bbot 2.4.2.6109rc0__py3-none-any.whl → 2.4.2.6596rc0__py3-none-any.whl

bbot/modules/lightfuzz/submodules/xss.py

@@ -0,0 +1,191 @@
+from .base import BaseLightfuzz
+
+import regex as re
+
+
+class xss(BaseLightfuzz):
+    """
+    Detects Reflected Cross-Site Scripting vulnerabilities across multiple contexts and techniques
+
+    * Context Detection:
+       - Between HTML Tags: <tag>injection</tag>
+       - Within Tag Attributes: <tag attribute="injection">
+       - Inside JavaScript: <script>var x = 'injection'</script>
+
+    * Context-Specific Testing:
+       - Between Tags: Tests basic HTML injection and tag creation
+       - Tag Attributes: Tests quote escaping and JavaScript event handlers
+       - JavaScript Context: Tests string delimiter breaking and script tag termination
+       - Handles both single and double quote contexts in JavaScript
+
+    Can often detect through WAFs, since it does not attempt to construct an exploitation payload
+    """
+
+    friendly_name = "Cross-Site Scripting"
+
+    async def determine_context(self, cookies, html, random_string):
+        """
+        Determines the context of the random string in the HTML response.
+        With XSS, the context is what kind part of the page the injection is occuring in, which determine what payloads might be successful
+
+        https://portswigger.net/web-security/cross-site-scripting/contexts
+        """
+        between_tags = False
+        in_tag_attribute = False
+        in_javascript = False
+
+        between_tags_regex = re.compile(
+            rf"<(\/?\w+)[^>]*>.*?{random_string}.*?<\/?\w+>"
+        )  # The between tags context is when the injection occurs between HTML tags
+        in_tag_attribute_regex = re.compile(
+            rf'<(\w+)\s+[^>]*?(\w+)="([^"]*?{random_string}[^"]*?)"[^>]*>'
+        )  # The in tag attribute context is when the injection occurs in an attribute of an HTML tag
+        in_javascript_regex = re.compile(
+            rf"<script\b[^>]*>[^<]*(?:<(?!\/script>)[^<]*)*{random_string}[^<]*(?:<(?!\/script>)[^<]*)*<\/script>"
+        )  # The in javascript context is when the injection occurs within a <script> tag
+
+        between_tags_match = await self.lightfuzz.helpers.re.search(between_tags_regex, html)
+        if between_tags_match:
+            between_tags = True
+
+        in_tag_attribute_match = await self.lightfuzz.helpers.re.search(in_tag_attribute_regex, html)
+        if in_tag_attribute_match:
+            in_tag_attribute = True
+
+        in_javascript_match = await self.lightfuzz.helpers.re.search(in_javascript_regex, html)
+        if in_javascript_match:
+            in_javascript = True
+
+        return between_tags, in_tag_attribute, in_javascript
+
+    async def determine_javascript_quote_context(self, target, text):
+        # Define and compile regex patterns for double and single quotes
+        quote_patterns = {"double": re.compile(f'"[^"]*{target}[^"]*"'), "single": re.compile(f"'[^']*{target}[^']*'")}
+
+        # Split the text by semicolons to isolate JavaScript statements
+        statements = text.split(";")
+
+        # This function checks if the target string is balanced within a JavaScript statement
+        def is_balanced(section, target_index, quote_char):
+            left = section[:target_index]
+            right = section[target_index + len(target) :]
+            return left.count(quote_char) % 2 == 0 and right.count(quote_char) % 2 == 0
+
+        # For each javascript statement, attempt to determine the type of quote we are within, and therefore what will enable breaking out of it to result in a successful XSS
+        for statement in statements:
+            for quote_type, pattern in quote_patterns.items():
+                match = await self.lightfuzz.helpers.re.search(pattern, statement)
+                if match:
+                    context = match.group(0)
+                    target_index = context.find(target)
+                    opposite_quote = "'" if quote_type == "double" else '"'
+                    if is_balanced(context, target_index, opposite_quote):
+                        return quote_type
+        # If we have no matches, the target string is most likely not within quotes
+        return "outside"
+
+    async def check_probe(self, cookies, probe, match, context):
+        # Send the defined probe and look for the expected match value in the response
+        probe_result = await self.standard_probe(self.event.data["type"], cookies, probe)
+        if probe_result and match in probe_result.text:
+            self.results.append(
+                {
+                    "type": "FINDING",
+                    "description": f"Possible Reflected XSS. Parameter: [{self.event.data['name']}] Context: [{context}] Parameter Type: [{self.event.data['type']}]",
+                }
+            )
+            return True
