bbot 2.2.0.5242rc0__py3-none-any.whl → 2.2.0.5279rc0__py3-none-any.whl

bbot/scanner/preset/args.py

@@ -91,7 +91,6 @@ class BBOTArgs:
             *self.parsed.targets,
             whitelist=self.parsed.whitelist,
             blacklist=self.parsed.blacklist,
-            strict_scope=self.parsed.strict_scope,
             name="args_preset",
         )
 
@@ -149,6 +148,9 @@ class BBOTArgs:
         if self.parsed.force:
             args_preset.force_start = self.parsed.force
 
+        if self.parsed.proxy:
+            args_preset.core.merge_custom({"web": {"http_proxy": self.parsed.proxy}})
+
         if self.parsed.custom_headers:
             args_preset.core.merge_custom({"web": {"http_headers": self.parsed.custom_headers}})
 
@@ -165,6 +167,10 @@ class BBOTArgs:
             except Exception as e:
                 raise BBOTArgumentError(f'Error parsing command-line config option: "{config_arg}": {e}')
 
+        # strict scope
+        if self.parsed.strict_scope:
+            args_preset.core.merge_custom({"scope": {"strict": True}})
+
         return args_preset
 
     def create_parser(self, *args, **kwargs):
@@ -265,6 +271,11 @@ class BBOTArgs:
             help="Run scan even in the case of condition violations or failed module setups",
         )
         scan.add_argument("-y", "--yes", action="store_true", help="Skip scan confirmation prompt")
+        scan.add_argument(
+            "--fast-mode",
+            action="store_true",
+            help="Scan only the provided targets as fast as possible, with no extra discovery",
+        )
         scan.add_argument("--dry-run", action="store_true", help=f"Abort before executing scan")
         scan.add_argument(
             "--current-preset",
@@ -310,6 +321,7 @@ class BBOTArgs:
 
         misc = p.add_argument_group(title="Misc")
         misc.add_argument("--version", action="store_true", help="show BBOT version and exit")
+        misc.add_argument("--proxy", help="Use this proxy for all HTTP requests", metavar="HTTP_PROXY")
         misc.add_argument(
             "-H",
             "--custom-headers",
@@ -359,6 +371,10 @@ class BBOTArgs:
             custom_headers_dict[k] = v
         self.parsed.custom_headers = custom_headers_dict
 
+        # --fast-mode
+        if self.parsed.fast_mode:
+            self.parsed.preset += ["fast"]
+
     def validate(self):
         # validate config options
         sentinel = object()

bbot/scanner/preset/preset.py

@@ -47,7 +47,6 @@ class Preset:
         target (Target): Target(s) of scan.
         whitelist (Target): Scan whitelist (by default this is the same as `target`).
         blacklist (Target): Scan blacklist (this takes ultimate precedence).
-        strict_scope (bool): If True, subdomains of targets are not considered to be in-scope.
         helpers (ConfigAwareHelper): Helper containing various reusable functions, regexes, etc.
         output_dir (pathlib.Path): Output directory for scan.
         scan_name (str): Name of scan. Defaults to random value, e.g. "demonic_jimmy".
@@ -87,7 +86,6 @@ class Preset:
         *targets,
         whitelist=None,
         blacklist=None,
-        strict_scope=False,
         modules=None,
         output_modules=None,
         exclude_modules=None,
@@ -117,7 +115,6 @@ class Preset:
             *targets (str): Target(s) to scan. Types supported: hostnames, IPs, CIDRs, emails, open ports.
             whitelist (list, optional): Whitelisted target(s) to scan. Defaults to the same as `targets`.
             blacklist (list, optional): Blacklisted target(s). Takes ultimate precedence. Defaults to empty.
-            strict_scope (bool, optional): If True, subdomains of targets are not in-scope.
             modules (list[str], optional): List of scan modules to enable for the scan. Defaults to empty list.
             output_modules (list[str], optional): List of output modules to use. Defaults to csv, human, and json.
             exclude_modules (list[str], optional): List of modules to exclude from the scan.
@@ -234,7 +231,6 @@ class Preset:
         self.module_dirs = module_dirs
 
         # target / whitelist / blacklist
-        self.strict_scope = strict_scope
         # these are temporary receptacles until they all get .baked() together
         self._seeds = set(targets if targets else [])
         self._whitelist = set(whitelist) if whitelist else whitelist
@@ -353,7 +349,6 @@ class Preset:
             else:
                 self._whitelist.update(other._whitelist)
         self._blacklist.update(other._blacklist)
-        self.strict_scope = self.strict_scope or other.strict_scope
 
