scythe-ttp 0.17.1__py3-none-any.whl → 0.17.3__py3-none-any.whl

scythe/core/executor.py

@@ -3,9 +3,10 @@ import logging
 from selenium import webdriver
 from selenium.webdriver.chrome.options import Options
 from .ttp import TTP
-from typing import Optional
+from typing import Optional, Dict, Any
 from ..behaviors.base import Behavior
 from .headers import HeaderExtractor
+import requests
 
 # Configure logging
 logging.basicConfig(
@@ -60,7 +61,18 @@ class TTPExecutor:
             self.logger.info(f"Using behavior: {self.behavior.name}")
             self.logger.info(f"Behavior description: {self.behavior.description}")
 
-        self._setup_driver()
+        # Check execution mode
+        if self.ttp.execution_mode == 'api':
+            self.logger.info("Execution mode: API")
+            self._run_api_mode()
+            return
+        else:
+            self.logger.info("Execution mode: UI")
+            self._setup_driver()
+            self._run_ui_mode()
+    
+    def _run_ui_mode(self):
+        """Execute TTP in UI mode using Selenium."""
 
         try:
             # Handle authentication if required
@@ -172,6 +184,108 @@ class TTPExecutor:
         finally:
             self._cleanup()
 
+    def _run_api_mode(self):
+        """Execute TTP in API mode using requests."""
+        session = requests.Session()
+        context: Dict[str, Any] = {
+            'target_url': self.target_url,
+            'auth_headers': {},
+            'rate_limit_resume_at': None
+        }
+        
+        try:
+            # Handle authentication if required (API mode)
+            if self.ttp.requires_authentication():
+                auth_name = self.ttp.authentication.name if self.ttp.authentication else "Unknown"
+                self.logger.info(f"Authentication required for TTP: {auth_name}")
+                
+                # Try to get auth headers directly
+                try:
+                    if hasattr(self.ttp.authentication, 'get_auth_headers'):
+                        auth_headers = self.ttp.authentication.get_auth_headers() or {}
+                        context['auth_headers'] = auth_headers
+                        session.headers.update(auth_headers)
+                        self.logger.info("Authentication headers applied")
+                except Exception as e:
+                    self.logger.warning(f"Failed to get auth headers: {e}")
+            
+            consecutive_failures = 0
+            
+            for i, payload in enumerate(self.ttp.get_payloads(), 1):
+                # Check if behavior wants to continue
+                if self.behavior and not self.behavior.should_continue(i, consecutive_failures):
+                    self.logger.info("Behavior requested to stop execution")
+                    break
+                
+                self.logger.info(f"Attempt {i}: Executing with payload -> '{payload}'")
+                
+                try:
+                    # Execute API request
+                    response = self.ttp.execute_step_api(session, payload, context)
+                    
+                    # Use behavior delay if available, otherwise use default
+                    if self.behavior:
+                        step_delay = self.behavior.get_step_delay(i)
+                    else:
+                        step_delay = self.delay
+                    
+                    time.sleep(step_delay)
+                    
+                    # Verify result
+                    success = self.ttp.verify_result_api(response, context)
+                    
+                    # Compare actual result with expected result
+                    if success:
+                        consecutive_failures = 0
+                        
+                        # Extract target version from response headers
+                        target_version = response.headers.get('X-SCYTHE-TARGET-VERSION') or response.headers.get('x-scythe-target-version')
+                        
+                        result_entry = {
+                            'payload': payload,
+                            'url': response.url if hasattr(response, 'url') else self.target_url,
+                            'expected': self.ttp.expected_result,
+                            'actual': True,
+                            'target_version': target_version
+                        }
+                        self.results.append(result_entry)
+                        
+                        if self.ttp.expected_result:
+                            version_info = f" | Version: {target_version}" if target_version else ""
+                            self.logger.info(f"EXPECTED SUCCESS: '{payload}'{version_info}")
+                        else:
+                            version_info = f" | Version: {target_version}" if target_version else ""
+                            self.logger.warning(f"UNEXPECTED SUCCESS: '{payload}' (expected to fail){version_info}")
+                            self.has_test_failures = True
+                    else:
+                        consecutive_failures += 1
+                        if self.ttp.expected_result:
+                            self.logger.info(f"EXPECTED FAILURE: '{payload}' (security control working)")
+                            self.has_test_failures = True
+                        else:
+                            self.logger.info(f"EXPECTED FAILURE: '{payload}'")
+                
+                except Exception as step_error:
+                    consecutive_failures += 1
+                    self.logger.error(f"Error during step {i}: {step_error}")
+                    
+                    # Let behavior handle the error
+                    if self.behavior:
+                        if not self.behavior.on_error(step_error, i):
+                            self.logger.info("Behavior requested to stop due to error")
+                            break
+                    else:
+                        # Default behavior: continue on most errors
+                        continue
+        
+        except KeyboardInterrupt:
+            self.logger.info("Test interrupted by user.")
+        except Exception as e:
+            self.logger.error(f"An unexpected error occurred: {e}", exc_info=True)
+        finally:
+            session.close()
+            self._cleanup()
+    
     def _cleanup(self):
         """Closes the WebDriver and prints a summary."""
         if self.driver:

