Show HN: See-SURF – Security tool (now AI powered) to find vulnerable SSRF param
1 point | 1 hour ago | 1 comment | github.com | HN

in3tinct, 1 hour ago
Hi folks,

I'm the creator of See-SURF. Excited to announce an update to See-SURF with v3.0, for detecting Server-Side Request Forgery (SSRF) vulnerabilities! The earlier version was pattern-matching based (tons of FPs, as you know), but after experimenting with AI/LLMs, I've just merged some major enhancements that bring AI context capabilities and Out-of-Band (OOB) / Blind SSRF detection to the scanner.

- AI-Powered Detection & Exploitation for Non-Blind/Reflected SSRF:
  - Leverages Google Gemini, OpenAI (GPT-4/4o), or local Ollama models to intelligently analyze web application responses.
  - Generates custom payloads to target internal services (e.g., AWS metadata endpoints, internal IPs) based on AI-driven fingerprinting.
  - AI validates the output to confirm sensitive data leakage, reducing false positives.

- Blind SSRF with OOB Detection (Webhook.site):
  - For parameters that don't reflect directly, See-SURF now integrates with Webhook.site to detect out-of-band interactions as well.

Check it out - https://github.com/In3tinct/See-SURF

Feedback is very welcome!

The code does need improvement and to be made modular; I first wrote it in 2019.

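On the application side, the counterpart to what the scanner probes for is an outbound-URL guard. As an added example that is not part of See-SURF or this post, the check below resolves the host and refuses the loopback, RFC 1918 and link-local ranges (including the AWS metadata address) that a reflected or blind SSRF payload aims at; the fake resolver and host names are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an SSRF probe typically targets: loopback, RFC 1918, carrier NAT,
# link-local (169.254.169.254 is the AWS metadata endpoint) and IPv6 equivalents.
# Assumption: this application only ever needs to fetch public hosts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _default_resolver(host):
    # Resolve rather than parse: getaddrinfo also normalises odd literal forms
    # (decimal, octal) that string matching on the URL would miss.
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def is_safe_outbound_url(url, resolver=_default_resolver):
    """Return (ok, reason); ok is False when the URL must not be fetched."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # http://trusted@<internal>/ trick
    try:
        addrs = resolver(parts.hostname)
    except socket.gaierror:
        return False, "unresolvable host"
    for a in addrs:  # every address must pass, not just the first
        ip = ipaddress.ip_address(a)
        mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
        if mapped:
            ip = mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{parts.hostname} resolves to blocked {ip}"
    return True, "ok"

# Constructed DNS table so the example and its checks run without network.
FAKE_DNS = {
    "public.example": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "dual.example": ["203.0.113.10", "10.0.0.5"],   # one public, one private
    "v6map.example": ["::ffff:127.0.0.1"],         # mapped loopback
}

def fake_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IPs resolve to self
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed: {host} does not resolve")
```

Resolution and connection are separate steps, so a real deployment must also pin the resolved address for the actual request and re-run the check on every redirect, otherwise DNS rebinding or a 302 to an internal host bypasses it.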