bbot 2.3.0.5546rc0__py3-none-any.whl → 2.3.1.5815rc0__py3-none-any.whl

bbot/test/test_step_2/module_tests/test_module_ajaxpro.py

@@ -4,17 +4,9 @@ from .base import ModuleTestBase
 class TestAjaxpro(ModuleTestBase):
     targets = ["http://127.0.0.1:8888"]
     modules_overrides = ["httpx", "ajaxpro"]
-
-    http_response_data = """
-    <script src="ajax/AMBusinessFacades.AjaxUtils,AMBusinessFacades.ashx" type="text/javascript"></script><script type='text/javascript'>$(document).ready(function(){if (!(top.hasTouchScreen || (top.home && top.home.hasTouchScreen))){$('#ctl01_userid').trigger('focus').trigger('select');}});</script>
-    <script type="text/javascript">
-    if(typeof AjaxPro != "undefined") AjaxPro.noUtcTime = true;
-    </script>
-
-    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.NotificationsAjax,AMBusinessFacades.ashx"></script>
-    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.ReportingAjax,AMBusinessFacades.ashx"></script>
-    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.UsersAjax,AMBusinessFacades.ashx"></script>
-    <script type="text/javascript" src="/AcmeTest/ajax/FAServerControls.FAPage,FAServerControls.ashx"></script>
+    exploit_headers = {"X-Ajaxpro-Method": "AddItem", "Content-Type": "text/json; charset=UTF-8"}
+    exploit_response = """
+    null; r.error = {"Message":"Constructor on type 'AjaxPro.Services.ICartService' not found.","Type":"System.MissingMethodException"};/*
     """
 
     async def setup_before_prep(self, module_test):
@@ -28,29 +20,57 @@ class TestAjaxpro(ModuleTestBase):
         respond_args = {"status": 404}
         module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
 
-        # Simulate HTTP_RESPONSE detection
         expect_args = {"method": "GET", "uri": "/"}
-        respond_args = {"response_data": self.http_response_data}
+        respond_args = {"response_data": "alive"}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        # Simulate Vulnerability
+        expect_args = {"method": "POST", "uri": "/ajaxpro/AjaxPro.Services.ICartService,AjaxPro.2.ashx"}
+        respond_args = {"response_data": self.exploit_response}
         module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
 
     def check(self, module_test, events):
         ajaxpro_url_detection = False
-        ajaxpro_httpresponse_detection = False
+        ajaxpro_exploit_detection = False
 
         for e in events:
             if (
-                e.type == "FINDING"
-                and "Ajaxpro Detected (Version Unconfirmed) Trigger: [http://127.0.0.1:8888/ajaxpro/whatever.ashx]"
+                e.type == "VULNERABILITY"
+                and "Ajaxpro Deserialization RCE (CVE-2021-23758)" in e.data["description"]
+                and "http://127.0.0.1:8888/ajaxpro/AjaxPro.Services.ICartService,AjaxPro.2.ashx"
                 in e.data["description"]
             ):
+                ajaxpro_exploit_detection = True
+
+            if e.type == "TECHNOLOGY" and e.data["technology"] == "ajaxpro":
                 ajaxpro_url_detection = True
-                continue
-            if (
-                e.type == "FINDING"
-                and 'Ajaxpro Detected (Version Unconfirmed) Trigger: [<script src="ajax/AMBusinessFacades.AjaxUtils,AMBusinessFacades.ashx"]'
-            ):
-                ajaxpro_httpresponse_detection = True
-                continue
 