         # module dirs
         self.module_dirs = self.module_dirs.union(other.module_dirs)
@@ -537,6 +532,14 @@ class Preset:
     def web_config(self):
         return self.core.config.get("web", {})
 
+    @property
+    def scope_config(self):
+        return self.config.get("scope", {})
+
+    @property
+    def strict_scope(self):
+        return self.scope_config.get("strict", False)
+
     def apply_log_level(self, apply_core=False):
         # silent takes precedence
         if self.silent:
@@ -635,7 +638,6 @@ class Preset:
             debug=preset_dict.get("debug", False),
             silent=preset_dict.get("silent", False),
             config=preset_dict.get("config"),
-            strict_scope=preset_dict.get("strict_scope", False),
             module_dirs=preset_dict.get("module_dirs", []),
             include=list(preset_dict.get("include", [])),
             scan_name=preset_dict.get("scan_name"),
@@ -764,8 +766,6 @@ class Preset:
                 preset_dict["whitelist"] = whitelist
             if blacklist:
                 preset_dict["blacklist"] = blacklist
-        if self.strict_scope:
-            preset_dict["strict_scope"] = True
 
         # flags + modules
         if self.require_flags:

bbot/scanner/scanner.py

@@ -10,11 +10,11 @@ from datetime import datetime
 from collections import OrderedDict
 
 from bbot import __version__
-
 from bbot.core.event import make_event
 from .manager import ScanIngress, ScanEgress
 from bbot.core.helpers.misc import sha1, rand_string
 from bbot.core.helpers.names_generator import random_name
+from bbot.core.multiprocess import SHARED_INTERPRETER_STATE
 from bbot.core.helpers.async_helpers import async_to_sync_gen
 from bbot.errors import BBOTError, ScanError, ValidationError
 
@@ -259,6 +259,9 @@ class Scanner:
         Creates the scan's output folder, loads its modules, and calls their .setup() methods.
         """
 
+        # update the master PID
+        SHARED_INTERPRETER_STATE.update_scan_pid()
+
         self.helpers.mkdir(self.home)
         if not self._prepped:
             # save scan preset

bbot/test/bbot_fixtures.py

@@ -15,8 +15,8 @@ from werkzeug.wrappers import Request
 from bbot.errors import *  # noqa: F401
 from bbot.core import CORE
 from bbot.scanner import Preset
-from bbot.core.helpers.misc import mkdir, rand_string
 from bbot.core.helpers.async_helpers import get_event_loop
+from bbot.core.helpers.misc import mkdir, rand_string, get_python_constraints
 
 
 log = logging.getLogger(f"bbot.test.fixtures")
@@ -229,4 +229,7 @@ def install_all_python_deps():
     deps_pip = set()
     for module in DEFAULT_PRESET.module_loader.preloaded().values():
         deps_pip.update(set(module.get("deps", {}).get("pip", [])))
-    subprocess.run([sys.executable, "-m", "pip", "install"] + list(deps_pip))
+
+    constraint_file = tempwordlist(get_python_constraints())
+
+    subprocess.run([sys.executable, "-m", "pip", "install", "--constraint", constraint_file] + list(deps_pip))

bbot/test/conftest.py

@@ -16,7 +16,6 @@ from bbot.core.helpers.interactsh import server_list as interactsh_servers
 # silence stdout + trace
 root_logger = logging.getLogger()
 pytest_debug_file = Path(__file__).parent.parent.parent / "pytest_debug.log"
-print(f"pytest_debug_file: {pytest_debug_file}")
 debug_handler = logging.FileHandler(pytest_debug_file)
 debug_handler.setLevel(logging.DEBUG)
 debug_format = logging.Formatter("%(asctime)s [%(levelname)s] %(name)s %(filename)s:%(lineno)s %(message)s")
@@ -95,9 +94,21 @@ def bbot_httpserver_ssl():
     server.clear()
 
 
-@pytest.fixture
-def non_mocked_hosts() -> list:
-    return ["127.0.0.1", "localhost", "raw.githubusercontent.com"] + interactsh_servers
+def should_mock(request):
+    return not request.url.host in ["127.0.0.1", "localhost", "raw.githubusercontent.com"] + interactsh_servers
+
+
+def pytest_collection_modifyitems(config, items):
+    # make sure all tests have the httpx_mock marker
+    for item in items:
+        item.add_marker(
+            pytest.mark.httpx_mock(
+                should_mock=should_mock,
+                assert_all_requests_were_expected=False,
+                assert_all_responses_were_requested=False,
+                can_send_already_matched_responses=True,
+            )
+        )
 
 
 @pytest.fixture
@@ -240,80 +251,80 @@ def pytest_terminal_summary(terminalreporter, exitstatus, config):  # pragma: no
 
 
 # BELOW: debugging for frozen/hung tests
-# import psutil
-# import traceback
-# import inspect
-
-
-# def _print_detailed_info():  # pragma: no cover
-#     """
-#     Debugging pytests hanging
-#     """
-#     print("=== Detailed Thread and Process Information ===\n")
-#     try:
-#         print("=== Threads ===")
-#         for thread in threading.enumerate():
-#             print(f"Thread Name: {thread.name}")
-#             print(f"Thread ID: {thread.ident}")
-#             print(f"Is Alive: {thread.is_alive()}")
-#             print(f"Daemon: {thread.daemon}")
-
-#             if hasattr(thread, "_target"):
-#                 target = thread._target
-#                 if target:
-#                     qualname = (
-#                         f"{target.__module__}.{target.__qualname__}"
-#                         if hasattr(target, "__qualname__")
-#                         else str(target)
-#                     )
-#                     print(f"Target Function: {qualname}")
-
-#                     if hasattr(thread, "_args"):
-#                         args = thread._args
-#                         kwargs = thread._kwargs if hasattr(thread, "_kwargs") else {}
-#                         arg_spec = inspect.getfullargspec(target)
-
-#                         all_args = list(args) + [f"{k}={v}" for k, v in kwargs.items()]
-
-#                         if inspect.ismethod(target) and arg_spec.args[0] == "self":
-#                             arg_spec.args.pop(0)
-
-#                         named_args = list(zip(arg_spec.args, all_args))
-#                         if arg_spec.varargs:
-#                             named_args.extend((f"*{arg_spec.varargs}", arg) for arg in all_args[len(arg_spec.args) :])
-
-#                         print("Arguments:")
-#                         for name, value in named_args:
-#                             print(f"  {name}: {value}")
-#                 else:
-#                     print("Target Function: None")
-#             else:
-#                 print("Target Function: Unknown")
-
-#             print()
-
-#         print("=== Processes ===")
-#         current_process = psutil.Process()
-#         for child in current_process.children(recursive=True):
-#             print(f"Process ID: {child.pid}")
-#             print(f"Name: {child.name()}")
-#             print(f"Status: {child.status()}")
-#             print(f"CPU Times: {child.cpu_times()}")
-#             print(f"Memory Info: {child.memory_info()}")
-#             print()
-
-#         print("=== Current Process ===")
-#         print(f"Process ID: {current_process.pid}")
-#         print(f"Name: {current_process.name()}")
-#         print(f"Status: {current_process.status()}")
-#         print(f"CPU Times: {current_process.cpu_times()}")
-#         print(f"Memory Info: {current_process.memory_info()}")
-#         print()
-
-#     except Exception as e:
-#         print(f"An error occurred: {str(e)}")
-#         print("Traceback:")
-#         traceback.print_exc()
+import psutil
+import traceback
+import inspect
+
+
+def _print_detailed_info():  # pragma: no cover
+    """
+    Debugging pytests hanging
+    """
+    print("=== Detailed Thread and Process Information ===\n")
+    try:
+        print("=== Threads ===")
+        for thread in threading.enumerate():
+            print(f"Thread Name: {thread.name}")
+            print(f"Thread ID: {thread.ident}")
+            print(f"Is Alive: {thread.is_alive()}")
+            print(f"Daemon: {thread.daemon}")
+
+            if hasattr(thread, "_target"):
+                target = thread._target
+                if target:
+                    qualname = (
+                        f"{target.__module__}.{target.__qualname__}"
+                        if hasattr(target, "__qualname__")
+                        else str(target)
+                    )
+                    print(f"Target Function: {qualname}")
+
+                    if hasattr(thread, "_args"):
+                        args = thread._args
+                        kwargs = thread._kwargs if hasattr(thread, "_kwargs") else {}
+                        arg_spec = inspect.getfullargspec(target)
+
+                        all_args = list(args) + [f"{k}={v}" for k, v in kwargs.items()]
+
+                        if inspect.ismethod(target) and arg_spec.args[0] == "self":
+                            arg_spec.args.pop(0)
+
+                        named_args = list(zip(arg_spec.args, all_args))
+                        if arg_spec.varargs:
+                            named_args.extend((f"*{arg_spec.varargs}", arg) for arg in all_args[len(arg_spec.args) :])
+
+                        print("Arguments:")
+                        for name, value in named_args:
+                            print(f"  {name}: {value}")
+                else:
+                    print("Target Function: None")
+            else:
+                print("Target Function: Unknown")
+
+            print()
+
+        print("=== Processes ===")
+        current_process = psutil.Process()
+        for child in current_process.children(recursive=True):
+            print(f"Process ID: {child.pid}")
+            print(f"Name: {child.name()}")
+            print(f"Status: {child.status()}")
+            print(f"CPU Times: {child.cpu_times()}")
+            print(f"Memory Info: {child.memory_info()}")
+            print()
+
+        print("=== Current Process ===")
+        print(f"Process ID: {current_process.pid}")
+        print(f"Name: {current_process.name()}")
+        print(f"Status: {current_process.status()}")
+        print(f"CPU Times: {current_process.cpu_times()}")
+        print(f"Memory Info: {current_process.memory_info()}")
+        print()
+
+    except Exception as e:
+        print(f"An error occurred: {str(e)}")
+        print("Traceback:")
+        traceback.print_exc()
 
