Repo · Microsoft · published Jan 16, 2025

microsoft/dusseldorf

TypeScript

Description: Dusseldorf is an out-of-band security tool to help in security research.

Language: TypeScript

License: MIT

Stars: 74

Forks: 15

Open issues: 6

Created: 2025-01-16T01:00:22Z

Pushed: 2026-06-19T06:14:38Z

Default branch: main

Fork: no

Archived: no

README:

Dusseldorf

Dusseldorf is a private, customizable out-of-band application security testing (OAST) platform. It captures inbound network traffic across multiple protocols and lets you craft automated responses for security validation workflows.

It is designed for security professionals who need controlled infrastructure to detect and validate out-of-band vulnerabilities such as SSRF, XSS, SSTI, XXE, and related classes of defects.

> This project is often stylized as *duSSeldoRF*, following a common practice within Microsoft to use place names as project names. The beautiful city Düsseldorf is one of the few places in the world with the letters *SSRF* in its name. For ease of use we replaced the umlaut character ü (alt-0252) with a plain u.

Dusseldorf deploys DNS, HTTP, and HTTPS network listeners and listens on a domain name, such as `*.yourdomain.net`. All requests to this domain name and to any subdomain of it (called _zones_, such as `foo.yourdomain.net` and `foo.bar.yourdomain.net`) are captured by these network listeners.

Using the protected graphical user interface (and corresponding REST API), you can see these captured requests and their responses. Furthermore, you can configure your own custom responses and filters.

Who This Is For

  • Security researchers and operators running private OAST infrastructure.
  • Developers and platform engineers extending listener behavior, API features, and automation.

Getting Started

Dusseldorf is designed to run on the Internet and is natively built for Azure deployments. To run Dusseldorf, you need the following prerequisites:

  • a machine on the Internet with one or more public IPv4 address(es)
  • a domain name whose NS (name server) record points at this IP address or these addresses

If you have this baseline setup, continue with the [installation guide](docs/install.md). The documentation supports both operator workflows and developer extensibility paths.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.