         assert ajaxpro_url_detection, "Ajaxpro URL probe detection failed"
+        assert ajaxpro_exploit_detection, "Ajaxpro Exploit detection failed"
+
+
+class TestAjaxpro_httpdetect(TestAjaxpro):
+    http_response_data = """
+    <script src="ajax/AMBusinessFacades.AjaxUtils,AMBusinessFacades.ashx" type="text/javascript"></script><script type='text/javascript'>$(document).ready(function(){if (!(top.hasTouchScreen || (top.home && top.home.hasTouchScreen))){$('#ctl01_userid').trigger('focus').trigger('select');}});</script>
+    <script type="text/javascript">
+    if(typeof AjaxPro != "undefined") AjaxPro.noUtcTime = true;
+    </script>
+
+    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.NotificationsAjax,AMBusinessFacades.ashx"></script>
+    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.ReportingAjax,AMBusinessFacades.ashx"></script>
+    <script type="text/javascript" src="/AcmeTest/ajax/AMBusinessFacades.UsersAjax,AMBusinessFacades.ashx"></script>
+    <script type="text/javascript" src="/AcmeTest/ajax/FAServerControls.FAPage,FAServerControls.ashx"></script>
+    """
+
+    async def setup_before_prep(self, module_test):
+        # Simulate HTTP_RESPONSE detection
+        expect_args = {"method": "GET", "uri": "/"}
+        respond_args = {"response_data": self.http_response_data}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+    def check(self, module_test, events):
+        ajaxpro_httpresponse_detection = False
+        for e in events:
+            if e.type == "TECHNOLOGY" and e.data["technology"] == "ajaxpro":
+                ajaxpro_httpresponse_detection = True
         assert ajaxpro_httpresponse_detection, "Ajaxpro HTTP_RESPONSE detection failed"

bbot/test/test_step_2/module_tests/test_module_azure_realm.py

@@ -27,6 +27,6 @@ class TestAzure_Realm(ModuleTestBase):
         )
 
     def check(self, module_test, events):
-        assert any(
-            e.data == "https://evilcorp.okta.com/app/office365/deadbeef/sso/wsfed/passive" for e in events
-        ), "Failed to detect URL"
+        assert any(e.data == "https://evilcorp.okta.com/app/office365/deadbeef/sso/wsfed/passive" for e in events), (
+            "Failed to detect URL"
+        )

bbot/test/test_step_2/module_tests/test_module_baddns.py

@@ -61,7 +61,7 @@ class TestBaddns_cname_signature(BaseTestBaddns):
 
     def check(self, module_test, events):
         assert any(e for e in events)
-        assert any(
-            e.type == "VULNERABILITY" and "bigcartel.com" in e.data["description"] for e in events
-        ), "Failed to emit VULNERABILITY"
+        assert any(e.type == "VULNERABILITY" and "bigcartel.com" in e.data["description"] for e in events), (
+            "Failed to emit VULNERABILITY"
+        )
         assert any("baddns-cname" in e.tags for e in events), "Failed to add baddns tag"

bbot/test/test_step_2/module_tests/test_module_bucket_amazon.py

@@ -70,14 +70,14 @@ class Bucket_Amazon_Base(ModuleTestBase):
 
     def check(self, module_test, events):
         # make sure buckets were excavated
-        assert any(
-            e.type == "STORAGE_BUCKET" and str(e.module) == f"cloud_{self.provider}" for e in events
-        ), f'bucket not found for module "{self.module_name}"'
+        assert any(e.type == "STORAGE_BUCKET" and str(e.module) == f"cloud_{self.provider}" for e in events), (
+            f'bucket not found for module "{self.module_name}"'
+        )
         # make sure open buckets were found
         if module_test.module.supports_open_check:
-            assert any(
-                e.type == "FINDING" and str(e.module) == self.module_name for e in events
-            ), f'open bucket not found for module "{self.module_name}"'
+            assert any(e.type == "FINDING" and str(e.module) == self.module_name for e in events), (
+                f'open bucket not found for module "{self.module_name}"'
+            )
             for e in events:
                 if e.type == "FINDING" and str(e.module) == self.module_name:
                     url = e.data.get("url", "")

bbot/test/test_step_2/module_tests/test_module_bufferoverrun.py

@@ -30,6 +30,6 @@ class TestBufferOverrunCommercial(ModuleTestBase):
         )
 
     def check(self, module_test, events):
-        assert any(
-            e.data == "sub.blacklanternsecurity.com" for e in events
-        ), "Failed to detect subdomain for commercial API"
+        assert any(e.data == "sub.blacklanternsecurity.com" for e in events), (
+            "Failed to detect subdomain for commercial API"
+        )