 
 @pytest.hookimpl(tryfirst=True, hookwrapper=True)
@@ -331,11 +342,11 @@ def pytest_sessionfinish(session, exitstatus):
     yield
 
     # temporarily suspend stdout capture and print detailed thread info
-    # capmanager = session.config.pluginmanager.get_plugin("capturemanager")
-    # if capmanager:
-    #     capmanager.suspend_global_capture(in_=True)
+    capmanager = session.config.pluginmanager.get_plugin("capturemanager")
+    if capmanager:
+        capmanager.suspend_global_capture(in_=True)
 
-    # _print_detailed_info()
+    _print_detailed_info()
 
-    # if capmanager:
-    #     capmanager.resume_global_capture()
+    if capmanager:
+        capmanager.resume_global_capture()

bbot/test/fastapi_test.py

@@ -0,0 +1,17 @@
+from typing import List
+from bbot import Scanner
+from fastapi import FastAPI, Query
+
+app = FastAPI()
+
+
+@app.get("/start")
+async def start(targets: List[str] = Query(...)):
+    scanner = Scanner(*targets, modules=["httpx"])
+    events = [e async for e in scanner.async_start()]
+    return [e.json() for e in events]
+
+
+@app.get("/ping")
+async def ping():
+    return {"status": "ok"}

bbot/test/test_step_1/test_bbot_fastapi.py

@@ -0,0 +1,82 @@
+import time
+import httpx
+import multiprocessing
+from pathlib import Path
+from subprocess import Popen
+from contextlib import suppress
+
+cwd = Path(__file__).parent.parent.parent
+
+
+def run_bbot_multiprocess(queue):
+    from bbot import Scanner
+
+    scan = Scanner("http://127.0.0.1:8888", "blacklanternsecurity.com", modules=["httpx"])
+    events = [e.json() for e in scan.start()]
+    queue.put(events)
+
+
+def test_bbot_multiprocess(bbot_httpserver):
+
+    bbot_httpserver.expect_request("/").respond_with_data("test@blacklanternsecurity.com")
+
+    queue = multiprocessing.Queue()
+    events_process = multiprocessing.Process(target=run_bbot_multiprocess, args=(queue,))
+    events_process.start()
+    events_process.join()
+    events = queue.get()
+    assert len(events) >= 3
+    scan_events = [e for e in events if e["type"] == "SCAN"]
+    assert len(scan_events) == 2
+    assert any([e["data"] == "test@blacklanternsecurity.com" for e in events])
+
+
+def test_bbot_fastapi(bbot_httpserver):
+
+    bbot_httpserver.expect_request("/").respond_with_data("test@blacklanternsecurity.com")
+    fastapi_process = start_fastapi_server()
+
+    try:
+
+        # wait for the server to start with a timeout of 60 seconds
+        start_time = time.time()
+        while True:
+            try:
+                response = httpx.get("http://127.0.0.1:8978/ping")
+                response.raise_for_status()
+                break
+            except httpx.HTTPError:
+                if time.time() - start_time > 60:
+                    raise TimeoutError("Server did not start within 60 seconds.")
+                time.sleep(0.1)
+                continue
+
+        # run a scan
+        response = httpx.get(
+            "http://127.0.0.1:8978/start",
+            params={"targets": ["http://127.0.0.1:8888", "blacklanternsecurity.com"]},
+            timeout=100,
+        )
+        events = response.json()
+        assert len(events) >= 3
+        scan_events = [e for e in events if e["type"] == "SCAN"]
+        assert len(scan_events) == 2
+        assert any([e["data"] == "test@blacklanternsecurity.com" for e in events])
+
+    finally:
+        with suppress(Exception):
+            fastapi_process.terminate()
+
+
+def start_fastapi_server():
+    import os
+    import sys
+
+    env = os.environ.copy()
+    with suppress(KeyError):
+        del env["BBOT_TESTING"]
+    python_executable = str(sys.executable)
+    process = Popen(
+        [python_executable, "-m", "uvicorn", "bbot.test.fastapi_test:app", "--port", "8978"], cwd=cwd, env=env
+    )
+    return process

