bbot 2.4.2.6596rc0__tar.gz → 2.4.2.6611rc0__tar.gz

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: bbot
-Version: 2.4.2.6596rc0
+Version: 2.4.2.6611rc0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/bbot/__init__.py

@@ -1,5 +1,5 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.4.2.6596rc"
+__version__ = "v2.4.2.6611rc"
 
 from .scanner import Scanner, Preset
 

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/bbot/modules/internal/excavate.py

@@ -5,7 +5,7 @@ import time
 import inspect
 import regex as re
 from pathlib import Path
-from bbot.errors import ExcavateError
+from bbot.errors import ExcavateError, ValidationError
 import bbot.core.helpers.regexes as bbot_regexes
 from bbot.modules.base import BaseInterceptModule
 from bbot.modules.internal.base import BaseInternalModule
@@ -622,14 +622,15 @@ class excavate(BaseInternalModule, BaseInterceptModule):
                                 base_url += f"?{event.parsed_url.query}"
                             url = urljoin(base_url, endpoint)
 
+                        try:
+                            # Validate the URL before using it
+                            parsed_url = self.excavate.helpers.validators.validate_url_parsed(url)
+                        except (ValidationError, ValueError) as e:
+                            self.excavate.debug(f"Invalid URL [{url}]: {e}")
+                            continue
+
                         if self.excavate.helpers.validate_parameter(parameter_name, parameter_type):
                             if self.excavate.in_bl(parameter_name) is False:
-                                parsed_url = urlparse(url)
-                                if not parsed_url.hostname:
-                                    self.excavate.warning(
-                                        f"Error Parsing reconstructed URL [{url}] during parameter extraction, missing hostname"
-                                    )
-                                    continue
                                 description = f"HTTP Extracted Parameter [{parameter_name}] ({parameterExtractorSubModule.name} Submodule)"
                                 data = {
                                     "host": parsed_url.hostname,
@@ -848,45 +849,51 @@ class excavate(BaseInternalModule, BaseInterceptModule):
                 urls_found = 0
                 final_url = ""
                 for url_str in results:
-                    if identifier == "url_full":
-                        if not await self.helpers.re.search(self.full_url_regex, url_str):
+                    try:
+                        if identifier == "url_full":
+                            if not await self.helpers.re.search(self.full_url_regex, url_str):
+                                self.excavate.debug(
+                                    f"Rejecting potential full URL [{url_str}] as did not match full_url_regex"
+                                )
+                                continue
+                            final_url = url_str
+                            self.excavate.debug(f"Discovered Full URL [{final_url}]")
+
+                        elif identifier == "url_attr" and hasattr(event, "parsed_url"):
+                            m = await self.helpers.re.search(self.tag_attribute_regex, url_str)
+                            if not m:
+                                self.excavate.debug(
+                                    f"Rejecting potential attribute URL [{url_str}] as did not match tag_attribute_regex"
+                                )
+                                continue
+                            unescaped_url = html.unescape(m.group(1))
+                            source_url = event.parsed_url.geturl()
+                            final_url = urldefrag(urljoin(source_url, unescaped_url)).url
+                            if not await self.helpers.re.search(self.full_url_regex_strict, final_url):
+                                self.excavate.debug(
+                                    f"Rejecting reconstructed URL [{final_url}] as did not match full_url_regex_strict"
+                                )
+                                continue
                             self.excavate.debug(
-                                f"Rejecting potential full URL [{url_str}] as did not match full_url_regex"
+                                f"Reconstructed Full URL [{final_url}] from extracted relative URL [{unescaped_url}] "
                             )
-                            continue
-                        final_url = url_str
 
