bbot 2.4.2__py3-none-any.whl → 2.4.2.6590rc0__py3-none-any.whl

bbot/test/test_step_2/module_tests/test_module_paramminer_getparams.py

@@ -194,7 +194,10 @@ class TestParamminer_Getparams_xmlspeculative(Paramminer_Headers):
     targets = ["http://127.0.0.1:8888/"]
     modules_overrides = ["httpx", "excavate", "paramminer_getparams"]
     config_overrides = {
-        "modules": {"paramminer_getparams": {"wordlist": tempwordlist(["data", "common"]), "recycle_words": False}}
+        "modules": {
+            "excavate": {"speculate_params": True},
+            "paramminer_getparams": {"wordlist": tempwordlist(["data", "common"]), "recycle_words": False},
+        }
     }
     getparam_extract_xml = """
     <data>

bbot/test/test_step_2/module_tests/test_module_paramminer_headers.py

@@ -27,7 +27,7 @@ class Paramminer_Headers(ModuleTestBase):
     """
 
     async def setup_after_prep(self, module_test):
-        module_test.scan.modules["paramminer_headers"].rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
+        module_test.scan.modules["paramminer_headers"].helpers.rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
         module_test.monkeypatch.setattr(
             helper.HttpCompare, "gen_cache_buster", lambda *args, **kwargs: {"AAAAAA": "1"}
         )
@@ -108,7 +108,7 @@ class TestParamminer_Headers_extract(Paramminer_Headers):
     """
 
     async def setup_after_prep(self, module_test):
-        module_test.scan.modules["paramminer_headers"].rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
+        module_test.scan.modules["paramminer_headers"].helpers.rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
         module_test.monkeypatch.setattr(
             helper.HttpCompare, "gen_cache_buster", lambda *args, **kwargs: {"AAAAAA": "1"}
         )
@@ -153,3 +153,47 @@ class TestParamminer_Headers_extract_norecycle(TestParamminer_Headers_extract):
         assert not excavate_extracted_web_parameter, (
             "Excavate extract WEB_PARAMETER despite disabling parameter extraction"
         )
+
+
+class TestParamminer_Headers_NoCookieRetention(Paramminer_Headers):
+    async def setup_after_prep(self, module_test):
+        module_test.scan.modules["paramminer_headers"].helpers.rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
+        module_test.monkeypatch.setattr(
+            helper.HttpCompare, "gen_cache_buster", lambda *args, **kwargs: {"AAAAAA": "1"}
+        )
+
+        expect_args = {"headers": {"tracestate": "AAAAAAAAAAAAAA"}}
+        respond_args = {"response_data": self.headers_body_match}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        headers_body_with_cookie = """
+        <html>
+        <title>the title</title>
+        <body>
+        <p>Hello with cookie!</p>';
+        </body>
+        </html>
+        """
+        expect_args = {"headers": {"Cookie": "test_cookie=cookie_value; AAAAAAAAAAAAAA=AAAAAAAAAAAAAA"}}
+        respond_args_with_cookie_body_change = {"response_data": headers_body_with_cookie}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args_with_cookie_body_change)
+
+        respond_args_default = {
+            "response_data": self.headers_body,
+            "headers": {"set-cookie": "test_cookie=cookie_value"},
+        }
+        module_test.set_expect_requests(respond_args=respond_args_default)
+
+    def check(self, module_test, events):
+        found_web_parameter = False
+        found_web_parameter_false_positive = False
+
+        for e in events:
+            if e.type == "WEB_PARAMETER":
+                if "[Paramminer] Header: [tracestate]" in e.data["description"]:
+                    found_web_parameter = True
+                if "junkword1" in e.data["description"]:
+                    found_web_parameter_false_positive = True
+
+        assert found_web_parameter, "WEB_PARAMETER event was not emitted"
+        assert not found_web_parameter_false_positive, "WEB_PARAMETER event was emitted with false positive"

