Documentation
¶
Overview ¶
Package pkg provides shared infrastructure for the ressrf SSRF fuzzer: configuration parsing, HTTP request sending, rate limiting, payload file management, and Interactsh client session lifecycle. All scanning-phase packages (lib) import this package for common types and utilities.
Index ¶
- Variables
- func AppendLine(path, line string)
- func BaseHeaders() map[string]string
- func EnsurePayloadsConfig(silent bool) error
- func QsReplace(rawURL, payload string) string
- func ReadLines(path string) ([]string, error)
- func RunPhase(name string, jobs chan<- func(), wg *sync.WaitGroup, fn func())
- func SendRequest(targetURL string, headers map[string]string) (int, string, error)
- func StartInteractsh() (string, error)
- type Options
- type RateLimiter
- type VulnerabilityMetadata
Constants ¶
This section is empty.
Variables ¶
var ( // InputFile is the path to the file containing target URLs. Read from the -l flag. InputFile *string // CollabServer is an optional custom collaboration server domain. Read from the -c flag. CollabServer *string // Threads is the number of concurrent worker goroutines. Read from the -t flag. Threads *int // RateLimit is the maximum number of HTTP requests per second. Read from the -r flag. RateLimit *int // OutDir is the directory path for output files (logs, findings). Read from the -o flag. OutDir *string // ExtraHeader is an optional custom HTTP header in "Key: Value" format. Read from the -H flag. ExtraHeader *string // Silent controls whether banners and progress messages are printed. Read from the -s flag. Silent *bool // ColorBlind disables colored terminal output. Read from the -b flag. ColorBlind *bool // Verbose enables live streaming of connection updates. Read from the -v flag. Verbose *bool // PayloadsFile is the path to the payload configuration file, located at // ~/.config/ressrf/payloads.cfg. It is populated with embedded default vectors on first // use and user customisations are preserved across updates. PayloadsFile = filepath.Join(os.Getenv("HOME"), ".config", "ressrf", "payloads.cfg") // HeadersInject is the list of HTTP header names that will be tested for SSRF // vulnerabilities. Each header is injected with a collaboration payload and the // scanner monitors for out-of-band callbacks. HeadersInject = []string{ "Base-Url", "CF-Connecting_IP", "Client-IP", "Contact", "Forwarded", "From", "Http-Url", "Proxy-Host", "Proxy-Url", "Real-Ip", "Redirect", "Referer", "Referrer", "Request-Uri", "True-Client-IP", "Uri", "Url", "X-Client-IP", "X-Forward-For", "X-Forwarded-By", "X-Forwarded-For-Original", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Server", "X-Forwarded", "X-Forwarder-For", "X-Host", "X-Http-Destinationurl", "X-Http-Host-Override", "X-Original-Remote-Addr", "X-Original-Url", "X-Originating-IP", "X-Proxy-Url", "X-Real-Ip", "X-Remote-Addr", "X-Rewrite-Url", "X-Wap-Profile", } // AltProtoRegex matches response bodies that indicate an alternate-protocol SSRF // vulnerability (e.g. cloud metadata endpoints, localhost references, or gopher/dict/file // scheme content). When the regex matches, the scanner reports an ALT-PROTO HIT. AltProtoRegex = regexp.MustCompile(`169\.254\.169\.254|latest/meta-data|root:|127\.0\.0\.1|localhost|gopher://|dict://|file://`) // QsReplaceRegex matches the value portion of URL query parameters (the text after "=" // up to the next "&" or end-of-string). It is used by QsReplace to substitute payloads // into query strings. QsReplaceRegex = regexp.MustCompile(`=([^?|&]*)`) )
var ClientInstance *client.Client
ClientInstance holds the active Interactsh client session, shared across packages.
var HttpClient = &http.Client{ Timeout: 10 * time.Second, Transport: &http.Transport{ MaxIdleConnsPerHost: 100, }, CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, }
HttpClient is the shared HTTP client used for all scan requests. It has a 10-second timeout and is configured to not follow redirects (ErrUseLastResponse) so that the scanner can inspect every intermediate response.
var SessionDomain string
SessionDomain stores the interaction domain returned by the Interactsh client, used as the callback target for out-of-band SSRF payloads.
Functions ¶
func AppendLine ¶
func AppendLine(path, line string)
AppendLine appends a single line of text to the file at the given path, creating the file if it does not already exist. Errors during open or write are silently discarded.
func BaseHeaders ¶
BaseHeaders returns a default set of HTTP headers used for scan requests. It always includes a User-Agent header. If the global ExtraHeader flag is set, it is parsed as "Key: Value" and added to the returned map.
func EnsurePayloadsConfig ¶
EnsurePayloadsConfig ensures the payloads configuration file exists and contains the embedded default vectors.
If the configured payload file does not exist, it will be created containing the embedded defaults. If the file exists, any default vectors not already present will be appended (with a separator) so existing user content is preserved. When `silent` is false a brief status message is printed.
Errors are returned for filesystem failures such as directory creation, file reads, or writes.
func QsReplace ¶
QsReplace substitutes the first value in every URL query parameter with the given URL-escaped payload. It replaces the right-hand side of "=" in query strings, so "?foo=bar&baz=qux" with payload "p" becomes "?foo=p&baz=p".
func ReadLines ¶
ReadLines reads a file line by line, trimming whitespace and skipping blank lines and comment lines (those starting with "#"). Returns the non-empty lines or an error if the file cannot be opened.
func RunPhase ¶
RunPhase prints the phase name and then executes the provided function. It does not interact with the jobs channel or WaitGroup directly; those are managed by the caller inside fn.
func SendRequest ¶
SendRequest issues an HTTP GET request to the target URL with the given headers. It returns the HTTP status code, the response body (truncated to 4096 bytes), and any transport-level error. Redirects are not followed (see HttpClient).
func StartInteractsh ¶
StartInteractsh creates a new Interactsh client using the ProjectDiscovery service and returns the generated collaboration domain. The global ClientInstance is set so that the caller can later close the session. Returns the raw domain string (protocol prefix stripped) or an error if the client cannot be initialized.
Types ¶
type Options ¶
type Options struct {
InputFile string
CollabServer string
Threads int
RateLimit int
OutDir string
ExtraHeader string
Silent bool
ColorBlind bool
Verbose bool
}
Options holds all user-configurable parameters parsed from command-line flags.
func ParseOptions ¶
ParseOptions parses command-line flags into an Options value and initializes package-level option pointers.
It validates the optional InputFile when provided (must exist, must not be a directory, must be non-empty). It also ensures the payloads configuration is present by running the sync routine and will return an error if that setup fails. Returns the populated *Options on success or a non-nil error if flag parsing, input validation, or config setup fails.
type RateLimiter ¶
RateLimiter controls the rate of outgoing HTTP requests using a time.Ticker. Call Wait before each request to stay within the configured requests-per-second limit.
func NewRateLimiter ¶
func NewRateLimiter(rps int) *RateLimiter
NewRateLimiter creates a RateLimiter that allows up to rps requests per second. The rate is evenly spaced: each call to Wait blocks for 1/rps seconds.
func (*RateLimiter) Wait ¶
func (r *RateLimiter) Wait()
Wait blocks until the next tick according to the rate limiter's configured requests-per- second interval. It should be called once before each HTTP request.
type VulnerabilityMetadata ¶
VulnerabilityMetadata stores the context of an injected payload so that out-of-band callbacks can be correlated back to the specific request and injection point.