ronin-vulns 0.1.4 → 0.2.0.rc1

data/lib/ronin/vulns/importer.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/db'
+
+module Ronin
+  module Vulns
+    #
+    # Handles importing discovered {WebVuln web vulnerability} objects into
+    # [ronin-db].
+    #
+    # [ronin-db]: https://github.com/ronin-rb/ronin-db#readme
+    #
+    # ## Examples
+    #
+    #     require 'ronin/vulns/url_scanner'
+    #     require 'ronin/vulns/importer'
+    #
+    #     Ronin::Vulns::URLScanner.scan(url) do |vuln|
+    #       Ronin::Vulns::Importer.import(vuln)
+    #     end
+    #
+    # @since 0.2.0
+    #
+    module Importer
+      #
+      # Imports a web vulnerability into database.
+      #
+      # @param [WebVuln] vuln
+      #   The web vulnerability to import.
+      #
+      # @yield [imported]
+      #   If a block is given, it will be passed the imported database records.
+      #
+      # @yieldparam [Ronin::DB::WebVuln] imported
+      #   The imported web vulnerability record.
+      #
+      # @return [Ronin::DB::WebVuln]
+      #   The imported web vuln record.
+      #
+      def self.import(vuln)
+        imported_url = import_url(vuln.url)
+
+        attributes = {
+          url:  imported_url,
+          type: vuln.class.vuln_type,
+
+          query_param:    vuln.query_param,
+          header_name:    vuln.header_name,
+          cookie_param:   vuln.cookie_param,
+          form_param:     vuln.form_param,
+          request_method: vuln.request_method
+        }
+
+        case vuln
+        when LFI
+          attributes[:lfi_os]            = vuln.os
+          attributes[:lfi_depth]         = vuln.depth
+          attributes[:lfi_filter_bypass] = vuln.filter_bypass
+        when RFI
+          attributes[:rfi_script_lang]   = vuln.script_lang
+          attributes[:rfi_filter_bypass] = vuln.filter_bypass
+        when SQLI
+          attributes[:sqli_escape_quote]  = vuln.escape_quote
+          attributes[:sqli_escape_parens] = vuln.escape_parens
+          attributes[:sqli_terminate]     = vuln.terminate
+        when SSTI
+          attributes[:ssti_escape_type] = vuln.escape_type
+        when CommandInjection
+          attributes[:command_injection_escape_quote]    = vuln.escape_quote
+          attributes[:command_injection_escape_operator] = vuln.escape_operator
+          attributes[:command_injection_terminator]      = vuln.terminator
+        end
+
+        imported_vuln = DB::WebVuln.transaction do
+                          DB::WebVuln.find_or_create_by(attributes)
+                        end
+
+        yield imported_vuln if block_given?
+        return imported_vuln
+      end
+
+      #
+      # Imports a URL into the database.
+      #
+      # @param [URI, String] url
+      #   The URL to import.
+      #
+      # @return [Ronin::DB::URL]
+      #   The imported URL record.
+      #
+      def self.import_url(url)
+        DB::URL.transaction do
+          DB::URL.find_or_import(url)
+        end
+      end
+    end
+  end
+end

data/lib/ronin/vulns/lfi/test_file.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library to blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/lfi.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/open_redirect.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -80,7 +80,7 @@ module Ronin
         when '301', '302', '303', '307', '308'
           if (locations = response.get_fields('Location'))
             escaped_test_url = Regexp.escape(@test_url)
-            regexp           = /\A#{escaped_test_url}(?:[\?&].+)?\z/
+            regexp           = /\A#{escaped_test_url}.*\z/
 
             locations.last =~ regexp
           end
@@ -95,10 +95,34 @@ module Ronin
                 http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
                 content\s*=\s*
                 (?:
-                 "\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|
-                 '\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|
-                 \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' )
-                )\s*
+                  # content="..."
+                  "\s*\d+\s*;\s*url\s*=\s*
+                  (?:
+                    # content="0; url='...'"
+                    '\s*#{escaped_test_url}[^'"]*' |
+                    # content="0; url=..."
+                    #{escaped_test_url}[^"]*
+                  )\s*" |
+                  # content='...'
+                  '\s*\d+\s*;\s*url\s*=\s*
+                  (?:
+                    # content='0; url="..."'
+                    "\s*#{escaped_test_url}[^"']*" |
+                    # content='0; url=...'
+                    #{escaped_test_url}[^']*
+                  )\s*' |
+                  # content=...
+                  \s*\d+;url=(?:
+                    # content=0;url="..."
+                    "\s*#{escaped_test_url}[^\s"]*" |
+                    # content=0;url='...'
+                    '\s*#{escaped_test_url}[^\s']*' |
+                    # content=0;url=...
+                    #{escaped_test_url}[^\s/>]*
+                  )
+                )
+                \s*
+                # /> or / >
                 (?:/\s*)?>
             }xi
 

data/lib/ronin/vulns/reflected_xss/context.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/reflected_xss/test_string.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/reflected_xss.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/rfi.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -47,11 +47,11 @@ module Ronin
 
