interact with the jobs channel or WaitGroup directly; those are managed by the caller inside fn.

func SendRequest

func SendRequest(targetURL string, headers map[string]string) (int, string, error)

SendRequest issues an HTTP GET request to the target URL with the given headers. It returns the HTTP status code, the response body (truncated to 4096 bytes), and any transport-level error. Redirects are not followed (see HttpClient).

func StartInteractsh

func StartInteractsh() (string, error)

StartInteractsh creates a new Interactsh client using the ProjectDiscovery service and returns the generated collaboration domain. The global ClientInstance is set so that the caller can later close the session. Returns the raw domain string (protocol prefix stripped) or an error if the client cannot be initialized.

Types

type Options

type Options struct {
	InputFile    string
	CollabServer string
	Threads      int
	RateLimit    int
	OutDir       string
	ExtraHeader  string
	Silent       bool
	ColorBlind   bool
	Verbose      bool
}

Options holds all user-configurable parameters parsed from command-line flags.

func ParseOptions

func ParseOptions() (*Options, error)

ParseOptions parses command-line flags into an Options value and initializes package-level option pointers.

It validates the optional InputFile when provided (must exist, must not be a directory, must be non-empty). It also ensures the payloads configuration is present by running the sync routine and will return an error if that setup fails. Returns the populated *Options on success or a non-nil error if flag parsing, input validation, or config setup fails.

type RateLimiter

type RateLimiter struct{ Ticker *time.Ticker }

RateLimiter controls the rate of outgoing HTTP requests using a time.Ticker. Call Wait before each request to stay within the configured requests-per-second limit.

func NewRateLimiter

func NewRateLimiter(rps int) *RateLimiter

NewRateLimiter creates a RateLimiter that allows up to rps requests per second. The rate is evenly spaced: each call to Wait blocks for 1/rps seconds.

func (*RateLimiter) Wait

func (r *RateLimiter) Wait()

Wait blocks until the next tick according to the rate limiter's configured requests-per- second interval. It should be called once before each HTTP request.

type VulnerabilityMetadata

type VulnerabilityMetadata struct {
	BaseURL    string
	InjectType string
	HeaderName string
}

VulnerabilityMetadata stores the context of an injected payload so that out-of-band callbacks can be correlated back to the specific request and injection point.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL