bbot 2.6.0.6840rc0__py3-none-any.whl → 2.7.2.7424rc0__py3-none-any.whl

bbot/test/test_step_2/module_tests/test_module_lightfuzz.py

@@ -608,7 +608,7 @@ class Test_Lightfuzz_urlencoding(Test_Lightfuzz_xss_injs):
         "interactsh_disable": True,
         "modules": {
             "lightfuzz": {
-                "enabled_submodules": ["cmdi", "crypto", "path", "serial", "sqli", "ssti", "xss"],
+                "enabled_submodules": ["cmdi", "crypto", "path", "serial", "sqli", "ssti", "xss", "esi"],
             }
         },
     }
@@ -1723,7 +1723,7 @@ class Test_Lightfuzz_XSS_jsquotecontext(ModuleTestBase):
                     input_value = param.split("=")[1]
                     break
 
-            if input_value:
+            if input_value is not None:
                 # Simulate flawed escaping
                 sanitized_input = input_value.replace('"', '\\"').replace("'", "\\'")
                 sanitized_input = sanitized_input.replace("<", "%3C").replace(">", "%3E")
@@ -1786,7 +1786,7 @@ class Test_Lightfuzz_XSS_jsquotecontext_doublequote(Test_Lightfuzz_XSS_jsquoteco
                     input_value = param.split("=")[1]
                     break
 
-            if input_value:
+            if input_value is not None:
                 # Simulate flawed escaping with opposite quotes
                 sanitized_input = input_value.replace("'", "\\").replace("%22", '\\"')
                 sanitized_input = sanitized_input.replace("<", "%3C").replace(">", "%3E")
@@ -1817,3 +1817,71 @@ class Test_Lightfuzz_XSS_jsquotecontext_doublequote(Test_Lightfuzz_XSS_jsquoteco
 
         assert web_parameter_emitted, "WEB_PARAMETER for was not emitted"
         assert xss_finding_emitted, "XSS FINDING not emitted"
+
+
+class Test_Lightfuzz_esi(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "lightfuzz", "excavate"]
+    config_overrides = {
+        "interactsh_disable": True,
+        "modules": {
+            "lightfuzz": {
+                "enabled_submodules": ["esi"],
+            }
+        },
+    }
+
+    def request_handler(self, request):
+        qs = str(request.query_string.decode())
+
+        parameter_block = """
+        <section class=search>
+            <form action=/ method=GET>
+                <input type=text placeholder='Search...' name=search>
+                <button type=submit class=button>Search</button>
+            </form>
+        </section>
+        """
+        if "search=" in qs:
+            value = qs.split("=")[1]
+            if "&" in value:
+                value = value.split("&")[0]
+            # Decode the URL-encoded value
+            decoded_value = unquote(value)
+            # Simulate ESI processing: if the payload contains <!--esi-->, remove it
+            if "<!--esi-->" in decoded_value:
+                # ESI processor removes <!--esi--> tag, leaving the rest
+                processed_value = decoded_value.replace("<!--esi-->", "")
+            else:
+                # For non-ESI payloads, just reflect the value as-is
+                processed_value = decoded_value
+
+            esi_block = f"""
+        <section class=blog-header>
+            <h1>Search results for '{processed_value}'</h1>
+            <hr>
+        </section>
+        """
+            return Response(esi_block, status=200)
+
+        return Response(parameter_block, status=200)
+
+    async def setup_after_prep(self, module_test):
+        expect_args = re.compile("/")
+        module_test.set_expect_requests_handler(expect_args=expect_args, request_handler=self.request_handler)
+
+    def check(self, module_test, events):
+        web_parameter_emitted = False
+        esi_finding_emitted = False
+
+        for e in events:
+            if e.type == "WEB_PARAMETER":
+                if "HTTP Extracted Parameter [search]" in e.data["description"]:
+                    web_parameter_emitted = True
+
+            if e.type == "FINDING":
+                if "Edge Side Include. Parameter: [search] Parameter Type: [GETPARAM]" in e.data["description"]:
+                    esi_finding_emitted = True
+
+        assert web_parameter_emitted, "WEB_PARAMETER was not emitted"
+        assert esi_finding_emitted, "ESI FINDING not emitted"