       # Mapping of scripting languages to RFI test scripts.
       TEST_SCRIPT_URLS = {
+        php:         "#{GITHUB_BASE_URL}/rfi_test.php",
         asp:         "#{GITHUB_BASE_URL}/rfi_test.asp",
         asp_net:     "#{GITHUB_BASE_URL}/rfi_test.aspx",
-        cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
         jsp:         "#{GITHUB_BASE_URL}/rfi_test.jsp",
-        php:         "#{GITHUB_BASE_URL}/rfi_test.php",
+        cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
         perl:        "#{GITHUB_BASE_URL}/rfi_test.pl"
       }
 
@@ -59,6 +59,13 @@ module Ronin
       # script is executed.
       VULN_RESPONSE_STRING = "Security Alert: Remote File Inclusion Detected!"
 
+      # The scripting language that the URL is using.
+      #
+      # @return [:asp, :asp_net, :cold_fusion, :jsp, :php, :perl, nil]
+      #
+      # @since 0.2.0
+      attr_reader :script_lang
+
       # The filter bypass technique to use.
       #
       # @return [nil, :double_encode, :suffix_escape, :null_byte]
@@ -93,15 +100,18 @@ module Ronin
       #   The URL of the RFI test script. If not specified, it will default to
       #   {test_script_for}.
       #
-      def initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs)
+      def initialize(url, script_lang:     nil,
+                          test_script_url: nil,
+                          filter_bypass:   nil,
+                          **kwargs)
         super(url,**kwargs)
 
+        @script_lang = script_lang || self.class.infer_script_lang(@url)
+
         @test_script_url = if test_script_url
                              test_script_url
-                           elsif script_lang
-                             self.class.test_script_url_for(script_lang)
-                           else
-                             self.class.test_script_for(@url)
+                           elsif @script_lang
+                             self.class.test_script_url_for(@script_lang)
                            end
 
         @filter_bypass = filter_bypass
@@ -196,12 +206,57 @@ module Ronin
       #   Specifies whether the URL and query parameter are vulnerable to RFI.
       #
       def vulnerable?
-        response = exploit(@test_script_url)
+        if @test_script_url
+          test_a_test_script(@test_script_url)
+        else
+          test_each_test_script
+        end
+      end
+
+      #
+      # Determines if a specific test script URL can be remotely injected.
+      #
+      # @param [String] test_script_url
+      #   The test script URL to attempt injecting.
+      #
+      # @return [Boolean]
+      #   Indicates whether the test script was successfully executed or not.
+      #
+      # @api private
+      #
+      def test_a_test_script(test_script_url)
+        response = exploit(test_script_url)
         body     = response.body
 
         return body.include?(VULN_RESPONSE_STRING)
       end
 
+      #
+      # Test each scripting language and RFI test payload in {TEST_SCRIPT_URLS}
+      # until one succeeds.
+      #
+      # @return [Boolean]
+      #   Indicates whether one of the test script was successfully executed or
+      #   not.
+      #
+      # @note
+      #   If one of the test script URLs successfully executes, then
+      #   {#script_lang} and {#test_script_url} will be updated accordingly.
+      #
+      # @api private
+      #
+      def test_each_test_script
+        TEST_SCRIPT_URLS.each do |script_lang,test_script_url|
+          if test_a_test_script(test_script_url)
+            @script_lang     = script_lang
+            @test_script_url = test_script_url
+            return true
+          end
+        end
+
+        return false
+      end
+
       #
       # Returns the type or kind of vulnerability.
       #

data/lib/ronin/vulns/root.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/sqli/error_pattern.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/sqli.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -100,10 +100,12 @@ module Ronin
       public
 