bbot/test/test_step_2/module_tests/test_module_cloudcheck.py

@@ -58,9 +58,9 @@ class TestCloudCheck(ModuleTestBase):
         for event in (aws_event3, other_event1):
             await module.handle_event(event)
             assert "cloud-amazon" not in event.tags, f"{event} was improperly cloud-tagged"
-            assert not any(
-                t for t in event.tags if t.startswith("cloud-") or t.startswith("cdn-")
-            ), f"{event} was improperly cloud-tagged"
+            assert not any(t for t in event.tags if t.startswith("cloud-") or t.startswith("cdn-")), (
+                f"{event} was improperly cloud-tagged"
+            )
 
         google_event1 = scan.make_event("asdf.googleapis.com", parent=scan.root_event)
         google_event2 = scan.make_event("asdf.google", parent=scan.root_event)

bbot/test/test_step_2/module_tests/test_module_dnsbimi.py

@@ -68,9 +68,9 @@ class TestBIMI(ModuleTestBase):
             for e in events
         ), "Failed to emit RAW_DNS_RECORD"
 
-        assert any(
-            e.type == "DNS_NAME" and e.data == "bimi.test.localdomain" for e in events
-        ), "Failed to emit DNS_NAME"
+        assert any(e.type == "DNS_NAME" and e.data == "bimi.test.localdomain" for e in events), (
+            "Failed to emit DNS_NAME"
+        )
 
         # This should be filtered by a default BBOT configuration
         assert not any(str(e.data) == "https://nondefault.thirdparty.tld/brand/logo.svg" for e in events)

bbot/test/test_step_2/module_tests/test_module_dnscaa.py

@@ -41,16 +41,16 @@ class TestDNSCAA(ModuleTestBase):
     def check(self, module_test, events):
         assert any(e.type == "DNS_NAME" and e.data == "comodoca.com" for e in events), "Failed to detect CA DNS name"
         assert any(e.type == "DNS_NAME" and e.data == "digicert.com" for e in events), "Failed to detect CA DNS name"
-        assert any(
-            e.type == "DNS_NAME" and e.data == "letsencrypt.org" for e in events
-        ), "Failed to detect CA DNS name"
+        assert any(e.type == "DNS_NAME" and e.data == "letsencrypt.org" for e in events), (
+            "Failed to detect CA DNS name"
+        )
         assert any(e.type == "DNS_NAME" and e.data == "pki.goog" for e in events), "Failed to detect CA DNS name"
         assert any(
             e.type == "URL_UNVERIFIED" and e.data == "https://caa.blacklanternsecurity.notreal/" for e in events
         ), "Failed to detect URL"
-        assert any(
-            e.type == "EMAIL_ADDRESS" and e.data == "caa@blacklanternsecurity.notreal" for e in events
-        ), "Failed to detect email address"
+        assert any(e.type == "EMAIL_ADDRESS" and e.data == "caa@blacklanternsecurity.notreal" for e in events), (
+            "Failed to detect email address"
+        )
         # make sure we're not checking CAA records for out-of-scope hosts
         assert not any(str(e.host) == "caa.comodoca.com" for e in events)
 

bbot/test/test_step_2/module_tests/test_module_dnscommonsrv.py

@@ -75,21 +75,21 @@ class TestDNSCommonSRV(ModuleTestBase):
                 and str(e.module) == "dnscommonsrv"
             ]
         ), "Failed to detect subdomain 2"
-        assert 2 == len(
-            [e for e in events if e.type == "DNS_NAME" and e.data == "asdf.blacklanternsecurity.com"]
-        ), "Failed to detect subdomain 3"
-        assert 1 == len(
-            [e for e in events if e.type == "DNS_NAME" and e.data == "api.blacklanternsecurity.com"]
-        ), "Failed to detect subdomain 4"
+        assert 2 == len([e for e in events if e.type == "DNS_NAME" and e.data == "asdf.blacklanternsecurity.com"]), (
+            "Failed to detect subdomain 3"
+        )
+        assert 1 == len([e for e in events if e.type == "DNS_NAME" and e.data == "api.blacklanternsecurity.com"]), (
+            "Failed to detect subdomain 4"
+        )
         assert 1 == len(
             [e for e in events if e.type == "DNS_NAME" and e.data == "test.api.blacklanternsecurity.com"]
         ), "Failed to detect subdomain 5"
         assert 1 == len(
             [e for e in events if e.type == "DNS_NAME" and e.data == "_msdcs.api.blacklanternsecurity.com"]
         ), "Failed to detect subdomain 5"
-        assert 1 == len(
-            [e for e in events if e.type == "DNS_NAME" and e.data == "blacklanternsecurity.com"]
-        ), "Failed to detect main domain"
+        assert 1 == len([e for e in events if e.type == "DNS_NAME" and e.data == "blacklanternsecurity.com"]), (
+            "Failed to detect main domain"
+        )
         assert 1 == len(
             [
                 e