scythe/core/ttp.py

@@ -1,9 +1,10 @@
 from abc import ABC, abstractmethod
-from typing import Generator, Any, Optional, TYPE_CHECKING
+from typing import Generator, Any, Optional, TYPE_CHECKING, Dict
 from selenium.webdriver.remote.webdriver import WebDriver
 
 if TYPE_CHECKING:
     from ..auth.base import Authentication
+    import requests
 
 class TTP(ABC):
     """
@@ -11,9 +12,14 @@ class TTP(ABC):
 
     Each TTP implementation must define how to generate payloads, how to
     execute a test step with a given payload, and how to verify the outcome.
+    
+    TTPs can operate in two modes:
+    - 'ui': Uses Selenium WebDriver to interact with web UI (default)
+    - 'api': Uses requests library to interact directly with backend APIs
     """
 
-    def __init__(self, name: str, description: str, expected_result: bool = True, authentication: Optional['Authentication'] = None):
+    def __init__(self, name: str, description: str, expected_result: bool = True, 
+                 authentication: Optional['Authentication'] = None, execution_mode: str = 'ui'):
         """
         Initialize a TTP.
         
@@ -24,11 +30,13 @@ class TTP(ABC):
                            True means we expect to find vulnerabilities/success conditions.
                            False means we expect the security controls to prevent success.
             authentication: Optional authentication mechanism to use before executing TTP
+            execution_mode: Execution mode - 'ui' for Selenium-based UI testing or 'api' for direct API testing
         """
         self.name = name
         self.description = description
         self.expected_result = expected_result
         self.authentication = authentication
+        self.execution_mode = execution_mode.lower()
 
     @abstractmethod
     def get_payloads(self) -> Generator[Any, None, None]:
@@ -80,9 +88,59 @@ class TTP(ABC):
     @abstractmethod
     def verify_result(self, driver: WebDriver) -> bool:
         """
-        Verifies the outcome of the executed step.
+        Verifies the outcome of the executed step in UI mode.
 
         Returns:
             True if the test indicates a potential success/vulnerability, False otherwise.
         """
         pass
+    
+    def execute_step_api(self, session: 'requests.Session', payload: Any, context: Dict[str, Any]) -> 'requests.Response':
+        """
+        Executes a single test action using the provided payload via API request.
+        This method should be overridden by TTPs that support API mode.
+        
+        Args:
+            session: requests.Session instance for making HTTP requests
+            payload: The payload to use for this test iteration
+            context: Shared context dictionary for storing state and auth headers
+            
+        Returns:
+            requests.Response object from the API call
+            
+        Raises:
+            NotImplementedError: If the TTP does not support API mode
+        """
+        raise NotImplementedError(f"{self.name} does not support API execution mode")
+    
+    def verify_result_api(self, response: 'requests.Response', context: Dict[str, Any]) -> bool:
+        """
+        Verifies the outcome of the executed step in API mode.
+        This method should be overridden by TTPs that support API mode.
+        
+        Args:
+            response: The requests.Response object from execute_step_api
+            context: Shared context dictionary for accessing state
+            
+        Returns:
+            True if the test indicates a potential success/vulnerability, False otherwise
+            
+        Raises:
+            NotImplementedError: If the TTP does not support API mode
+        """
+        raise NotImplementedError(f"{self.name} does not support API result verification in API mode")
+    
+    def supports_api_mode(self) -> bool:
+        """
+        Check if this TTP implementation supports API execution mode.
+        
+        Returns:
+            True if API mode is supported, False otherwise
+        """
+        # Check if the TTP has overridden the API methods
+        try:
+            # Try to call the method on the class to see if it's been overridden
+            return (type(self).execute_step_api != TTP.execute_step_api or 
+                    type(self).verify_result_api != TTP.verify_result_api)
+        except Exception:
+            return False