bbot/test/test_step_2/module_tests/test_module_nuclei.py

@@ -12,7 +12,6 @@ class TestNucleiManual(ModuleTestBase):
         },
         "modules": {
             "nuclei": {
-                "version": "2.9.4",
                 "mode": "manual",
                 "concurrency": 2,
                 "ratelimit": 10,
@@ -67,7 +66,7 @@ class TestNucleiSevere(TestNucleiManual):
             "nuclei": {
                 "mode": "severe",
                 "concurrency": 1,
-                "templates": "/tmp/.bbot_test/tools/nuclei-templates/vulnerabilities/generic/generic-env.yaml",
+                "templates": "/tmp/.bbot_test/tools/nuclei-templates/http/vulnerabilities/generic/generic-env.yaml",
             }
         },
         "interactsh_disable": True,

bbot/test/test_step_2/module_tests/test_module_otx.py

@@ -2,6 +2,8 @@ from .base import ModuleTestBase
 
 
 class TestOTX(ModuleTestBase):
+    config_overrides = {"modules": {"otx": {"api_key": "test"}}}
+
     async def setup_after_prep(self, module_test):
         module_test.httpx_mock.add_response(
             url="https://otx.alienvault.com/api/v1/indicators/domain/blacklanternsecurity.com/passive_dns",
@@ -21,6 +23,7 @@ class TestOTX(ModuleTestBase):
                     }
                 ]
             },
+            headers={"X-OTX-API-KEY": "test"},
         )
 
     def check(self, module_test, events):

bbot/test/test_step_2/module_tests/test_module_portfilter.py

@@ -43,6 +43,8 @@ class TestPortfilter_enabled(TestPortfilter_disabled):
     modules_overrides = ["portfilter"]
 
     def check(self, module_test, events):
+        # even though portfilter listens for URLs, enabling it should not automatically enable httpx
+        assert "httpx" not in module_test.scan.modules
         open_ports = {event.data for event in events if event.type == "OPEN_TCP_PORT"}
         # we should be missing the 8080 port because it's a CDN and not in portfilter's allowed list of open ports
         assert open_ports == {"www.blacklanternsecurity.com:443", "www.blacklanternsecurity.com:21"}