bbot/test/test_step_2/module_tests/test_module_dnstlsrpt.py

@@ -34,21 +34,21 @@ class TestDNSTLSRPT(ModuleTestBase):
         )
 
     def check(self, module_test, events):
-        assert any(
-            e.type == "RAW_DNS_RECORD" and e.data["answer"] == raw_smtp_tls_txt for e in events
-        ), "Failed to emit RAW_DNS_RECORD"
-        assert any(
-            e.type == "DNS_NAME" and e.data == "sub.blacklanternsecurity.notreal" for e in events
-        ), "Failed to detect sub-domain"
+        assert any(e.type == "RAW_DNS_RECORD" and e.data["answer"] == raw_smtp_tls_txt for e in events), (
+            "Failed to emit RAW_DNS_RECORD"
+        )
+        assert any(e.type == "DNS_NAME" and e.data == "sub.blacklanternsecurity.notreal" for e in events), (
+            "Failed to detect sub-domain"
+        )
         assert any(
             e.type == "EMAIL_ADDRESS" and e.data == "tlsrpt@sub.blacklanternsecurity.notreal" for e in events
         ), "Failed to detect email address"
-        assert any(
-            e.type == "EMAIL_ADDRESS" and e.data == "test@on.thirdparty.com" for e in events
-        ), "Failed to detect third party email address"
-        assert any(
-            e.type == "URL_UNVERIFIED" and e.data == "https://tlspost.example.com/" for e in events
-        ), "Failed to detect third party URL"
+        assert any(e.type == "EMAIL_ADDRESS" and e.data == "test@on.thirdparty.com" for e in events), (
+            "Failed to detect third party email address"
+        )
+        assert any(e.type == "URL_UNVERIFIED" and e.data == "https://tlspost.example.com/" for e in events), (
+            "Failed to detect third party URL"
+        )
 
 
 class TestDNSTLSRPTRecursiveRecursion(TestDNSTLSRPT):

bbot/test/test_step_2/module_tests/test_module_excavate.py

@@ -396,9 +396,9 @@ class TestExcavateSerializationPositive(TestExcavate):
 
     def check(self, module_test, events):
         for serialize_type in ["Java", "DOTNET", "PHP_Array", "PHP_String", "PHP_Object", "Possible_Compressed"]:
-            assert any(
-                e.type == "FINDING" and serialize_type in e.data["description"] for e in events
-            ), f"Did not find {serialize_type} Serialized Object"
+            assert any(e.type == "FINDING" and serialize_type in e.data["description"] for e in events), (
+                f"Did not find {serialize_type} Serialized Object"
+            )
 