scythe/journeys/actions.py

@@ -439,81 +439,163 @@ class TTPAction(Action):
             True if TTP execution matches expected result, False otherwise
         """
         try:
-            # Determine target URL
-            if self.target_url:
-                url = self.target_url
-            elif 'current_url' in context:
-                url = context['current_url']
+            # Check execution mode
+            if self.ttp.execution_mode == 'api':
+                return self._execute_api_mode(driver, context)
             else:
-                url = driver.current_url
-            
-            # Navigate to URL if needed
-            if url != driver.current_url:
-                driver.get(url)
-            
-            # Execute TTP authentication if required
-            if self.ttp.requires_authentication():
-                auth_success = self.ttp.authenticate(driver, url)
-                if not auth_success:
-                    self.store_result('error', 'TTP authentication failed')
-                    return False
-            
-            # Execute TTP payloads
-            ttp_results = []
-            success_count = 0
-            total_count = 0
+                return self._execute_ui_mode(driver, context)
+                
+        except Exception as e:
+            self.store_result('error', str(e))
+            return False
+    
+    def _execute_ui_mode(self, driver: WebDriver, context: Dict[str, Any]) -> bool:
+        """Execute TTP in UI mode using Selenium."""
+        # Determine target URL
+        if self.target_url:
+            url = self.target_url
+        elif 'current_url' in context:
+            url = context['current_url']
+        else:
+            url = driver.current_url
+        
+        # Navigate to URL if needed
+        if url != driver.current_url:
+            driver.get(url)
+        
+        # Execute TTP authentication if required
+        if self.ttp.requires_authentication():
+            auth_success = self.ttp.authenticate(driver, url)
+            if not auth_success:
+                self.store_result('error', 'TTP authentication failed')
+                return False
+        
+        # Execute TTP payloads
+        ttp_results = []
+        success_count = 0
+        total_count = 0
+        
+        for payload in self.ttp.get_payloads():
+            total_count += 1
             
-            for payload in self.ttp.get_payloads():
-                total_count += 1
+            try:
+                # Execute step
+                self.ttp.execute_step(driver, payload)
                 
-                try:
-                    # Execute step
-                    self.ttp.execute_step(driver, payload)
-                    
-                    # Verify result
-                    result = self.ttp.verify_result(driver)
-                    
-                    ttp_results.append({
-                        'payload': str(payload),
-                        'success': result,
-                        'url': driver.current_url
-                    })
+                # Verify result
+                result = self.ttp.verify_result(driver)
+                
+                ttp_results.append({
+                    'payload': str(payload),
+                    'success': result,
+                    'url': driver.current_url
+                })
+                
+                if result:
+                    success_count += 1
                     
-                    if result:
-                        success_count += 1
-                        
-                except Exception as e:
-                    ttp_results.append({
-                        'payload': str(payload),
-                        'success': False,
-                        'error': str(e),
-                        'url': driver.current_url
-                    })
-            
-            # Store results
-            self.store_result('ttp_name', self.ttp.name)
-            self.store_result('total_payloads', total_count)
-            self.store_result('successful_payloads', success_count)
-            self.store_result('ttp_results', ttp_results)
-            self.store_result('success_rate', success_count / total_count if total_count > 0 else 0)
-            
-            # Update context
-            context[f'ttp_results_{self.ttp.name}'] = ttp_results
-            context['last_ttp_success_count'] = success_count
-            
-            # Determine action success based on expected result
-            has_successes = success_count > 0
+            except Exception as e:
+                ttp_results.append({
+                    'payload': str(payload),
+                    'success': False,
+                    'error': str(e),
+                    'url': driver.current_url
+                })
+        
+        # Store results
+        self.store_result('ttp_name', self.ttp.name)
+        self.store_result('execution_mode', 'ui')
+        self.store_result('total_payloads', total_count)
+        self.store_result('successful_payloads', success_count)
+        self.store_result('ttp_results', ttp_results)
+        self.store_result('success_rate', success_count / total_count if total_count > 0 else 0)
+        
+        # Update context
+        context[f'ttp_results_{self.ttp.name}'] = ttp_results
+        context['last_ttp_success_count'] = success_count
+        
+        # Determine action success based on expected result
+        has_successes = success_count > 0
+        
+        if self.expected_result:
+            # Expecting TTP to find vulnerabilities/succeed
+            return has_successes
+        else:
+            # Expecting TTP to fail (security controls working)
+            return not has_successes
+    
+    def _execute_api_mode(self, driver: WebDriver, context: Dict[str, Any]) -> bool:
+        """Execute TTP in API mode using requests library."""
+        import requests
+        
+        # Get or create requests session
+        session = context.get('requests_session')
+        if session is None:
+            session = requests.Session()
+            context['requests_session'] = session
+        
+        # Set target URL in context if provided
+        if self.target_url:
+            context['target_url'] = self.target_url
+        
+        # Verify TTP supports API mode
+        if not self.ttp.supports_api_mode():
+            self.store_result('error', f'TTP {self.ttp.name} does not support API execution mode')
+            return False
+        
+        # Execute TTP payloads via API
+        ttp_results = []
+        success_count = 0
+        total_count = 0
+        
+        for payload in self.ttp.get_payloads():
+            total_count += 1
             