bbot/test/test_step_2/module_tests/test_module_retirejs.py

@@ -0,0 +1,161 @@
+from .base import ModuleTestBase
+
+
+class TestRetireJS(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "excavate", "retirejs"]
+
+    # HTML page with vulnerable JavaScript libraries
+    vulnerable_html = """<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>retire.js test page</title>
+</head>
+<body>
+  <h1>retire.js test page</h1>
+  <p>This page includes JavaScript libraries for testing.</p>
+
+  <!-- jQuery 3.4.1 -->
+  <script src="/jquery-3.4.1.min.js"></script>
+
+  <!-- Lodash 4.17.11 -->
+  <script src="/lodash.min.js"></script>
+
+  <!-- Handlebars 4.0.5 -->
+  <script src="/handlebars.min.js"></script>
+
+  <script>
+    console.log('Libraries loaded');
+  </script>
+</body>
+</html>"""
+
+    # Sample jQuery 3.4.1 content
+    jquery_content = """/*!
+ * jQuery JavaScript Library v3.4.1
+ * https://jquery.com/
+ */
+(function( global, factory ) {
+    "use strict";
+    factory( global );
+})(typeof window !== "undefined" ? window : this, function( window, noGlobal ) {
+    var jQuery = function( selector, context ) {
+        return new jQuery.fn.init( selector, context );
+    };
+    jQuery.fn = jQuery.prototype = {};
+    jQuery.fn.jquery = "3.4.1";
+    if ( typeof noGlobal === "undefined" ) {
+        window.jQuery = window.$ = jQuery;
+    }
+    return jQuery;
+});"""
+
+    # Sample Lodash 4.17.11 content
+    lodash_content = """/**
+ * @license
+ * Lodash lodash.com/license | Underscore.js 1.8.3 underscorejs.org/LICENSE
+ */
+;(function(){
+var i="4.17.11";
+var Mn={VERSION:i};
+if(typeof define=="function"&&define.amd)define(function(){return Mn});else if(typeof module=="object"&&module.exports)module.exports=Mn;else this._=Mn}());"""
+
+    # Sample Handlebars 4.0.5 content
+    handlebars_content = """/*!
+ handlebars v4.0.5
+*/
+!function(a,b){"object"==typeof exports&&"object"==typeof module?module.exports=b():"function"==typeof define&&define.amd?define([],b):"object"==typeof exports?exports.Handlebars=b():a.Handlebars=b()}(this,function(){
+var Handlebars={};
+Handlebars.VERSION="4.0.5";
+return Handlebars;
+});"""
+
+    async def setup_after_prep(self, module_test):
+        expect_args = {"uri": "/"}
+        respond_args = {"response_data": self.vulnerable_html}
+        module_test.set_expect_requests(expect_args, respond_args)
+
+        expect_args = {"uri": "/jquery-3.4.1.min.js"}
+        respond_args = {"response_data": self.jquery_content}
+        module_test.set_expect_requests(expect_args, respond_args)
+
+        expect_args = {"uri": "/lodash.min.js"}
+        respond_args = {"response_data": self.lodash_content}
+        module_test.set_expect_requests(expect_args, respond_args)
+
+        expect_args = {"uri": "/handlebars.min.js"}
+        respond_args = {"response_data": self.handlebars_content}
+        module_test.set_expect_requests(expect_args, respond_args)
+
+    def check(self, module_test, events):
+        # Check that excavate found the JavaScript URLs
+        url_unverified_events = [e for e in events if e.type == "URL_UNVERIFIED"]
+        js_url_events = [e for e in url_unverified_events if "extension-js" in e.tags]
+
+        # Two out of the three URLs should be in the output
+        # The third, non-vulnerable URL (lodash.min.js) is not output because it's a "special URL", and
+        # nothing interesting has been discovered from it.
+        vuln_urls = {"http://127.0.0.1:8888/handlebars.min.js", "http://127.0.0.1:8888/jquery-3.4.1.min.js"}
+        assert {e.data for e in js_url_events} == vuln_urls, "Expected to find the vulnerable URLs in the output"
+
+        # Check for FINDING events generated by retirejs
+        finding_events = [e for e in events if e.type == "FINDING"]
+        retirejs_findings = [
+            e
+            for e in finding_events
+            if "vulnerable javascript library detected:" in e.data.get("description", "").lower()
+        ]
+
+        # We should have at least some findings from our vulnerable libraries
+        assert len(retirejs_findings) > 0, (
+            f"Expected retirejs to find vulnerabilities, but got {len(retirejs_findings)} findings"
+        )
+
+        # Check for specific expected vulnerability descriptions
+        descriptions = [finding.data.get("description", "") for finding in retirejs_findings]
+        all_descriptions = "\n".join(descriptions)
+
+        # Look for specific vulnerabilities we expect to find
+        expected_handlebars_vuln = "Vulnerable JavaScript library detected: handlebars v4.0.5 Severity: HIGH Summary: Regular Expression Denial of Service in Handlebars JavaScript URL: http://127.0.0.1:8888/handlebars.min.js CVE(s): CVE-2019-20922 Affected versions: [4.0.0 to 4.4.5)"
+        expected_jquery_vuln = "Vulnerable JavaScript library detected: jquery v3.4.1 Severity: MEDIUM Summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS JavaScript URL: http://127.0.0.1:8888/jquery-3.4.1.min.js CVE(s): CVE-2020-11022 Affected versions: [1.2.0 to 3.5.0)"
+
+        # Verify at least one of the expected vulnerabilities is found
+        handlebars_found = expected_handlebars_vuln in all_descriptions
+        jquery_found = expected_jquery_vuln in all_descriptions
+
+        assert handlebars_found and jquery_found, (
+            f"Expected to find specific vulnerabilities but didn't find them. Found descriptions:\n{all_descriptions}"
+        )
+
+        # Basic validation of findings structure
+        for finding in retirejs_findings:
+            assert "description" in finding.data, "Finding should have description"
+            assert "url" in finding.data, "Finding should have url"
+            assert finding.parent.type == "URL_UNVERIFIED", "Parent should be URL_UNVERIFIED"
+
+
+class TestRetireJSNoExcavate(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "retirejs"]
+    force_start = True  # Allow scan to continue even if modules fail setup
+    config_overrides = {
+        "excavate": False,
+    }
+
+    def check(self, module_test, events):
+        # When excavate is disabled, retirejs should fail setup but scan should still run
+        retirejs_module = module_test.scan.modules.get("retirejs")
+
+        if retirejs_module:
+            # Check that the module exists but setup failed
+            setup_status = getattr(retirejs_module, "_setup_status", None)
+            if setup_status is not None:
+                success, error_msg = setup_status
+                assert success is False, "retirejs setup should have failed without excavate"
+                expected_error = "retirejs will not function without excavate enabled"
+                assert error_msg == expected_error, f"Expected error message '{expected_error}', but got '{error_msg}'"
+
+        # No retirejs findings should be generated since setup failed
+        retirejs_findings = [e for e in events if e.type == "FINDING" and getattr(e, "module", None) == "retirejs"]
+        assert len(retirejs_findings) == 0, "retirejs should not generate findings when setup fails"