bbot/test/test_step_2/module_tests/test_module_reflected_parameters.py

@@ -0,0 +1,226 @@
+from .base import ModuleTestBase, tempwordlist
+from werkzeug.wrappers import Response
+import re
+
+from .test_module_paramminer_getparams import TestParamminer_Getparams
+from .test_module_paramminer_headers import helper
+
+
+class TestReflected_parameters_fromexcavate(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "reflected_parameters", "excavate"]
+
+    def request_handler(self, request):
+        normal_block = '<html><a href="/?reflected=foo">foo</a></html>'
+        qs = str(request.query_string.decode())
+        if "reflected=" in qs:
+            value = qs.split("=")[1]
+            if "&" in value:
+                value = value.split("&")[0]
+            reflected_block = f'<html><a href="/?reflected={value}"></a></html>'
+            return Response(reflected_block, status=200)
+        else:
+            return Response(normal_block, status=200)
+
+    async def setup_after_prep(self, module_test):
+        expect_args = re.compile("/")
+        module_test.set_expect_requests_handler(expect_args=expect_args, request_handler=self.request_handler)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and e.data["description"]
+            == "[GETPARAM] Parameter value reflected in response body. Name: [reflected] Source Module: [excavate] Original Value: [foo]"
+            for e in events
+        )
+
+
+class TestReflected_parameters_headers(TestReflected_parameters_fromexcavate):
+    modules_overrides = ["httpx", "reflected_parameters", "excavate", "paramminer_headers"]
+    config_overrides = {
+        "modules": {
+            "paramminer_headers": {"wordlist": tempwordlist(["junkword1", "tracestate"]), "recycle_words": True}
+        }
+    }
+
+    def request_handler(self, request):
+        headers = {k.lower(): v for k, v in request.headers.items()}
+        if "tracestate" in headers:
+            reflected_value = headers["tracestate"]
+            reflected_block = f"<html><div>{reflected_value}</div></html>"
+            return Response(reflected_block, status=200)
+        else:
+            return Response("<html><div></div></html>", status=200)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and e.data["description"]
+            == "[HEADER] Parameter value reflected in response body. Name: [tracestate] Source Module: [paramminer_headers]"
+            for e in events
+        )
+
+
+class TestReflected_parameters_fromparamminer(TestParamminer_Getparams):
+    modules_overrides = ["httpx", "paramminer_getparams", "reflected_parameters"]
+
+    def request_handler(self, request):
+        normal_block = "<html></html>"
+        qs = str(request.query_string.decode())
+        if "id=" in qs:
+            value = qs.split("=")[1]
+            if "&" in value:
+                value = value.split("&")[0]
+            reflected_block = f'<html><a href="/?id={value}"></a></html>'
+            return Response(reflected_block, status=200)
+        else:
+            return Response(normal_block, status=200)
+
+    async def setup_after_prep(self, module_test):
+        module_test.scan.modules["paramminer_getparams"].rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
+        module_test.monkeypatch.setattr(
+            helper.HttpCompare, "gen_cache_buster", lambda *args, **kwargs: {"AAAAAA": "1"}
+        )
+
+        expect_args = re.compile("/")
+        module_test.set_expect_requests_handler(expect_args=expect_args, request_handler=self.request_handler)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and "[GETPARAM] Parameter value reflected in response body. Name: [id] Source Module: [paramminer_getparams]"
+            in e.data["description"]
+            for e in events
+        )
+
+
+class TestReflected_parameters_with_canary(TestReflected_parameters_fromexcavate):
+    def request_handler(self, request):
+        normal_block = '<html><a href="/?reflected=foo">foo</a></html>'
+        qs = str(request.query_string.decode())
+        if qs:
+            # Split the query string into key-value pairs
+            params = qs.split("&")
+            # Construct the reflected block with all parameters
+            reflected_block = '<html><a href="/?'
+            reflected_block += "&".join(params)
+            reflected_block += '"></a></html>'
+            return Response(reflected_block, status=200)
+        else:
+            return Response(normal_block, status=200)
+
+    def check(self, module_test, events):
+        # Ensure no findings are emitted when the canary is reflected
+        assert not any(e.type == "FINDING" for e in events)
+
+
+class TestReflected_parameters_cookies(TestReflected_parameters_fromexcavate):
+    modules_overrides = ["httpx", "reflected_parameters", "excavate", "paramminer_cookies"]
+    config_overrides = {
+        "modules": {
+            "paramminer_cookies": {"wordlist": tempwordlist(["junkword1", "testcookie"]), "recycle_words": True}
+        }
+    }
+
+    def request_handler(self, request):
+        cookies = request.cookies
+        if "testcookie" in cookies:
+            reflected_value = cookies["testcookie"]
+            reflected_block = f"<html><div>{reflected_value}</div></html>"
+            return Response(reflected_block, status=200)
+        else:
+            return Response("<html><div></div></html>", status=200)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and e.data["description"]
+            == "[COOKIE] Parameter value reflected in response body. Name: [testcookie] Source Module: [paramminer_cookies]"
+            for e in events
+        )
+
+
+class TestReflected_parameters_postparams(TestReflected_parameters_fromexcavate):
+    modules_overrides = ["httpx", "reflected_parameters", "excavate"]
+
+    def request_handler(self, request):
+        form_data = request.form
+        if "testparam" in form_data:
+            reflected_value = form_data["testparam"]
+            reflected_block = f"<html><div>{reflected_value}</div></html>"
+            return Response(reflected_block, status=200)
+        else:
+            form_html = """
+            <html>
+                <body>
+                    <form action="/" method="post">
+                        <input type="text" name="testparam" value="default_value">
+                        <input type="submit" value="Submit">
+                    </form>
+                </body>
+            </html>
+            """
+            return Response(form_html, status=200)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and e.data["description"]
+            == "[POSTPARAM] Parameter value reflected in response body. Name: [testparam] Source Module: [excavate] Original Value: [default_value]"
+            for e in events
+        )
+
+
+class TestReflected_parameters_bodyjson(TestReflected_parameters_fromexcavate):
+    modules_overrides = ["httpx", "reflected_parameters", "excavate"]
+
+    def request_handler(self, request):
+        # Ensure the request is expecting JSON data
+        if request.content_type == "application/json":
+            json_data = request.json
+            if "username" in json_data:
+                reflected_value = json_data["username"]
+                reflected_block = f"<html><div>{reflected_value}</div></html>"
+                return Response(reflected_block, status=200)
+        # Provide an HTML page with a jQuery AJAX call
+        jsonajax_extract_html = """
+        <html>
+        <script>
+        function doLogin(e) {
+          e.preventDefault();
+          var username = $("#usernamefield").val();
+          var password = $("#passwordfield").val();
+          $.ajax({
+            url: '/api/auth',
+            type: 'POST',
+            contentType: 'application/json',
+            data: JSON.stringify({ username: username, password: password }),
+            success: function (r) {
+              window.location.replace("/demo");
+            },
+            error: function (r) {
+              if (r.status == 401) {
+                notify("Access denied");
+              } else {
+                notify(r.responseText);
+              }
+            }
+          });
+        }
+        </script>
+        <form action=/ method=GET><input type=text name="novalue"><button type=submit class=button>Submit</button></form>
+        </html>
+        """
+        return Response(jsonajax_extract_html, status=200)
+
+    async def setup_after_prep(self, module_test):
+        expect_args = re.compile("/")
+        module_test.set_expect_requests_handler(expect_args=expect_args, request_handler=self.request_handler)
+
+    def check(self, module_test, events):
+        assert any(
+            e.type == "FINDING"
+            and e.data["description"]
+            == "[BODYJSON] Parameter value reflected in response body. Name: [username] Source Module: [excavate]"
+            for e in events
+        )