       #
-      # Scans the URL for SQL injections.
+      # Tests the URL and a specific query param, header name, cookie param, or
+      # form param for SQL injections by enumerating over various SQLi
+      # configurations.
       #
-      # @param [URI::HTTP, String] url
-      #   The URL to test or exploit.
+      # @param [URI::HTTP] url
+      #   The URL to test.
       #
       # @param [Array<Boolean>, Boolean] escape_quote
       #   Controls whether to escape a quoted string value. If not specified,
@@ -123,40 +125,46 @@ module Ronin
       # @param [Hash{Symbol => Object}] kwargs
       #   Additional keyword arguments for {WebVuln.scan}.
       #
-      # @yield [sqli]
-      #   If a block is given it will be yielded each discovered SQL injection
-      #   vulnerability.
+      # @option kwargs [Symbol, String, nil] :query_param
+      #   The query param name to test.
       #
-      # @yieldparam [SQLI] sqli
-      #   A discovered SQL injection vulnerability in the URL.
+      # @option kwargs [Symbol, String, nil] :header_name
+      #   The header name to test.
       #
-      # @return [Array<SQLI>]
-      #   All discovered SQL injection vulnerabilities.
+      # @option kwargs [Symbol, String, true, nil] :cookie_param
+      #   The cookie param name to test.
       #
-      def self.scan(url, escape_quote:  [false, true],
-                         escape_parens: [false, true],
-                         terminate:     [false, true],
-                         # WebVuln.scan keyword arguments
-                         http: nil, **kwargs, &block)
-        url    = URI(url)
-        http ||= Support::Network::HTTP.connect_uri(url)
-
-        vulns = []
-
+      # @option kwargs [Symbol, String, nil] :form_param
+      #   The form param name to test.
+      #
+      # @return [SQLI] sqli
+      #   The first discovered SQLi vulnerability for the specific query param,
+      #   header name, cookie param, or form param.
+      #
+      # @api private
+      #
+      # @since 0.2.0
+      #
+      def self.test_param(url, escape_quote:  [false, true],
+                               escape_parens: [false, true],
+                               terminate:     [false, true],
+                               # keyword arguments for initialize
+                               http: , **kwargs)
         Array(escape_quote).each do |escape_quote_value|
           Array(escape_parens).each do |escape_parens_value|
             Array(terminate).each do |terminate_value|
-              vulns.concat(super(url, escape_quote:    escape_quote_value,
-                                      escape_parens:   escape_parens_value,
-                                      terminate:       terminate_value,
-                                      http:            http,
-                                      **kwargs,
-                                      &block))
+              vuln = new(url, escape_quote:    escape_quote_value,
+                              escape_parens:   escape_parens_value,
+                              terminate:       terminate_value,
+                              http:            http,
+                              **kwargs)
+
+              return vuln if vuln.vulnerable?
             end
           end
         end
 
-        return vulns
+        return nil
       end
 
       #
@@ -296,7 +304,7 @@ module Ronin
       #
       def check_for_sql_errors(response)
         if response.code == '500'
-          ERROR_PATTERNS.each do |database,error_pattern|
+          ERROR_PATTERNS.each_value do |error_pattern|
             if error_pattern =~ response.body
               return true
             end

data/lib/ronin/vulns/ssti/test_expression.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/vulns/ssti.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -31,14 +31,22 @@ module Ronin
       # List of common Server Side Template Injection (SSTI) escapes.
       #
       # @api private
-      ESCAPES = [
-        nil, # does not escape the expression
-        ->(expression) { "{{#{expression}}}"    },
-        ->(expression) { "${#{expression}}"     },
-        ->(expression) { "${{#{expression}}}"   },
-        ->(expression) { "\#{#{expression}}"    },
-        ->(expression) { "<%= #{expression} %>" }
-      ]
+      ESCAPES = {
+        nil => nil, # does not escape the expression
+
+        double_curly_braces:        ->(expression) { "{{#{expression}}}"    },
+        dollar_curly_braces:        ->(expression) { "${#{expression}}"     },
+        dollar_double_curly_braces: ->(expression) { "${{#{expression}}}"   },
+        pound_curly_braces:         ->(expression) { "\#{#{expression}}"    },
+        angle_brackets_percent:     ->(expression) { "<%= #{expression} %>" }
+      }
+
+      # The type of SSTI escape used.
+      #
+      # @return [:double_curly_braces, :dollar_curly_braces, :dollar_double_curly_braces, :pound_curly_braces, :angle_brackets_percent, :custom, nil]
+      #
+      # @since 0.2.0
+      attr_reader :escape_type
 
       # How to escape the payload so that it's executed.
       #
@@ -58,21 +66,38 @@ module Ronin
       # @param [String, URI::HTTP] url
       #   The URL to exploit.
       #
-      # @param [Proc, nil] escape
+      # @param [:double_curly_braces, :dollar_curly_braces, :dollar_double_curly_braces, :pound_curly_braces, :angle_brackets_percent, :custom, Proc, nil] escape
       #   How to escape a given payload. Either a proc that will accept a String
-      #   and return a String, or `nil` to indicate that the payload will not
-      #   be escaped.
+      #   and return a String, a Symbol describing the template syntax to use,
+      #   or `nil` to indicate that the payload will not be escaped.
       #
       # @param [TestExpression] test_expr
       #   The test payload and expected result to check for when testing the URL
       #   for SSTI.
       #
-      def initialize(url, escape: nil,
+      # @raise [ArgumentError]
+      #   An unknown `escape_type:` or `escape:` value was given, or no
+      #   `test_expr:` was given.
+      #
+      def initialize(url, escape:    nil,
                           test_expr: self.class.random_test,
                           **kwargs)
         super(url,**kwargs)
 