+        return False
+
+    async def fuzz(self):
+        lightfuzz_event = self.event.parent
+        cookies = self.event.data.get("assigned_cookies", {})
+
+        # If this came from paramminer_getparams and didn't have a http_reflection tag, we don't need to check again
+        if (
+            lightfuzz_event.type == "WEB_PARAMETER"
+            and str(lightfuzz_event.module) == "paramminer_getparams"
+            and "http-reflection" not in lightfuzz_event.tags
+        ):
+            self.debug("Got WEB_PARAMETER from paramminer, with no reflection tag - xss is not possible, aborting")
+            return
+
+        reflection = None
+        random_string = self.lightfuzz.helpers.rand_string(8)
+
+        reflection_probe_result = await self.standard_probe(self.event.data["type"], cookies, random_string)
+        # before continuing, check if the random string is reflected in the response - a prerequisite for XSS
+        if reflection_probe_result and random_string in reflection_probe_result.text:
+            reflection = True
+
+        if not reflection or reflection is False:
+            return
+
+        between_tags, in_tag_attribute, in_javascript = await self.determine_context(
+            cookies, reflection_probe_result.text, random_string
+        )
+        self.debug(
+            f"determine_context returned: between_tags [{between_tags}], in_tag_attribute [{in_tag_attribute}], in_javascript [{in_javascript}]"
+        )
+        tags = [
+            "z",
+            "svg",
+            "img",
+        ]  # These represent easy to exploit tags, along with an arbitrary tag which is less likely to be blocked
+        if between_tags:
+            for tag in tags:
+                between_tags_probe = f"<{tag}>{random_string}</{tag}>"
+                result = await self.check_probe(
+                    cookies, between_tags_probe, between_tags_probe, f"Between Tags ({tag} tag)"
+                )  # After reflection in the HTTP response, did the tags survive without url-encoding or other sanitization/escaping?
+                if result is True:
+                    break
+
+        if in_tag_attribute:
+            in_tag_attribute_probe = f'{random_string}"'
+            in_tag_attribute_match = f'{random_string}"'
+            await self.check_probe(
+                cookies, in_tag_attribute_probe, in_tag_attribute_match, "Tag Attribute"
+            )  # After reflection in the HTTP response, did the quote survive without url-encoding or other sanitization/escaping?
+
+            in_tag_attribute_probe = f'{random_string}"'
+            in_tag_attribute_match = f'"{random_string}""'
+            await self.check_probe(
+                cookies, in_tag_attribute_probe, in_tag_attribute_match, "Tag Attribute (autoquote)"
+            )  # After reflection in the HTTP response, did the quote survive without url-encoding or other sanitization/escaping (and account for auto-quoting)
+
+            in_tag_attribute_probe = f"javascript:{random_string}"
+            in_tag_attribute_match = f'action="javascript:{random_string}'
+            await self.check_probe(
+                cookies, in_tag_attribute_probe, in_tag_attribute_match, "Form Action Injection"
+            )  # After reflection in the HTTP response, did the javascript sch
+
+        if in_javascript:
+            in_javascript_probe = rf"</script><script>{random_string}</script>"
+            result = await self.check_probe(
+                cookies, in_javascript_probe, in_javascript_probe, "In Javascript"
+            )  # After reflection in the HTTP response, did the script tags survive without url-encoding or other sanitization/escaping?
+            if result is False:
+                # To attempt this technique, we need to determine the type of quote we are within
+                quote_context = await self.determine_javascript_quote_context(
+                    random_string, reflection_probe_result.text
+                )
+
+                # Skip the test if the context is outside
+                if quote_context == "outside":
+                    return
+
+                # Update probes based on the quote context
+                if quote_context == "single":
+                    in_javascript_escape_probe = rf"a\';zzzzz({random_string})\\"
+                    in_javascript_escape_match = rf"a\\';zzzzz({random_string})\\"
+                elif quote_context == "double":
+                    in_javascript_escape_probe = rf"a\";zzzzz({random_string})\\"
+                    in_javascript_escape_match = rf'a\\";zzzzz({random_string})\\'
+
+                await self.check_probe(
+                    cookies,
+                    in_javascript_escape_probe,
+                    in_javascript_escape_match,
+                    f"In Javascript (escaping the escape character, {quote_context} quote)",
+                )

