3 matches found
Next.js < 14.1.1 Server Actions Server-Side Request Forgery
Next.js versions from 13.4 (inclusive) up to, but not including, 14.1.1 are affected by a Server-Side Request Forgery (SSRF) when a Server Action performs a redirection to a relative path starting with '/'. By leveraging this vulnerability, a remote and unauthenticated attacker can forge an arbitrary 'Host' header an...
Extended-SSRF-Search - Smart SSRF Scanner Using Different Methods Like Parameter Brute Forcing In Post And Get...
This tool searches for SSRF using predefined settings in different parts of a request: path, host, headers, POST and GET parameters. First step: rename example.app-settings.conf to app-settings.conf and adjust the settings. The most important setting is the callback URL. I recommend to use burp...
See-SURF - Python Based Scanner To Find Potential SSRF Parameters
A Python-based scanner to find potential SSRF parameters in a web application. Motivation: SSRF being one of the critical vulnerabilities out there on the web, I see there was no tool which would automate finding potentially vulnerable parameters. See-SURF can be added to your arsenal for recon while...