bbot/test/test_step_1/test_cli.py

@@ -626,6 +626,35 @@ config:
     stdout_preset = yaml.safe_load(captured.out)
     assert stdout_preset["config"]["web"]["http_proxy"] == "http://proxy2"
 
+    # --fast-mode
+    monkeypatch.setattr("sys.argv", ["bbot", "--current-preset"])
+    cli.main()
+    captured = capsys.readouterr()
+    stdout_preset = yaml.safe_load(captured.out)
+    assert list(stdout_preset) == ["description"]
+
+    monkeypatch.setattr("sys.argv", ["bbot", "--fast", "--current-preset"])
+    cli.main()
+    captured = capsys.readouterr()
+    stdout_preset = yaml.safe_load(captured.out)
+    stdout_preset.pop("description")
+    assert stdout_preset == {
+        "config": {
+            "scope": {"strict": True},
+            "dns": {"minimal": True},
+            "modules": {"speculate": {"essential_only": True}},
+        },
+        "exclude_modules": ["excavate"],
+    }
+
+    # --proxy
+    monkeypatch.setattr("sys.argv", ["bbot", "--proxy", "http://127.0.0.1:8080", "--current-preset"])
+    cli.main()
+    captured = capsys.readouterr()
+    stdout_preset = yaml.safe_load(captured.out)
+    stdout_preset.pop("description")
+    assert stdout_preset == {"config": {"web": {"http_proxy": "http://127.0.0.1:8080"}}}
+
     # cli config overrides all presets
     monkeypatch.setattr(
         "sys.argv",

bbot/test/test_step_1/test_dns.py

@@ -631,6 +631,42 @@ def custom_lookup(query, rdtype):
     assert len(modified_wildcard_events) == 0
 
 
+@pytest.mark.asyncio
+async def test_wildcard_deduplication(bbot_scanner):
+
+    custom_lookup = """
+def custom_lookup(query, rdtype):
+    if rdtype == "TXT" and query.strip(".").endswith("evilcorp.com"):
+        return {""}
+"""
+
+    mock_data = {
+        "evilcorp.com": {"A": ["127.0.0.1"]},
+    }
+
+    from bbot.modules.base import BaseModule
+
+    class DummyModule(BaseModule):
+        watched_events = ["DNS_NAME"]
+        per_domain_only = True
+
+        async def handle_event(self, event):
+            for i in range(30):
+                await self.emit_event(f"www{i}.evilcorp.com", "DNS_NAME", parent=event)
+
+    # scan without omitted event type
+    scan = bbot_scanner(
+        "evilcorp.com", config={"dns": {"minimal": False, "wildcard_ignore": []}, "omit_event_types": []}
+    )
+    await scan.helpers.dns._mock_dns(mock_data, custom_lookup_fn=custom_lookup)
+    dummy_module = DummyModule(scan)
+    scan.modules["dummy_module"] = dummy_module
+    events = [e async for e in scan.async_start()]
+    dns_name_events = [e for e in events if e.type == "DNS_NAME"]
+    assert len(dns_name_events) == 2
+    assert 1 == len([e for e in dns_name_events if e.data == "_wildcard.evilcorp.com"])
+
+
 @pytest.mark.asyncio
 async def test_dns_raw_records(bbot_scanner):
 