-            if self.expected_result:
-                # Expecting TTP to find vulnerabilities/succeed
-                return has_successes
-            else:
-                # Expecting TTP to fail (security controls working)
-                return not has_successes
+            try:
+                # Execute step via API
+                response = self.ttp.execute_step_api(session, payload, context)
                 
-        except Exception as e:
-            self.store_result('error', str(e))
-            return False
+                # Verify result
+                result = self.ttp.verify_result_api(response, context)
+                
+                ttp_results.append({
+                    'payload': str(payload),
+                    'success': result,
+                    'status_code': response.status_code,
+                    'url': response.url
+                })
+                
+                if result:
+                    success_count += 1
+                    
+            except Exception as e:
+                ttp_results.append({
+                    'payload': str(payload),
+                    'success': False,
+                    'error': str(e)
+                })
+        
+        # Store results
+        self.store_result('ttp_name', self.ttp.name)
+        self.store_result('execution_mode', 'api')
+        self.store_result('total_payloads', total_count)
+        self.store_result('successful_payloads', success_count)
+        self.store_result('ttp_results', ttp_results)
+        self.store_result('success_rate', success_count / total_count if total_count > 0 else 0)
+        
+        # Update context
+        context[f'ttp_results_{self.ttp.name}'] = ttp_results
+        context['last_ttp_success_count'] = success_count
+        
+        # Determine action success based on expected result
+        has_successes = success_count > 0
+        
+        if self.expected_result:
+            # Expecting TTP to find vulnerabilities/succeed
+            return has_successes
+        else:
+            # Expecting TTP to fail (security controls working)
+            return not has_successes
 
 
 class AssertAction(Action):

scythe/ttps/web/login_bruteforce.py

@@ -1,6 +1,8 @@
 from selenium.webdriver.common.by import By
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.common.exceptions import NoSuchElementException
+from typing import Dict, Any, Optional
+import requests
 
 from ...core.ttp import TTP
 from ...payloads.generators import PayloadGenerator
@@ -8,27 +10,65 @@ from ...payloads.generators import PayloadGenerator
 class LoginBruteforceTTP(TTP):
     """
     A TTP that emulates a login bruteforce attack.
+    
+    Supports two execution modes:
+    - UI mode: Uses Selenium to fill login forms
+    - API mode: Makes direct HTTP POST requests to login endpoints
     """
     def __init__(self,
                  payload_generator: PayloadGenerator,
                  username: str,
-                 username_selector: str,
-                 password_selector: str,
-                 submit_selector: str,
+                 username_selector: str = None,
+                 password_selector: str = None,
+                 submit_selector: str = None,
                  expected_result: bool = True,
-                 authentication=None):
-
+                 authentication=None,
+                 execution_mode: str = 'ui',
+                 api_endpoint: Optional[str] = None,
+                 username_field: str = 'username',
+                 password_field: str = 'password',
+                 success_indicators: Optional[Dict[str, Any]] = None):
+        """
+        Initialize the Login Bruteforce TTP.
+        
+        Args:
+            payload_generator: Generator that yields password payloads
+            username: Username to attempt login with
+            username_selector: CSS selector for username field (UI mode)
+            password_selector: CSS selector for password field (UI mode)
+            submit_selector: CSS selector for submit button (UI mode)
+            expected_result: Whether we expect to find a valid password
+            authentication: Optional authentication to perform before testing
+            execution_mode: 'ui' or 'api'
+            api_endpoint: API endpoint path for login (API mode, e.g., '/api/auth/login')
+            username_field: Field name for username in API request body (API mode)
+            password_field: Field name for password in API request body (API mode)
+            success_indicators: Dict with keys 'status_code' (int), 'response_contains' (str),
+                              'response_not_contains' (str) to determine successful login in API mode
+        """
         super().__init__(
             name="Login Bruteforce",
             description="Attempts to guess a user's password using a list of payloads.",
             expected_result=expected_result,
-            authentication=authentication
+            authentication=authentication,
+            execution_mode=execution_mode
         )
         self.payload_generator = payload_generator
         self.username = username
+        
+        # UI mode fields
         self.username_selector = username_selector
         self.password_selector = password_selector
         self.submit_selector = submit_selector
+        
+        # API mode fields
+        self.api_endpoint = api_endpoint
+        self.username_field = username_field
+        self.password_field = password_field
+        self.success_indicators = success_indicators or {
+            'status_code': 200,
+            'response_not_contains': 'invalid'
+        }
 
     def get_payloads(self):
         """Yields passwords from the configured generator."""
@@ -58,7 +98,98 @@ class LoginBruteforceTTP(TTP):
 