 
 class TestExcavateNonHttpScheme(TestExcavate):
@@ -975,14 +975,14 @@ A href <a href='/donot_detect.js'>Click me</a>"""
         assert open(file).read() == self.pdf_data, f"File at {file} does not contain the correct content"
         raw_text_events = [e for e in events if e.type == "RAW_TEXT"]
         assert 1 == len(raw_text_events), "Failed to emit RAW_TEXT event"
-        assert (
-            raw_text_events[0].data == self.extractous_response
-        ), f"Text extracted from PDF is incorrect, got {raw_text_events[0].data}"
+        assert raw_text_events[0].data == self.extractous_response, (
+            f"Text extracted from PDF is incorrect, got {raw_text_events[0].data}"
+        )
         email_events = [e for e in events if e.type == "EMAIL_ADDRESS"]
         assert 1 == len(email_events), "Failed to emit EMAIL_ADDRESS event"
-        assert (
-            email_events[0].data == "example@blacklanternsecurity.notreal"
-        ), f"Email extracted from extractous text is incorrect, got {email_events[0].data}"
+        assert email_events[0].data == "example@blacklanternsecurity.notreal", (
+            f"Email extracted from extractous text is incorrect, got {email_events[0].data}"
+        )
         finding_events = [e for e in events if e.type == "FINDING"]
         assert 2 == len(finding_events), "Failed to emit FINDING events"
         assert any(
@@ -1005,12 +1005,12 @@ A href <a href='/donot_detect.js'>Click me</a>"""
         ), f"Failed to emit serialized event got {finding_events}"
         assert finding_events[0].data["path"] == str(file), "File path not included in finding event"
         url_events = [e.data for e in events if e.type == "URL_UNVERIFIED"]
-        assert (
-            "https://www.test.notreal/about" in url_events
-        ), f"URL extracted from extractous text is incorrect, got {url_events}"
-        assert (
-            "/donot_detect.js" not in url_events
-        ), f"URL extracted from extractous text is incorrect, got {url_events}"
+        assert "https://www.test.notreal/about" in url_events, (
+            f"URL extracted from extractous text is incorrect, got {url_events}"
+        )
+        assert "/donot_detect.js" not in url_events, (
+            f"URL extracted from extractous text is incorrect, got {url_events}"
+        )
 
 
 class TestExcavateBadURLs(ModuleTestBase):

bbot/test/test_step_2/module_tests/test_module_extractous.py

@@ -42,9 +42,9 @@ class TestExtractous(ModuleTestBase):
         for filesystem_event in filesystem_events:
             file = Path(filesystem_event.data["path"])
             assert file.is_file(), "Destination file doesn't exist"
-            assert (
-                open(file, "rb").read() == self.pdf_data or open(file, "rb").read() == self.docx_data
-            ), f"File at {file} does not contain the correct content"
+            assert open(file, "rb").read() == self.pdf_data or open(file, "rb").read() == self.docx_data, (
+                f"File at {file} does not contain the correct content"
+            )
         raw_text_events = [e for e in events if e.type == "RAW_TEXT"]
         assert 2 == len(raw_text_events), "Failed to emit RAW_TEXT event"
         for raw_text_event in raw_text_events:

bbot/test/test_step_2/module_tests/test_module_ffuf_shortnames.py

@@ -31,7 +31,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -40,7 +40,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -49,7 +49,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -58,7 +58,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -67,7 +67,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -76,7 +76,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         seed_events.append(
@@ -139,7 +139,7 @@ class TestFFUFShortnames(ModuleTestBase):
                 "URL_HINT",
                 parent_event,
                 module="iis_shortnames",
-                tags=["shortname-file"],
+                tags=["shortname-endpoint"],
             )
         )
         module_test.scan.target.seeds.events = set(seed_events)
@@ -191,7 +191,7 @@ class TestFFUFShortnames(ModuleTestBase):
                     prefix_detection = True
                 if e.data == "http://127.0.0.1:8888/abcconsole.aspx":
                     delimiter_detection = True
-                if e.data == "http://127.0.0.1:8888/abcconsole.aspx":
+                if e.data == "http://127.0.0.1:8888/adm_directory/":
                     directory_delimiter_detection = True
                 if e.data == "http://127.0.0.1:8888/xyzdirectory/":
                     prefix_delimiter_detection = True

bbot/test/test_step_2/module_tests/test_module_generic_ssrf.py

@@ -42,7 +42,9 @@ class TestGeneric_SSRF(ModuleTestBase):
 
     def check(self, module_test, events):
         assert any(
-            e.type == "VULNERABILITY" and "Out-of-band interaction: [Generic SSRF (GET)]" in e.data["description"]
+            e.type == "VULNERABILITY"
+            and "Out-of-band interaction: [Generic SSRF (GET)]"
+            and "[Triggering Parameter: Dest]" in e.data["description"]
             for e in events
         ), "Failed to detect Generic SSRF (GET)"
         assert any(