bbot/test/test_step_2/module_tests/test_module_telerik.py

@@ -11,7 +11,7 @@ class TestTelerik(ModuleTestBase):
         # Simulate Telerik.Web.UI.WebResource.axd?type=rau detection
         expect_args = {"method": "GET", "uri": "/Telerik.Web.UI.WebResource.axd", "query_string": "type=rau"}
         respond_args = {
-            "response_data": '{ "message" : "RadAsyncUpload handler is registered successfully, however, it may not be accessed directly." }'
+            "response_data": '{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }'
         }
         module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
 

bbot/test/test_step_2/module_tests/test_module_trufflehog.py

@@ -16,6 +16,7 @@ class TestTrufflehog(ModuleTestBase):
         "modules": {
             "postman_download": {"api_key": "asdf", "output_folder": str(download_dir)},
             "docker_pull": {"output_folder": str(download_dir)},
+            "github_org": {"api_key": "asdf"},
             "git_clone": {"output_folder": str(download_dir)},
         }
     }
@@ -34,7 +35,9 @@ class TestTrufflehog(ModuleTestBase):
     file_content = "Verifiable Secret:\nhttps://admin:admin@the-internet.herokuapp.com/basic_auth\n\nUnverifiable Secret:\nhttps://admin:admin@internal.host.com"
 