bbot/modules/{deadly/nuclei.py → nuclei.py}

@@ -7,7 +7,7 @@ from bbot.modules.base import BaseModule
 class nuclei(BaseModule):
     watched_events = ["URL"]
     produced_events = ["FINDING", "VULNERABILITY", "TECHNOLOGY"]
-    flags = ["active", "aggressive"]
+    flags = ["active", "aggressive", "deadly"]
     meta = {
         "description": "Fast and customisable vulnerability scanner",
         "created_date": "2022-03-12",

bbot/modules/paramminer_headers.py

@@ -52,6 +52,7 @@ class paramminer_headers(BaseModule):
         "javascript",
         "keep-alive",
         "label",
+        "max-forwards",
         "negotiate",
         "proxy",
         "range",
@@ -148,6 +149,7 @@ class paramminer_headers(BaseModule):
                     "type": paramtype,
                     "description": description,
                     "name": result,
+                    "original_value": None,
                 },
                 "WEB_PARAMETER",
                 event,

bbot/modules/reflected_parameters.py

@@ -0,0 +1,80 @@
+from bbot.modules.base import BaseModule
+
+
+class reflected_parameters(BaseModule):
+    watched_events = ["WEB_PARAMETER"]
+    produced_events = ["FINDING"]
+    flags = ["active", "safe", "web-thorough"]
+    meta = {
+        "description": "Highlight parameters that reflect their contents in response body",
+        "author": "@liquidsec",
+        "created_date": "2024-10-29",
+    }
+
+    async def handle_event(self, event):
+        url = event.data.get("url")
+        reflection_detected = await self.detect_reflection(event, url)
+
+        if reflection_detected:
+            param_type = event.data.get("type", "UNKNOWN")
+            description = (
+                f"[{param_type}] Parameter value reflected in response body. Name: [{event.data['name']}] "
+                f"Source Module: [{str(event.module)}]"
+            )
+            if event.data.get("original_value"):
+                description += (
+                    f" Original Value: [{self.helpers.truncate_string(str(event.data['original_value']), 200)}]"
+                )
+            data = {"host": str(event.host), "description": description, "url": url}
+            await self.emit_event(data, "FINDING", event)
+
+    async def detect_reflection(self, event, url):
+        """Detects reflection by sending a probe with a random value and a canary parameter."""
+        probe_parameter_name = event.data["name"]
+        probe_parameter_value = self.helpers.rand_string()
+        canary_parameter_value = self.helpers.rand_string()
+        probe_response = await self.send_probe_with_canary(
+            event,
+            probe_parameter_name,
+            probe_parameter_value,
+            canary_parameter_value,
+            cookies=event.data.get("assigned_cookies", {}),
+            timeout=10,
+        )
+
+        # Check if the probe parameter value is reflected AND the canary is not
+        if probe_response:
+            response_text = probe_response.text
+            reflection_result = probe_parameter_value in response_text and canary_parameter_value not in response_text
+            return reflection_result
+        return False
+
+    async def send_probe_with_canary(self, event, parameter_name, parameter_value, canary_value, cookies, timeout=10):
+        method = "GET"
+        url = event.data["url"]
+        headers = {}
+        data = None
+        json_data = None
+        params = {parameter_name: parameter_value, "c4n4ry": canary_value}
+
+        if event.data["type"] == "GETPARAM":
+            url = f"{url}?{parameter_name}={parameter_value}&c4n4ry={canary_value}"
+        elif event.data["type"] == "COOKIE":
+            cookies.update(params)
+        elif event.data["type"] == "HEADER":
+            headers.update(params)
+        elif event.data["type"] == "POSTPARAM":
+            method = "POST"
+            data = params
+        elif event.data["type"] == "BODYJSON":
+            method = "POST"
+            json_data = params
+
+        self.debug(
+            f"Sending {method} request to {url} with headers: {headers}, cookies: {cookies}, data: {data}, json: {json_data}"
+        )
+
+        response = await self.helpers.request(
+            method=method, url=url, headers=headers, cookies=cookies, data=data, json=json_data, timeout=timeout
+        )
+        return response

bbot/modules/{deadly/vhost.py → vhost.py}

@@ -1,13 +1,13 @@
 import base64
 from urllib.parse import urlparse
 
-from bbot.modules.deadly.ffuf import ffuf
+from bbot.modules.ffuf import ffuf
 
 
 class vhost(ffuf):
     watched_events = ["URL"]
     produced_events = ["VHOST", "DNS_NAME"]
-    flags = ["active", "aggressive", "slow"]
+    flags = ["active", "aggressive", "slow", "deadly"]
     meta = {"description": "Fuzz for virtual hosts", "created_date": "2022-05-02", "author": "@liquidsec"}
 