     def verify_result(self, driver: WebDriver) -> bool:
         """
-        Checks for indicators of a successful login.
+        Checks for indicators of a successful login in UI mode.
         A simple check is if the URL no longer contains 'login'.
         """
         return "login" not in driver.current_url.lower()
+    
+    def execute_step_api(self, session: requests.Session, payload: str, context: Dict[str, Any]) -> requests.Response:
+        """
+        Executes a login attempt via API request.
+        
+        Args:
+            session: requests.Session for making HTTP requests
+            payload: The password to attempt
+            context: Shared context dictionary
+            
+        Returns:
+            requests.Response from the login attempt
+        """
+        from urllib.parse import urljoin
+        
+        # Build the full URL
+        base_url = context.get('target_url', '')
+        if not base_url:
+            raise ValueError("target_url must be set in context for API mode")
+        
+        url = urljoin(base_url, self.api_endpoint or '/login')
+        
+        # Build request body
+        body = {
+            self.username_field: self.username,
+            self.password_field: payload
+        }
+        
+        # Merge auth headers from context
+        headers = {}
+        auth_headers = context.get('auth_headers', {})
+        if auth_headers:
+            headers.update(auth_headers)
+        
+        # Honor rate limiting
+        import time
+        resume_at = context.get('rate_limit_resume_at')
+        now = time.time()
+        if isinstance(resume_at, (int, float)) and resume_at > now:
+            wait_s = min(resume_at - now, 30)
+            if wait_s > 0:
+                time.sleep(wait_s)
+        
+        # Make the request
+        response = session.post(url, json=body, headers=headers or None, timeout=10.0)
+        
+        # Handle rate limiting
+        if response.status_code == 429:
+            retry_after = response.headers.get('Retry-After', '1')
+            try:
+                wait_s = int(retry_after)
+            except (ValueError, TypeError):
+                wait_s = 1
+            context['rate_limit_resume_at'] = time.time() + min(wait_s, 30)
+        
+        return response
+    
+    def verify_result_api(self, response: requests.Response, context: Dict[str, Any]) -> bool:
+        """
+        Verifies if the login attempt was successful based on the API response.
+        
+        Args:
+            response: The response from execute_step_api
+            context: Shared context dictionary
+            
+        Returns:
+            True if login appears successful, False otherwise
+        """
+        # Check status code
+        expected_status = self.success_indicators.get('status_code')
+        if expected_status is not None and response.status_code != expected_status:
+            return False
+        
+        # Check response body contains/not contains strings
+        try:
+            response_text = response.text.lower()
+            
+            # Check if response should contain certain text
+            contains = self.success_indicators.get('response_contains')
+            if contains and contains.lower() not in response_text:
+                return False
+            
+            # Check if response should NOT contain certain text
+            not_contains = self.success_indicators.get('response_not_contains')
+            if not_contains and not_contains.lower() in response_text:
+                return False
+            
+            return True
+        except Exception:
+            # If we can't read the response, consider it a failure
+            return False

scythe/ttps/web/sql_injection.py

@@ -1,28 +1,65 @@
 from selenium.webdriver.common.by import By
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.common.exceptions import NoSuchElementException
+from typing import Dict, Any, Optional
+import requests
+
 from ...core.ttp import TTP
 from ...payloads.generators import PayloadGenerator
 
 class InputFieldInjector(TTP):
+    """
+    SQL Injection TTP that tests input fields for SQL injection vulnerabilities.
+    
+    Supports two execution modes:
+    - UI mode: Fills form fields with SQL payloads
+    - API mode: Sends SQL payloads in API request body fields
+    """
     def __init__(self,
-                 target_url: str,
-                 field_selector: str,
-                 submit_selector: str,
-                 payload_generator: PayloadGenerator,
+                 target_url: str = None,
+                 field_selector: str = None,
+                 submit_selector: str = None,
+                 payload_generator: PayloadGenerator = None,
                  expected_result: bool = True,
-                 authentication=None):
-
+                 authentication=None,
+                 execution_mode: str = 'ui',
+                 api_endpoint: Optional[str] = None,
+                 injection_field: str = 'query',
+                 http_method: str = 'POST'):
+        """
+        Initialize the SQL Injection TTP.
+        
+        Args:
+            target_url: Target URL (UI mode)
+            field_selector: CSS/tag selector for input field (UI mode)
+            submit_selector: CSS selector for submit button (UI mode)
+            payload_generator: Generator that yields SQL injection payloads
+            expected_result: Whether we expect to find SQL injection vulnerabilities
+            authentication: Optional authentication
+            execution_mode: 'ui' or 'api'
+            api_endpoint: API endpoint path (API mode, e.g., '/api/search')
+            injection_field: Field name to inject SQL payload into (API mode)
+            http_method: HTTP method to use (API mode) - 'POST' or 'GET'
+        """
         super().__init__(
-            name="SQL Injection via URL manipulation", 
-            description="simulate an sql Injection by manipulation of url queries",
+            name="SQL Injection via Input Field", 
+            description="Simulate SQL injection by injecting payloads into input fields",
             expected_result=expected_result,
-            authentication=authentication)
+            authentication=authentication,
+            execution_mode=execution_mode)
 