-                        self.excavate.debug(f"Discovered Full URL [{final_url}]")
-                    elif identifier == "url_attr" and hasattr(event, "parsed_url"):
-                        m = await self.helpers.re.search(self.tag_attribute_regex, url_str)
-                        if not m:
-                            self.excavate.debug(
-                                f"Rejecting potential attribute URL [{url_str}] as did not match tag_attribute_regex"
+                        if final_url:
+                            # Validate the URL before using it
+                            self.excavate.helpers.validators.validate_url_parsed(final_url)
+                            if self.excavate.scan.in_scope(final_url):
+                                urls_found += 1
+                            await self.report(
+                                final_url,
+                                event,
+                                yara_rule_settings,
+                                discovery_context,
+                                event_type="URL_UNVERIFIED",
+                                urls_found=urls_found,
                             )
-                            continue
-                        unescaped_url = html.unescape(m.group(1))
-                        source_url = event.parsed_url.geturl()
-                        final_url = urldefrag(urljoin(source_url, unescaped_url)).url
-                        if not await self.helpers.re.search(self.full_url_regex_strict, final_url):
-                            self.excavate.debug(
-                                f"Rejecting reconstructed URL [{final_url}] as did not match full_url_regex_strict"
-                            )
-                            continue
-                        self.excavate.debug(
-                            f"Reconstructed Full URL [{final_url}] from extracted relative URL [{unescaped_url}] "
-                        )
-
-                    if final_url:
-                        if self.excavate.scan.in_scope(final_url):
-                            urls_found += 1
-                        await self.report(
-                            final_url,
-                            event,
-                            yara_rule_settings,
-                            discovery_context,
-                            event_type="URL_UNVERIFIED",
-                            urls_found=urls_found,
-                        )
+                    except (ValidationError, ValueError) as e:
+                        self.excavate.debug(f"Invalid URL [{url_str if not final_url else final_url}]: {e}")
+                        continue
 
         async def report_prep(self, event_data, event_type, event, tags, **kwargs):
             event_draft = self.excavate.make_event(event_data, event_type, parent=event)
@@ -1114,7 +1121,10 @@ class excavate(BaseInternalModule, BaseInterceptModule):
 
                 # Check if rule processing function exists
                 if rule_name in self.yara_preprocess_dict:
-                    await self.yara_preprocess_dict[rule_name](result, event, discovery_context)
+                    try:
+                        await self.yara_preprocess_dict[rule_name](result, event, discovery_context)
+                    except ValidationError as e:
+                        self.debug(f"ValidationError in rule {rule_name} for result {result}: {e}")
                 else:
                     self.hugewarning(f"YARA Rule {rule_name} not found in pre-compiled rules")
 

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/bbot/modules/lightfuzz/submodules/serial.py

@@ -22,7 +22,7 @@ class serial(BaseLightfuzz):
     CONTROL_PAYLOAD_PHP_RAW = "z:0:{}"
 
     BASE64_SERIALIZATION_PAYLOADS = {
-        "php_base64": "YTowOnt9",
+        "php_base64": "YToxOntpOjA7aToxO30=",
         "java_base64": "rO0ABXNyABFqYXZhLmxhbmcuQm9vbGVhbs0gcoDVnPruAgABWgAFdmFsdWV4cAA=",
         "java_base64_string_error": "rO0ABXQABHRlc3Q=",
         "java_base64_OptionalDataException": "rO0ABXcEAAAAAAEAAAABc3IAEGphdmEudXRpbC5IYXNoTWFwAAAAAAAAAAECAAJMAARrZXkxYgABAAAAAAAAAAJ4cHcBAAAAB3QABHRlc3Q=",

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/bbot/test/test_step_2/module_tests/base.py

@@ -91,9 +91,9 @@ class ModuleTestBase:
     async def module_test(
         self, httpx_mock, bbot_httpserver, bbot_httpserver_ssl, monkeypatch, request, caplog, capsys
     ):
-        # Skip dastardly test if we're in the distro tests (because dastardly uses docker)
+        # If a test uses docker, we can't run it in the distro tests
         if os.getenv("BBOT_DISTRO_TESTS") and self.skip_distro_tests:
-            pytest.skip("Skipping module_test for dastardly module due to BBOT_DISTRO_TESTS environment variable")
+            pytest.skip("Skipping test since it uses docker")
 
         self.log.info(f"Starting {self.name} module test")
         module_test = self.ModuleTest(

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/bbot/test/test_step_2/module_tests/test_module_excavate.py