     special_vhost_list = ["127.0.0.1", "localhost", "host.docker.internal"]

bbot/presets/web/lightfuzz-heavy.yml

@@ -0,0 +1,16 @@
+description: Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery.
+
+include:
+  - lightfuzz-medium
+
+flags:
+  - web-paramminer
+
+modules:
+  - robots
+
+config:
+  modules:
+    lightfuzz:
+      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]
+      disable_post: False

bbot/presets/web/lightfuzz-light.yml

@@ -0,0 +1,20 @@
+description: Discover web parameters and lightly fuzz them for vulnerabilities, with only the most common vulnerabilities and minimal extra modules. Safest to run alongside larger scans.
+
+modules:
+  - httpx
+  - lightfuzz
+  - portfilter
+  
+config:
+  url_querystring_remove: False # don't strip off the querystring (BBOT normally does this; but lightfuzz needs it)
+  url_querystring_collapse: True # in cases where the same parameter has multiple values, collapse them into a single parameter to save on fuzzing attempts
+  modules:
+    lightfuzz:
+      enabled_submodules: [path,sqli,xss] # only look for the most common vulnerabilities
+      disable_post: True # don't send POST requests (less aggressive)
+
+conditions:
+- |
+  {% if config.web.spider_distance == 0 %}
+    {{ warn("Lightfuzz works much better with spider enabled! Consider adding 'spider' or 'spider-intense' preset.") }}
+  {% endif %}

bbot/presets/web/lightfuzz-medium.yml

@@ -0,0 +1,14 @@
+description: Discover web parameters and lightly fuzz them for vulnerabilities. Uses all lightfuzz modules, without some of the more intense discovery techniques. Does not send POST requests. This is the default lightfuzz preset; if you're not sure which one to use, this is a good starting point.
+
+include:
+  - lightfuzz-light
+
+modules:
+  - badsecrets
+  - hunt
+  - reflected_parameters
+  
+config:
+  modules:
+    lightfuzz:
+      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]

bbot/presets/web/lightfuzz-superheavy.yml

@@ -0,0 +1,13 @@
+description: Discover web parameters and lightly fuzz them for vulnerabilities, with the most intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, adds paramminer modules for parameter discovery, and tests each unique parameter-value instance individually.
+
+include:
+  - lightfuzz-heavy
+
+config:
+  url_querystring_collapse: False # in cases where the same parameter is observed multiple times, fuzz them individually instead of collapsing them into a single parameter
+  modules:
+    lightfuzz:
+      force_common_headers: True # Fuzz common headers like X-Forwarded-For even if they're not observed on the target
+      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]
+    excavate:
+      speculate_params: True # speculate potential parameters extracted from JSON/XML web responses

bbot/presets/web/lightfuzz-xss.yml

@@ -0,0 +1,22 @@
+description: Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module.
+
+modules:
+  - httpx
+  - lightfuzz
+  - paramminer_getparams
+  - reflected_parameters
+  - portfilter
+  
+config:
+  url_querystring_remove: False
+  url_querystring_collapse: False
+  modules:
+    lightfuzz:
+      enabled_submodules: [xss]
+      disable_post: True
+
+conditions:
+  - |
+    {% if config.web.spider_distance == 0 %}
+      {{ warn("The lightfuzz-xss preset works much better with spider enabled! Consider adding 'spider' or 'spider-intense' preset.") }}
+    {% endif %}

bbot/presets/web/paramminer.yml

@@ -1,12 +1,15 @@
-description: Discover new web parameters via brute-force
+description: Discover new web parameters via brute-force, and analyze them with additional modules
 
 flags:
   - web-paramminer
 
 modules:
   - httpx
+  - reflected_parameters
+  - hunt
 
-config:
-  web:
-    spider_distance: 1
-    spider_depth: 4
+conditions:
+  - |
+    {% if config.web.spider_distance == 0 %}
+      {{ warn("The paramminer preset works much better with spider enabled! Consider adding 'spider' or 'spider-intense' preset.") }}
+    {% endif %}

bbot/scanner/preset/args.py

@@ -168,6 +168,9 @@ class BBOTArgs:
         if self.parsed.custom_headers:
             args_preset.core.merge_custom({"web": {"http_headers": self.parsed.custom_headers}})
 