bbot/test/test_step_1/test_events.py

@@ -484,7 +484,6 @@ async def test_events(events, helpers):
     json_event = db_event.json()
     assert isinstance(json_event["uuid"], str)
     assert json_event["uuid"] == str(db_event.uuid)
-    print(f"{json_event} / {db_event.uuid} / {db_event.parent_uuid} / {scan.root_event.uuid}")
     assert json_event["parent_uuid"] == str(scan.root_event.uuid)
     assert json_event["scope_distance"] == 1
     assert json_event["data"] == "evilcorp.com:80"
@@ -966,3 +965,35 @@ def test_event_magic():
     assert event.tags == {"folder"}
 
     zip_file.unlink()
+
+
+def test_event_hashing():
+    scan = Scanner("example.com")
+    url_event = scan.make_event("https://api.example.com/", "URL_UNVERIFIED", parent=scan.root_event)
+    host_event_1 = scan.make_event("www.example.com", "DNS_NAME", parent=url_event)
+    host_event_2 = scan.make_event("test.example.com", "DNS_NAME", parent=url_event)
+    finding_data = {"description": "Custom Yara Rule [find_string] Matched via identifier [str1]"}
+    finding1 = scan.make_event(finding_data, "FINDING", parent=host_event_1)
+    finding2 = scan.make_event(finding_data, "FINDING", parent=host_event_2)
+    finding3 = scan.make_event(finding_data, "FINDING", parent=host_event_2)
+
+    assert finding1.data == {
+        "description": "Custom Yara Rule [find_string] Matched via identifier [str1]",
+        "host": "www.example.com",
+    }
+    assert finding2.data == {
+        "description": "Custom Yara Rule [find_string] Matched via identifier [str1]",
+        "host": "test.example.com",
+    }
+    assert finding3.data == {
+        "description": "Custom Yara Rule [find_string] Matched via identifier [str1]",
+        "host": "test.example.com",
+    }
+    assert finding1.id != finding2.id
+    assert finding2.id == finding3.id
+    assert finding1.data_id != finding2.data_id
+    assert finding2.data_id == finding3.data_id
+    assert finding1.data_hash != finding2.data_hash
+    assert finding2.data_hash == finding3.data_hash
+    assert hash(finding1) != hash(finding2)
+    assert hash(finding2) == hash(finding3)

bbot/test/test_step_1/test_modules_basic.py

@@ -10,9 +10,6 @@ from bbot.modules.internal.base import BaseInternalModule
 
 @pytest.mark.asyncio
 async def test_modules_basic_checks(events, httpx_mock):
-    for http_method in ("GET", "CONNECT", "HEAD", "POST", "PUT", "TRACE", "DEBUG", "PATCH", "DELETE", "OPTIONS"):
-        httpx_mock.add_response(method=http_method, url=re.compile(r".*"), json={"test": "test"})
-
     from bbot.scanner import Scanner
 
     scan = Scanner(config={"omit_event_types": ["URL_UNVERIFIED"]})

bbot/test/test_step_1/test_presets.py

@@ -86,7 +86,6 @@ def test_preset_yaml(clean_default_config):
         debug=False,
         silent=True,
         config={"preset_test_asdf": 1},
-        strict_scope=False,
     )
     preset1 = preset1.bake()
     assert "evilcorp.com" in preset1.target
@@ -210,7 +209,7 @@ def test_preset_scope():
         "evilcorp.org",
         whitelist=["evilcorp.de"],
         blacklist=["test.www.evilcorp.de"],
-        strict_scope=True,
+        config={"scope": {"strict": True}},
     )
 
     preset1.merge(preset3)

bbot/test/test_step_1/test_web.py

@@ -471,6 +471,9 @@ async def test_web_cookies(bbot_scanner, httpx_mock):
     # but that they're not sent in the response
     with pytest.raises(httpx.TimeoutException):
         r = await client2.get(url="http://www2.evilcorp.com/cookies/test")
+    # make sure cookies are sent
+    r = await client2.get(url="http://www2.evilcorp.com/cookies/test", cookies={"wats": "fdsa"})
+    assert r.status_code == 200
     # make sure we can manually send cookies
     httpx_mock.add_response(url="http://www2.evilcorp.com/cookies/test2", match_headers={"Cookie": "fdsa=wats"})
     r = await client2.get(url="http://www2.evilcorp.com/cookies/test2", cookies={"fdsa": "wats"})