bbot/test/test_step_2/module_tests/test_module_github_codesearch.py

@@ -99,6 +99,6 @@ Gnl54dJHT+EhlfY=
                 if e.type == "HTTP_RESPONSE" and e.data["url"] == self.github_file_url and e.scope_distance == 2
             ]
         ), "Failed to visit URL"
-        assert [
-            e for e in events if e.type == "FINDING" and str(e.module) == "trufflehog"
-        ], "Failed to find secret in repo file"
+        assert [e for e in events if e.type == "FINDING" and str(e.module) == "trufflehog"], (
+            "Failed to find secret in repo file"
+        )

bbot/test/test_step_2/module_tests/test_module_gowitness.py

@@ -46,15 +46,15 @@ class TestGowitness(ModuleTestBase):
     def check(self, module_test, events):
         webscreenshots = [e for e in events if e.type == "WEBSCREENSHOT"]
         assert webscreenshots, "failed to raise WEBSCREENSHOT events"
-        assert not any(
-            "blob" in e.data for e in webscreenshots
-        ), "blob was included in WEBSCREENSHOT data when it shouldn't have been"
+        assert not any("blob" in e.data for e in webscreenshots), (
+            "blob was included in WEBSCREENSHOT data when it shouldn't have been"
+        )
 
         screenshots_path = self.home_dir / "scans" / module_test.scan.name / "gowitness" / "screenshots"
         screenshots = list(screenshots_path.glob("*.png"))
-        assert (
-            len(screenshots) == 1
-        ), f"{len(screenshots):,} .png files found at {screenshots_path}, should have been 1"
+        assert len(screenshots) == 1, (
+            f"{len(screenshots):,} .png files found at {screenshots_path}, should have been 1"
+        )
         assert 1 == len([e for e in events if e.type == "URL" and e.data == "http://127.0.0.1:8888/"])
         assert 1 == len(
             [e for e in events if e.type == "URL_UNVERIFIED" and e.data == "https://fonts.googleapis.com/"]
@@ -75,9 +75,9 @@ class TestGowitness_Social(TestGowitness):
     def check(self, module_test, events):
         screenshots_path = self.home_dir / "scans" / module_test.scan.name / "gowitness" / "screenshots"
         screenshots = list(screenshots_path.glob("*.png"))
-        assert (
-            len(screenshots) == 2
-        ), f"{len(screenshots):,} .png files found at {screenshots_path}, should have been 2"
+        assert len(screenshots) == 2, (
+            f"{len(screenshots):,} .png files found at {screenshots_path}, should have been 2"
+        )
         assert 2 == len([e for e in events if e.type == "WEBSCREENSHOT"])
         assert 1 == len(
             [

bbot/test/test_step_2/module_tests/test_module_iis_shortnames.py

@@ -52,7 +52,7 @@ class TestIIS_Shortnames(ModuleTestBase):
         vulnerabilityEmitted = False
         url_hintEmitted = False
         for e in events:
-            if e.type == "VULNERABILITY":
+            if e.type == "VULNERABILITY" and "iis-magic-url" not in e.tags:
                 vulnerabilityEmitted = True
             if e.type == "URL_HINT" and e.data == "http://127.0.0.1:8888/BLSHAX~1":
                 url_hintEmitted = True

bbot/test/test_step_2/module_tests/test_module_paramminer_getparams.py

@@ -193,9 +193,12 @@ class TestParamminer_Getparams_finish(Paramminer_Headers):
 class TestParamminer_Getparams_xmlspeculative(Paramminer_Headers):
     targets = ["http://127.0.0.1:8888/"]
     modules_overrides = ["httpx", "excavate", "paramminer_getparams"]
-    config_overrides = {"modules": {"paramminer_getparams": {"wordlist": tempwordlist([]), "recycle_words": False}}}
+    config_overrides = {
+        "modules": {"paramminer_getparams": {"wordlist": tempwordlist(["data", "common"]), "recycle_words": False}}
+    }
     getparam_extract_xml = """
     <data>
+     <junkparameter>1</junkparameter>
      <obscureParameter>1</obscureParameter>
          <common>1</common>
      </data>
@@ -242,3 +245,34 @@ class TestParamminer_Getparams_xmlspeculative(Paramminer_Headers):
 