+        # UI mode fields
         self.target_url = target_url
         self.field_selector = field_selector
-        self.payload_generator = payload_generator
         self.submit_selector = submit_selector
+        
+        # Common fields
+        self.payload_generator = payload_generator
+        
+        # API mode fields
+        self.api_endpoint = api_endpoint
+        self.injection_field = injection_field
+        self.http_method = http_method.upper()
 
     def get_payloads(self):
         """yields queries from the configured generator"""
@@ -51,30 +88,210 @@ class InputFieldInjector(TTP):
 
 
     def verify_result(self, driver: WebDriver) -> bool:
+        """Checks for SQL error indicators in the page source (UI mode)."""
         return "sql" in driver.page_source.lower() or \
                "source" in driver.page_source.lower()
+    
+    def execute_step_api(self, session: requests.Session, payload: str, context: Dict[str, Any]) -> requests.Response:
+        """
+        Executes a SQL injection attempt via API request.
+        
+        Args:
+            session: requests.Session for making HTTP requests
+            payload: The SQL injection payload to test
+            context: Shared context dictionary
+            
+        Returns:
+            requests.Response from the injection attempt
+        """
+        from urllib.parse import urljoin
+        
+        # Build the full URL
+        base_url = context.get('target_url', '')
+        if not base_url:
+            raise ValueError("target_url must be set in context for API mode")
+        
+        url = urljoin(base_url, self.api_endpoint or '/search')
+        
+        # Merge auth headers from context
+        headers = {}
+        auth_headers = context.get('auth_headers', {})
+        if auth_headers:
+            headers.update(auth_headers)
+        
+        # Honor rate limiting
+        import time
+        resume_at = context.get('rate_limit_resume_at')
+        now = time.time()
+        if isinstance(resume_at, (int, float)) and resume_at > now:
+            wait_s = min(resume_at - now, 30)
+            if wait_s > 0:
+                time.sleep(wait_s)
+        
+        # Make the request based on HTTP method
+        if self.http_method == 'GET':
+            # For GET, put payload in query params
+            response = session.get(url, params={self.injection_field: payload}, headers=headers or None, timeout=10.0)
+        else:
+            # For POST/PUT/etc, put payload in JSON body
+            body = {self.injection_field: payload}
+            response = session.request(self.http_method, url, json=body, headers=headers or None, timeout=10.0)
+        
+        # Handle rate limiting
+        if response.status_code == 429:
+            retry_after = response.headers.get('Retry-After', '1')
+            try:
+                wait_s = int(retry_after)
+            except (ValueError, TypeError):
+                wait_s = 1
+            context['rate_limit_resume_at'] = time.time() + min(wait_s, 30)
+        
+        return response
+    
+    def verify_result_api(self, response: requests.Response, context: Dict[str, Any]) -> bool:
+        """
+        Verifies if the SQL injection attempt triggered a vulnerability.
+        
+        Args:
+            response: The response from execute_step_api
+            context: Shared context dictionary
+            
+        Returns:
+            True if SQL error indicators found, False otherwise
+        """
+        try:
+            response_text = response.text.lower()
+            # Common SQL error indicators
+            sql_indicators = [
+                'sql', 'syntax', 'mysql', 'sqlite', 'postgresql', 'oracle',
+                'odbc', 'jdbc', 'driver', 'database', 'query', 'syntax error',
+                'unterminated', 'unexpected', 'warning: mysql'
+            ]
+            return any(indicator in response_text for indicator in sql_indicators)
+        except Exception:
+            return False
 