     async def setup_before_prep(self, module_test):
-        module_test.httpx_mock.add_response(url="https://api.github.com/zen")
+        module_test.httpx_mock.add_response(
+            url="https://api.github.com/zen", match_headers={"Authorization": "token asdf"}
+        )
         module_test.httpx_mock.add_response(
             url="https://api.getpostman.com/me",
             json={
@@ -68,6 +71,7 @@ class TestTrufflehog(ModuleTestBase):
         )
         module_test.httpx_mock.add_response(
             url="https://api.github.com/orgs/blacklanternsecurity",
+            match_headers={"Authorization": "token asdf"},
             json={
                 "login": "blacklanternsecurity",
                 "id": 25311592,
@@ -103,6 +107,7 @@ class TestTrufflehog(ModuleTestBase):
         )
         module_test.httpx_mock.add_response(
             url="https://api.github.com/orgs/blacklanternsecurity/repos?per_page=100&page=1",
+            match_headers={"Authorization": "token asdf"},
             json=[
                 {
                     "id": 459780477,
@@ -310,6 +315,7 @@ class TestTrufflehog(ModuleTestBase):
         )
         module_test.httpx_mock.add_response(
             url="https://api.github.com/repos/blacklanternsecurity/bbot/actions/workflows?per_page=100&page=1",
+            match_headers={"Authorization": "token asdf"},
             json={
                 "total_count": 3,
                 "workflows": [
@@ -330,6 +336,7 @@ class TestTrufflehog(ModuleTestBase):
         )
         module_test.httpx_mock.add_response(
             url="https://api.github.com/repos/blacklanternsecurity/bbot/actions/workflows/22452226/runs?status=success&per_page=1",
+            match_headers={"Authorization": "token asdf"},
             json={
                 "total_count": 2993,
                 "workflow_runs": [
@@ -576,6 +583,7 @@ class TestTrufflehog(ModuleTestBase):
         )
         module_test.httpx_mock.add_response(
             url="https://api.github.com/repos/blacklanternsecurity/bbot/actions/runs/8839360698/logs",
+            match_headers={"Authorization": "token asdf"},
             headers={
                 "location": "https://productionresultssa10.blob.core.windows.net/actions-results/7beb304e-f42c-4830-a027-4f5dec53107d/workflow-job-run-3a559e2a-952e-58d2-b8db-2e604a9266d7/logs/steps/step-logs-0e34a19a-18b0-4208-b27a-f8c031db2d17.txt?rsct=text%2Fplain&se=2024-04-26T16%3A25%3A39Z&sig=a%2FiN8dOw0e3tiBQZAfr80veI8OYChb9edJ1eFY136B4%3D&sp=r&spr=https&sr=b&st=2024-04-26T16%3A15%3A34Z&sv=2021-12-02"
             },
@@ -1221,6 +1229,7 @@ class TestTrufflehog_NonVerified(TestTrufflehog):
             "trufflehog": {"only_verified": False},
             "docker_pull": {"output_folder": str(download_dir)},
             "postman_download": {"api_key": "asdf", "output_folder": str(download_dir)},
+            "github_org": {"api_key": "asdf"},
             "git_clone": {"output_folder": str(download_dir)},
         }
     }

{bbot-2.6.0.6840rc0.dist-info → bbot-2.7.2.7424rc0.dist-info}/METADATA

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: bbot
-Version: 2.6.0.6840rc0
+Version: 2.7.2.7424rc0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
+License-File: LICENSE
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool
 Author: TheTechromancer
 Requires-Python: >=3.9,<4.0
@@ -14,14 +15,15 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Security
 Requires-Dist: ansible-core (>=2.15.13,<3.0.0)
 Requires-Dist: ansible-runner (>=2.3.2,<3.0.0)
 Requires-Dist: beautifulsoup4 (>=4.12.2,<5.0.0)
 Requires-Dist: cachetools (>=5.3.2,<7.0.0)
-Requires-Dist: cloudcheck (>=7.2.11,<8.0.0)
+Requires-Dist: cloudcheck (>=8.6.0,<9.0.0)
 Requires-Dist: deepdiff (>=8.0.0,<9.0.0)
-Requires-Dist: dnspython (>=2.4.2,<3.0.0)
+Requires-Dist: dnspython (>=2.7.0,<2.8.0)
 Requires-Dist: httpx (>=0.28.1,<0.29.0)
 Requires-Dist: idna (>=3.4,<4.0)
 Requires-Dist: jinja2 (>=3.1.3,<4.0.0)
@@ -34,9 +36,9 @@ Requires-Dist: puremagic (>=1.28,<2.0)
 Requires-Dist: pycryptodome (>=3.17,<4.0)
 Requires-Dist: pydantic (>=2.9.2,<3.0.0)
 Requires-Dist: pyjwt (>=2.7.0,<3.0.0)
-Requires-Dist: pyzmq (>=26.0.3,<27.0.0)
+Requires-Dist: pyzmq (>=26.0.3,<28.0.0)
 Requires-Dist: radixtarget (>=3.0.13,<4.0.0)
-Requires-Dist: regex (>=2024.4.16,<2025.0.0)
+Requires-Dist: regex (>=2024.4.16,<2026.0.0)
 Requires-Dist: setproctitle (>=1.3.3,<2.0.0)
 Requires-Dist: socksio (>=1.0.0,<2.0.0)
 Requires-Dist: tabulate (==0.8.10)
@@ -45,6 +47,7 @@ Requires-Dist: unidecode (>=1.3.8,<2.0.0)
 Requires-Dist: websockets (>=14.0.0,<16.0.0)
 Requires-Dist: wordninja (>=2.0.0,<3.0.0)
 Requires-Dist: xmltojson (>=2.0.2,<3.0.0)
+Requires-Dist: xxhash (>=3.5.0,<4.0.0)
 Requires-Dist: yara-python (>=4.5.1,<5.0.0)
 Project-URL: Documentation, https://www.blacklanternsecurity.com/bbot/
 Project-URL: Discord, https://discord.com/invite/PZqkgxu5SA
@@ -55,7 +58,7 @@ Description-Content-Type: text/markdown
 