@@ -1418,3 +1418,17 @@ class TestExcavateBadURLs(ModuleTestBase):
 
         url_events = [e for e in events if e.type == "URL_UNVERIFIED"]
         assert sorted([e.data for e in url_events]) == sorted(["https://ssl/", "http://127.0.0.1:8888/"])
+
+
+class TestExcavateURL_InvalidPort(TestExcavate):
+    modules_overrides = ["excavate", "httpx", "hunt"]
+
+    async def setup_before_prep(self, module_test):
+        # Test URL with invalid port (greater than 65535)
+        module_test.httpserver.expect_request("/").respond_with_data(
+            '<div><img loading="lazy" src="https://asdffoo.test.notreal:9212952841/whatever.jpg" width="576" height="382" alt="...." /></div>'
+        )
+
+    def check(self, module_test, events):
+        # Verify we got the hostname
+        assert any(e.data == "asdffoo.test.notreal" for e in events)

{bbot-2.4.2.6596rc0 → bbot-2.4.2.6611rc0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bbot"
-version = "v2.4.2.6596rc"
+version = "v2.4.2.6611rc"
 description = "OSINT automation for hackers."
 authors = [
     "TheTechromancer",

bbot-2.4.2.6596rc0/bbot/modules/dastardly.py

@@ -1,137 +0,0 @@
-from lxml import etree
-from bbot.modules.base import BaseModule
-
-
-class dastardly(BaseModule):
-    watched_events = ["HTTP_RESPONSE"]
-    produced_events = ["FINDING", "VULNERABILITY"]
-    flags = ["active", "aggressive", "slow", "web-thorough", "deadly"]
-    meta = {
-        "description": "Lightweight web application security scanner",
-        "created_date": "2023-12-11",
-        "author": "@domwhewell-sage",
-    }
-
-    deps_pip = ["lxml~=5.3.0"]
-    deps_common = ["docker"]
-    per_hostport_only = True
-
-    default_discovery_context = "{module} performed a light web scan against {event.parent.data['url']} and discovered {event.data['description']} at {event.data['url']}"
-
-    async def setup(self):
-        await self.run_process("systemctl", "start", "docker", sudo=True)
-        await self.run_process("docker", "pull", "public.ecr.aws/portswigger/dastardly:latest", sudo=True)
-        self.output_dir = self.scan.home / "dastardly"
-        self.helpers.mkdir(self.output_dir)
-        return True
-
-    async def filter_event(self, event):
-        # Reject redirects. This helps to avoid scanning the same site twice.
-        is_redirect = str(event.data["status_code"]).startswith("30")
-        if is_redirect:
-            return False, "URL is a redirect"
-        return True
-
-    async def handle_event(self, event):
-        host = event.parsed_url._replace(path="/").geturl()
-        self.verbose(f"Running Dastardly scan against {host}")
-        command, output_file = self.construct_command(host)
-        finished_proc = await self.run_process(command, sudo=True)
-        self.debug(f"dastardly stdout: {getattr(finished_proc, 'stdout', '')}")
-        self.debug(f"dastardly stderr: {getattr(finished_proc, 'stderr', '')}")
-        for testsuite in self.parse_dastardly_xml(output_file):
-            url = testsuite.endpoint
-            for testcase in testsuite.testcases:
-                for failure in testcase.failures:
-                    if failure.severity == "Info":
-                        await self.emit_event(
-                            {
-                                "host": str(event.host),
-                                "url": url,
-                                "description": failure.instance,
-                            },
-                            "FINDING",
-                            event,
-                            context=f"{{module}} executed web scan against {host} and identified {{event.type}}: {failure.instance}",
-                        )
-                    else:
-                        await self.emit_event(
-                            {
-                                "severity": failure.severity,
-                                "host": str(event.host),
-                                "url": url,
-                                "description": failure.instance,
-                            },
-                            "VULNERABILITY",
-                            event,
-                            context=f"{{module}} executed web scan against {host} and identified {failure.severity.lower()} {{event.type}}: {failure.instance}",
-                        )
-
-    def construct_command(self, target):
-        date_time = self.helpers.make_date()
-        file_name = self.helpers.tagify(target)
-        temp_path = self.output_dir / f"{date_time}_{file_name}.xml"
-        command = [
-            "docker",
-            "run",
-            "--user",
-            "0",
-            "--rm",
-            "-v",
-            f"{self.output_dir}:/dastardly",
-            "-e",
-            f"BURP_START_URL={target}",
-            "-e",
-            f"BURP_REPORT_FILE_PATH=/dastardly/{temp_path.name}",
-            "public.ecr.aws/portswigger/dastardly:latest",
-        ]
-        return command, temp_path
-
-    def parse_dastardly_xml(self, xml_file):
-        try:
-            with open(xml_file, "rb") as f:
-                et = etree.parse(f, parser=etree.XMLParser(recover=True, resolve_entities=False))
-                for testsuite in et.iter("testsuite"):
-                    yield TestSuite(testsuite)
-        except FileNotFoundError:
-            self.debug(f"Could not find Dastardly XML file at {xml_file}")
-        except OSError as e:
-            self.verbose(f"Error opening Dastardly XML file at {xml_file}: {e}")
-        except etree.ParseError as e:
-            self.warning(f"Error parsing Dastardly XML at {xml_file}: {e}")
-
-
-class Failure:
-    def __init__(self, xml):
-        self.etree = xml
-
-        # instance information
-        self.instance = self.etree.attrib.get("message", "")
-        self.severity = self.etree.attrib.get("type", "")
-        self.text = self.etree.text
-
-
-class TestCase:
-    def __init__(self, xml):
-        self.etree = xml
-
-        # title information
-        self.title = self.etree.attrib.get("name", "")
-
-        # findings / failures(as dastardly names them)
-        self.failures = []
-        for failure in self.etree.findall("failure"):
-            self.failures.append(Failure(failure))
-
-
-class TestSuite:
-    def __init__(self, xml):
-        self.etree = xml
-
-        # endpoint information
-        self.endpoint = self.etree.attrib.get("name", "")
-
-        # test cases
-        self.testcases = []
-        for testcase in self.etree.findall("testcase"):
-            self.testcases.append(TestCase(testcase))