+        if self.parsed.custom_cookies:
+            args_preset.core.merge_custom({"web": {"http_cookies": self.parsed.custom_cookies}})
+
         if self.parsed.custom_yara_rules:
             args_preset.core.merge_custom(
                 {"modules": {"excavate": {"custom_yara_rules": self.parsed.custom_yara_rules}}}
@@ -375,6 +378,13 @@ class BBOTArgs:
             default=[],
             help="List of custom headers as key value pairs (header=value).",
         )
+        misc.add_argument(
+            "-C",
+            "--custom-cookies",
+            nargs="+",
+            default=[],
+            help="List of custom cookies as key value pairs (cookie=value).",
+        )
         misc.add_argument("--custom-yara-rules", "-cy", help="Add custom yara rules to excavate")
 
         misc.add_argument("--user-agent", "-ua", help="Set the user-agent for all HTTP requests")
@@ -420,6 +430,22 @@ class BBOTArgs:
             custom_headers_dict[k] = v
         self.parsed.custom_headers = custom_headers_dict
 
+        # Custom Cookie Parsing / Validation
+        custom_cookies_dict = {}
+        custom_cookie_example = "Example: --custom-cookies foo=bar foo2=bar2"
+
+        for i in self.parsed.custom_cookies:
+            parts = i.split("=", 1)
+            if len(parts) != 2:
+                raise ValidationError(f"Custom cookies not formatted correctly (missing '='). {custom_cookie_example}")
+            k, v = parts
+            if not k or not v:
+                raise ValidationError(
+                    f"Custom cookies not formatted correctly (missing cookie name or value). {custom_cookie_example}"
+                )
+            custom_cookies_dict[k] = v
+        self.parsed.custom_cookies = custom_cookies_dict
+
         # --fast-mode
         if self.parsed.fast_mode:
             self.parsed.preset += ["fast"]

bbot/scanner/preset/path.py

@@ -6,6 +6,7 @@ from bbot.errors import *
 log = logging.getLogger("bbot.presets.path")
 
 DEFAULT_PRESET_PATH = Path(__file__).parent.parent.parent / "presets"
+DEFAULT_PRESET_PATH = DEFAULT_PRESET_PATH.expanduser().resolve()
 
 
 class PresetPath:
@@ -17,7 +18,7 @@ class PresetPath:
         self.paths = [DEFAULT_PRESET_PATH]
 
     def find(self, filename):
-        filename_path = Path(filename).resolve()
+        filename_path = Path(filename).expanduser().resolve()
         extension = filename_path.suffix.lower()
         file_candidates = set()
         extension_candidates = {".yaml", ".yml"}
@@ -29,16 +30,12 @@ class PresetPath:
             file_candidates.add(f"{filename_path.stem}{ext}")
         file_candidates = sorted(file_candidates)
         file_candidates_str = ",".join([str(s) for s in file_candidates])
-        paths_to_search = self.paths
         if "/" in str(filename):
-            if filename_path.parent not in paths_to_search:
-                paths_to_search.append(filename_path.parent)
-        log.debug(
-            f"Searching for preset in {[str(p) for p in paths_to_search]}, file candidates: {file_candidates_str}"
-        )
-        for path in paths_to_search:
+            self.add_path(filename_path.parent)
+        log.debug(f"Searching for {file_candidates_str} in {[str(p) for p in self.paths]}")
+        for path in self.paths:
             for candidate in file_candidates:
-                for file in path.rglob(candidate):
+                for file in path.rglob(f"**/{candidate}"):
                     if file.is_file():
                         log.verbose(f'Found preset matching "{filename}" at {file}')
                         self.add_path(file.parent)
@@ -51,14 +48,19 @@ class PresetPath:
         return ":".join([str(s) for s in self.paths])
 
     def add_path(self, path):
-        path = Path(path).resolve()
+        path = Path(path).expanduser().resolve()
+        # skip if already in paths
         if path in self.paths:
             return
+        # skip if path is a subdirectory of any path in paths
         if any(path.is_relative_to(p) for p in self.paths):
             return
+        # skip if path is not a directory
         if not path.is_dir():
             log.debug(f'Path "{path.resolve()}" is not a directory')
             return
+        # preemptively remove any paths that are subdirectories of the new path
+        self.paths = [p for p in self.paths if not p.is_relative_to(path)]
         self.paths.append(path)
 
     def __iter__(self):