         assert excavate_discovered_speculative, "Excavate failed to discover speculative xml parameter"
         assert paramminer_used_speculative, "Paramminer failed to confirm speculative GET parameter"
+
+
+class TestParamminer_Getparams_filter_static(TestParamminer_Getparams_finish):
+    targets = ["http://127.0.0.1:8888/test1.php", "http://127.0.0.1:8888/test2.pdf"]
+
+    test_1_html = """
+    <html><a href="/test2.pdf?abcd1234=foo">paramstest2</a></html>
+    """
+
+    def check(self, module_test, events):
+        found_hidden_getparam_recycled = False
+        emitted_excavate_paramminer_duplicate = False
+
+        for e in events:
+            if e.type == "WEB_PARAMETER":
+                if (
+                    "http://127.0.0.1:8888/test1.php" in e.data["url"]
+                    and "[Paramminer] Getparam: [abcd1234] Reasons: [body] Reflection: [False]"
+                    in e.data["description"]
+                ):
+                    found_hidden_getparam_recycled = True
+
+                if (
+                    "http://127.0.0.1:8888/test2.pdf" in e.data["url"]
+                    and "[Paramminer] Getparam: [abcd1234] Reasons: [body] Reflection: [False]"
+                    in e.data["description"]
+                ):
+                    emitted_excavate_paramminer_duplicate = True
+
+        assert found_hidden_getparam_recycled, "Failed to find hidden GET parameter"
+        assert not emitted_excavate_paramminer_duplicate, "Paramminer emitted parameter for static URL"

bbot/test/test_step_2/module_tests/test_module_paramminer_headers.py

@@ -150,6 +150,6 @@ class TestParamminer_Headers_extract_norecycle(TestParamminer_Headers_extract):
                 if "HTTP Extracted Parameter [foo] (HTML Tags Submodule)" in e.data["description"]:
                     excavate_extracted_web_parameter = True
 
-        assert (
-            not excavate_extracted_web_parameter
-        ), "Excavate extract WEB_PARAMETER despite disabling parameter extraction"
+        assert not excavate_extracted_web_parameter, (
+            "Excavate extract WEB_PARAMETER despite disabling parameter extraction"
+        )

bbot/test/test_step_2/module_tests/test_module_portfilter.py

@@ -0,0 +1,48 @@
+from .base import ModuleTestBase
+
+
+class TestPortfilter_disabled(ModuleTestBase):
+    modules_overrides = []
+
+    async def setup_before_prep(self, module_test):
+        from bbot.modules.base import BaseModule
+
+        class DummyModule(BaseModule):
+            _name = "dummy_module"
+            watched_events = ["DNS_NAME"]
+
+            async def handle_event(self, event):
+                if event.type == "DNS_NAME" and event.data == "blacklanternsecurity.com":
+                    await self.emit_event(
+                        "www.blacklanternsecurity.com:443",
+                        "OPEN_TCP_PORT",
+                        parent=event,
+                        tags=["cdn-ip", "cdn-amazon"],
+                    )
+                    # when portfilter is enabled, this should be filtered out
+                    await self.emit_event(
+                        "www.blacklanternsecurity.com:8080",
+                        "OPEN_TCP_PORT",
+                        parent=event,
+                        tags=["cdn-ip", "cdn-amazon"],
+                    )
+                    await self.emit_event("www.blacklanternsecurity.com:21", "OPEN_TCP_PORT", parent=event)
+
+        module_test.scan.modules["dummy_module"] = DummyModule(module_test.scan)
+
+    def check(self, module_test, events):
+        open_ports = {event.data for event in events if event.type == "OPEN_TCP_PORT"}
+        assert open_ports == {
+            "www.blacklanternsecurity.com:443",
+            "www.blacklanternsecurity.com:8080",
+            "www.blacklanternsecurity.com:21",
+        }
+
+
+class TestPortfilter_enabled(TestPortfilter_disabled):
+    modules_overrides = ["portfilter"]
+
+    def check(self, module_test, events):
+        open_ports = {event.data for event in events if event.type == "OPEN_TCP_PORT"}
+        # we should be missing the 8080 port because it's a CDN and not in portfilter's allowed list of open ports
+        assert open_ports == {"www.blacklanternsecurity.com:443", "www.blacklanternsecurity.com:21"}