bbot-2.4.2.6596rc0/bbot/test/test_step_2/module_tests/test_module_dastardly.py

@@ -1,70 +0,0 @@
-import json
-from werkzeug import Response
-
-from .base import ModuleTestBase
-
-
-class TestDastardly(ModuleTestBase):
-    targets = ["http://127.0.0.1:5556/"]
-    modules_overrides = ["httpx", "dastardly"]
-    skip_distro_tests = True
-
-    web_response = """<!DOCTYPE html>
-    <html>
-    <body>
-        <a href="/test?test=yes">visit this<a/>
-    </body>
-    </html>"""
-
-    def xss_handler(self, request):
-        response = f"""<!DOCTYPE html>
-    <html>
-    <head>
-        <title>Email Form</title>
-    </head>
-    <body>
-        {request.args.get("test", "")}
-    </body>
-    </html>"""
-        return Response(response, content_type="text/html")
-
-    async def get_docker_ip(self, module_test):
-        docker_ip = "172.17.0.1"
-        try:
-            ip_output = await module_test.scan.helpers.run(["ip", "-j", "-4", "a", "show", "dev", "docker0"])
-            interface_json = json.loads(ip_output.stdout)
-            docker_ip = interface_json[0]["addr_info"][0]["local"]
-        except Exception:
-            pass
-        return docker_ip
-
-    async def setup_after_prep(self, module_test):
-        httpserver = module_test.request_fixture.getfixturevalue("bbot_httpserver_allinterfaces")
-        httpserver.expect_request("/").respond_with_data(self.web_response)
-        httpserver.expect_request("/test").respond_with_handler(self.xss_handler)
-
-        # get docker IP
-        docker_ip = await self.get_docker_ip(module_test)
-        module_test.scan.target.seeds.add(docker_ip)
-
-        # replace 127.0.0.1 with docker host IP to allow dastardly access to local http server
-        old_filter_event = module_test.module.filter_event
-
-        def new_filter_event(event):
-            self.new_url = f"http://{docker_ip}:5556/"
-            event.data["url"] = self.new_url
-            event.parsed_url = module_test.scan.helpers.urlparse(self.new_url)
-            return old_filter_event(event)
-
-        module_test.monkeypatch.setattr(module_test.module, "filter_event", new_filter_event)
-
-    def check(self, module_test, events):
-        assert 1 == len(
-            [
-                e
-                for e in events
-                if e.type == "VULNERABILITY"
-                and f"{self.new_url}test" in e.data["description"]
-                and "Cross-site scripting".lower() in e.data["description"].lower()
-            ]
-        )