bbot/wordlists/paramminer_parameters.txt

@@ -100,7 +100,6 @@ modify
 rename
 reset
 shell
-utm_content
 toggle
 adm
 cfg
@@ -616,7 +615,6 @@ replace
 read
 project
 Post
-PHPSESSID
 nid
 md5
 map
@@ -1532,10 +1530,6 @@ unstick
 unsecuresubmit
 unbookmark
 ua
-utm_source
-utm_campaign
-utm_medium
-utm_term
 typ
 tv
 tree
@@ -4754,7 +4748,6 @@ pPage
 pName
 pMail
 pDesc
-p4ssw0rD
 p3
 p2p
 p2index
@@ -5701,7 +5694,6 @@ dstendport
 dstbeginport
 dscp
 dryrun
-droptables
 drilldown
 dragtable
 dragdroporder

{bbot-2.4.2.dist-info → bbot-2.4.2.6590rc0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: bbot
-Version: 2.4.2
+Version: 2.4.2.6590rc0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool
@@ -438,6 +438,7 @@ For details, see [Configuration](https://www.blacklanternsecurity.com/bbot/Stabl
         - [List of Modules](https://www.blacklanternsecurity.com/bbot/Stable/modules/list_of_modules)
         - [Nuclei](https://www.blacklanternsecurity.com/bbot/Stable/modules/nuclei)
         - [Custom YARA Rules](https://www.blacklanternsecurity.com/bbot/Stable/modules/custom_yara_rules)
+        - [Lightfuzz](https://www.blacklanternsecurity.com/bbot/Stable/modules/lightfuzz)
     - **Misc**
         - [Contribution](https://www.blacklanternsecurity.com/bbot/Stable/contribution)
         - [Release History](https://www.blacklanternsecurity.com/bbot/Stable/release_history)