 
 class URLManipulation(TTP):
+    """
+    SQL Injection TTP that tests URL query parameters for SQL injection vulnerabilities.
+    
+    Supports two execution modes:
+    - UI mode: Navigates to URLs with SQL payloads in query parameters
+    - API mode: Sends GET requests with SQL payloads in query parameters
+    """
     def __init__(self,
                  payload_generator: PayloadGenerator,
-                 target_url: str,
+                 target_url: str = None,
                  expected_result: bool = True,
-                 authentication=None):
+                 authentication=None,
+                 execution_mode: str = 'ui',
+                 api_endpoint: Optional[str] = None,
+                 query_param: str = 'q'):
+        """
+        Initialize the URL Manipulation SQL Injection TTP.
+        
+        Args:
+            payload_generator: Generator that yields SQL injection payloads
+            target_url: Target URL (UI mode)
+            expected_result: Whether we expect to find SQL injection vulnerabilities
+            authentication: Optional authentication
+            execution_mode: 'ui' or 'api'
+            api_endpoint: API endpoint path (API mode, e.g., '/api/search')
+            query_param: Query parameter name to inject into (default: 'q')
+        """
         super().__init__(
             name="SQL Injection via URL manipulation", 
-            description="simulate an sql Injection by manipulation of url queries",
+            description="Simulate SQL injection by manipulating URL query parameters",
             expected_result=expected_result,
-            authentication=authentication)
+            authentication=authentication,
+            execution_mode=execution_mode)
         self.target_url = target_url
         self.payload_generator = payload_generator
+        self.api_endpoint = api_endpoint
+        self.query_param = query_param
 
     def get_payloads(self):
         yield from self.payload_generator()
 
     def execute_step(self, driver: WebDriver, payload: str):
-        driver.get(f"{self.target_url}?q={payload}")
+        """Execute SQL injection via URL manipulation in UI mode."""
+        driver.get(f"{self.target_url}?{self.query_param}={payload}")
 
     def verify_result(self, driver: WebDriver) -> bool:
+        """Check for SQL error indicators in UI mode."""
         return "sql" in driver.page_source.lower() or \
                "source" in driver.page_source.lower()
+    
+    def execute_step_api(self, session: requests.Session, payload: str, context: Dict[str, Any]) -> requests.Response:
+        """
+        Executes a SQL injection attempt via API request with query parameters.
+        
+        Args:
+            session: requests.Session for making HTTP requests
+            payload: The SQL injection payload to test
+            context: Shared context dictionary
+            
+        Returns:
+            requests.Response from the injection attempt
+        """
+        from urllib.parse import urljoin
+        
+        # Build the full URL
+        base_url = context.get('target_url', '')
+        if not base_url:
+            raise ValueError("target_url must be set in context for API mode")
+        
+        url = urljoin(base_url, self.api_endpoint or self.target_url or '/')
+        
+        # Merge auth headers from context
+        headers = {}
+        auth_headers = context.get('auth_headers', {})
+        if auth_headers:
+            headers.update(auth_headers)
+        
+        # Honor rate limiting
+        import time
+        resume_at = context.get('rate_limit_resume_at')
+        now = time.time()
+        if isinstance(resume_at, (int, float)) and resume_at > now:
+            wait_s = min(resume_at - now, 30)
+            if wait_s > 0:
+                time.sleep(wait_s)
+        
+        # Make GET request with payload in query param
+        response = session.get(url, params={self.query_param: payload}, headers=headers or None, timeout=10.0)
+        
+        # Handle rate limiting
+        if response.status_code == 429:
+            retry_after = response.headers.get('Retry-After', '1')
+            try:
+                wait_s = int(retry_after)
+            except (ValueError, TypeError):
+                wait_s = 1
+            context['rate_limit_resume_at'] = time.time() + min(wait_s, 30)
+        
+        return response
+    
+    def verify_result_api(self, response: requests.Response, context: Dict[str, Any]) -> bool:
+        """
+        Verifies if the SQL injection attempt triggered a vulnerability.
+        
+        Args:
+            response: The response from execute_step_api
+            context: Shared context dictionary
+            
+        Returns:
+            True if SQL error indicators found, False otherwise
+        """
+        try:
+            response_text = response.text.lower()
+            # Common SQL error indicators
+            sql_indicators = [
+                'sql', 'syntax', 'mysql', 'sqlite', 'postgresql', 'oracle',
+                'odbc', 'jdbc', 'driver', 'database', 'query', 'syntax error',
+                'unterminated', 'unexpected', 'warning: mysql'
+            ]
+            return any(indicator in response_text for indicator in sql_indicators)
+        except Exception:
+            return False

{scythe_ttp-0.17.1.dist-info → scythe_ttp-0.17.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scythe-ttp
-Version: 0.17.1
+Version: 0.17.3
 Summary: An extensible framework for emulating attacker TTPs with Selenium.
 Author-email: EpykLab <cyber@epyklab.com>
 Classifier: Programming Language :: Python :: 3