 [![bbot_banner](https://github.com/user-attachments/assets/f02804ce-9478-4f1e-ac4d-9cf5620a3214)](https://github.com/blacklanternsecurity/bbot)
 
-[![Python Version](https://img.shields.io/badge/python-3.9+-FF8400)](https://www.python.org) [![License](https://img.shields.io/badge/license-GPLv3-FF8400.svg)](https://github.com/blacklanternsecurity/bbot/blob/dev/LICENSE) [![DEF CON Recon Village 2024](https://img.shields.io/badge/DEF%20CON%20Demo%20Labs-2023-FF8400.svg)](https://www.reconvillage.org/talks) [![PyPi Downloads](https://static.pepy.tech/personalized-badge/bbot?right_color=orange&left_color=grey)](https://pepy.tech/project/bbot) [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) [![Tests](https://github.com/blacklanternsecurity/bbot/actions/workflows/tests.yml/badge.svg?branch=stable)](https://github.com/blacklanternsecurity/bbot/actions?query=workflow%3A"tests") [![Codecov](https://codecov.io/gh/blacklanternsecurity/bbot/branch/dev/graph/badge.svg?token=IR5AZBDM5K)](https://codecov.io/gh/blacklanternsecurity/bbot) [![Discord](https://img.shields.io/discord/859164869970362439)](https://discord.com/invite/PZqkgxu5SA)
+[![Python Version](https://img.shields.io/badge/python-3.9+-FF8400)](https://www.python.org) [![License](https://img.shields.io/badge/license-AGPLv3-FF8400.svg)](https://github.com/blacklanternsecurity/bbot/blob/dev/LICENSE) [![DEF CON Recon Village 2024](https://img.shields.io/badge/DEF%20CON%20Demo%20Labs-2023-FF8400.svg)](https://www.reconvillage.org/talks) [![PyPi Downloads](https://static.pepy.tech/personalized-badge/bbot?right_color=orange&left_color=grey)](https://pepy.tech/project/bbot) [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) [![Tests](https://github.com/blacklanternsecurity/bbot/actions/workflows/tests.yml/badge.svg?branch=stable)](https://github.com/blacklanternsecurity/bbot/actions?query=workflow%3A"tests") [![Codecov](https://codecov.io/gh/blacklanternsecurity/bbot/branch/dev/graph/badge.svg?token=IR5AZBDM5K)](https://codecov.io/gh/blacklanternsecurity/bbot) [![Discord](https://img.shields.io/discord/859164869970362439)](https://discord.com/invite/PZqkgxu5SA)
 
 ### **BEE·bot** is a multipurpose scanner inspired by [Spiderfoot](https://github.com/smicallef/spiderfoot), built to automate your **Recon**, **Bug Bounties**, and **ASM**!