-        @escape    = escape
+        case escape
+        when Symbol
+          @escape_type = escape
+          @escape      = ESCAPES.fetch(escape) do
+                           raise(ArgumentError,"unknown template syntax: #{escape_type.inspect}")
+                         end
+        when Proc
+          @escape_type = :custom
+          @escape      = escape
+        when nil # no-op
+        else
+          raise(ArgumentError,"invalid escape type, must be a Symbol, Proc, or nil: #{escape.inspect}")
+        end
+
         @test_expr = test_expr
 
         unless @test_expr
@@ -97,62 +122,53 @@ module Ronin
       end
 
       #
-      # Scans the URL for Server Side Template Injection (SSTI) vulnerabilities.
+      # Tests the URL and a specific query param, header name, cookie param, or
+      # form param for a Server Side Template Injection (SSTI) vulnerability
+      # by enumerating over various SSTI syntaxes.
       #
-      # @param [URI::HTTP, String] url
-      #   The URL to scan.
+      # @param [URI::HTTP] url
+      #   The URL to test.
       #
-      # @param [Array<Proc>, Proc, nil] escape
+      # @param [Array<Symbol, Proc>, Symbol, Proc, nil] escape
       #   The escape method to use. If `escape:` is not given, then all escapes
-      #   in {ESCAPES} will be tested..
+      #   names in {ESCAPES} will be tested..
+      #
+      # @param [Ronin::Support::Network::HTTP] http
+      #   The HTTP session to use for testing the URL.
       #
       # @param [Hash{Symbol => Object}] kwargs
       #   Additional keyword arguments for {#initialize}.
       #
-      # @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :query_params
-      #   The query param name(s) to test.
-      #
-      # @option kwargs [Array<Symbol, String>, Symbol, String, nil] :header_names
-      #   The header name(s) to test.
-      #
-      # @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :cookie_params
-      #   The cookie param name(s) to test.
-      #
-      # @option kwargs [Array<Symbol, String>, Symbol, String, nil] :form_params
-      #   The form param name(s) to test.
+      # @option kwargs [Symbol, String, true, nil] :query_param
+      #   The query param name to test.
       #
-      # @option kwargs [Ronin::Support::Network::HTTP, nil] :http
-      #   An HTTP session to use for testing the LFI.
+      # @option kwargs [Symbol, String, nil] :header_name
+      #   The header name to test.
       #
-      # @option kwargs [Hash{String => String}, nil] :headers
-      #   Additional headers to send with requests.
+      # @option kwargs [Symbol, String, true, nil] :cookie_param
+      #   The cookie param name to test.
       #
-      # @option kwargs [String, Ronin::Support::Network::HTTP::Cookie, nil] :cookie
-      #   Additional cookie params to send with requests.
+      # @option kwargs [Symbol, String, nil] :form_param
+      #   The form param name to test.
       #
-      # @option kwargs [String, nil] :referer
-      #   Optional `Referer` header to send with requests.
+      # @return [SSTI, nil]
+      #   The first discovered web vulnerability for the specific query param,
+      #   header name, cookie param, or form param.
       #
-      # @option kwargs [Hash{String => String}, nil] :form_data
-      #   Additional form data to send with requests.
-      #
-      # @yield [vuln]
-      #   If a block is given it will be yielded each discovered vulnerability.
-      #
-      # @yieldparam [SSTI] vuln
-      #   A discovered SSTI vulnerability in the URL.
+      # @api private
       #
-      # @return [Array<SSTI>]
-      #   All discovered SSTI vulnerabilities.
+      # @since 0.2.0
       #
-      def self.scan(url, escape: ESCAPES, **kwargs,&block)
-        vulns = []
+      def self.test_param(url, escape: ESCAPES.keys,
+                               # initialize keyword arguments
+                               http: , **kwargs)
+        Array(escape).each do |escape_value|
+          vuln = new(url, escape: escape_value, http: http, **kwargs)
 
-        Array(escape).each do |escape_char|
-          vulns.concat(super(url, escape: escape_char, **kwargs, &block))
+          return vuln if vuln.vulnerable?
         end
 
-        return vulns
+        return nil
       end
 
       #