{scythe_ttp-0.17.1.dist-info → scythe_ttp-0.17.3.dist-info}/RECORD

@@ -13,11 +13,11 @@ scythe/behaviors/stealth.py,sha256=xv7MrPQgRCdCUJyYTcXV2aasWZoAw8rAQWg-AuQVb7U,1
 scythe/cli/__init__.py,sha256=9EVxmFiWsAoqWJ6br1bc3BxlA71JyOQP28fUHhX2k7E,43
 scythe/cli/main.py,sha256=DFvOB39tX4FeiOxitJwXfq28J13GjewBZ9gOA_0HOjI,26003
 scythe/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-scythe/core/executor.py,sha256=C3FkW-DNugv82T0_ky-3zAvHV_hFwVSHrX2nzgAcmAI,10588
+scythe/core/executor.py,sha256=FTuhvWiNOsN1LZ4scEsVGDXx9D3yF3tiAoDt-HW2QRI,16038
 scythe/core/headers.py,sha256=AokCQ3F5QGUcfoK7iO57hA1HHL4IznZeWV464_MqYcE,16670
-scythe/core/ttp.py,sha256=Xw9GgptYsjZ-pMLdyPv64bhiwGKobrXHdF32pjIY7OU,3102
+scythe/core/ttp.py,sha256=tEYIhDdr8kcwQrlcfVmdeLFiAfOvc0BhPOVxPh8TiWo,5676
 scythe/journeys/__init__.py,sha256=Odi8NhRg7Hefmo1EJj1guakrCSPhsuus4i-_62uUUjs,654
-scythe/journeys/actions.py,sha256=k9WjfGR1nhJWyhDU_lHr7vFy5qAl7hyyV6kCL7ZQRMo,37479
+scythe/journeys/actions.py,sha256=URr53p1GQxSIBZo0IubchQ1dlfvnPHgCtmkRfLSoi7A,40333
 scythe/journeys/base.py,sha256=vXIgEnSW__iYTriBbuMG4l_XCM96xojJH_fyFScKoBY,24969
 scythe/journeys/executor.py,sha256=uJkjO3PALSLZh3IOSxgX18gRJX_Bck3gW9OClusiQeE,24949
 scythe/orchestrators/__init__.py,sha256=_vemcXjKbB1jI0F2dPA0F1zNsyUekjcXImLDUDhWDN0,560
@@ -29,12 +29,12 @@ scythe/payloads/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 scythe/payloads/generators.py,sha256=tCcJULoFnUppgaiFhYq5f20OoQxTdKKIb2O-Ntby9ZM,914
 scythe/ttps/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 scythe/ttps/web/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-scythe/ttps/web/login_bruteforce.py,sha256=D4G8zB_nU9LD5w3Vv2ABTuOl4XTeg2BgZwYMObt4JJw,2488
-scythe/ttps/web/sql_injection.py,sha256=aWk4DFePbtFDsieOOj03Ux-5OiykyOs2_d_3SvWMOVE,2910
+scythe/ttps/web/login_bruteforce.py,sha256=ybmN2Vl9-p58YbOchirY1193GvlaTmUTW1qlluN_l3I,7816
+scythe/ttps/web/sql_injection.py,sha256=rIRHaRUilSrMA5q5MO1RqR6-TM_fRIiCanPaFz5wKKs,11712
 scythe/ttps/web/uuid_guessing.py,sha256=JwNt_9HVynMWFPPU6UGJFcpxvMVDsvc_wAnJVtcYbps,1235
-scythe_ttp-0.17.1.dist-info/licenses/LICENSE,sha256=B7iB4Fv6zDQolC7IgqNF8F4GEp_DLe2jrPPuR_MYMOM,1064
-scythe_ttp-0.17.1.dist-info/METADATA,sha256=bZTf4pApqa3-NNPv6PkktiBPKSgiOOhjv0a7DJmn7To,30188
-scythe_ttp-0.17.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-scythe_ttp-0.17.1.dist-info/entry_points.txt,sha256=rAAsFBcCm0OX3I4uRyclfx4YJGoTuumZKY43HN7R5Ro,48
-scythe_ttp-0.17.1.dist-info/top_level.txt,sha256=BCKTrPuVvmLyhOR07C1ggOh6sU7g2LoVvwDMn46O55Y,7
-scythe_ttp-0.17.1.dist-info/RECORD,,
+scythe_ttp-0.17.3.dist-info/licenses/LICENSE,sha256=B7iB4Fv6zDQolC7IgqNF8F4GEp_DLe2jrPPuR_MYMOM,1064
+scythe_ttp-0.17.3.dist-info/METADATA,sha256=VEyrEx7ZfhrAx3hn_F1lXV5XkYjxkLE4bV-M65inP1s,30188
+scythe_ttp-0.17.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+scythe_ttp-0.17.3.dist-info/entry_points.txt,sha256=rAAsFBcCm0OX3I4uRyclfx4YJGoTuumZKY43HN7R5Ro,48
+scythe_ttp-0.17.3.dist-info/top_level.txt,sha256=BCKTrPuVvmLyhOR07C1ggOh6sU7g2LoVvwDMn46O55Y,7
+scythe_ttp-0.17.3.dist-info/RECORD,,