From d505ac42b62b8f9a503f57bdd82beda326202416 Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Wed, 17 Jul 2024 16:47:15 -0400
Subject: [PATCH 1/5] feat: highlight easy param miner requests

---
 .../HTTP/HighlightParamMinerTargets.bambda | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda

diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
new file mode 100644
index 0000000..4903f34
--- /dev/null
+++ b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
@@ -0,0 +1,33 @@
+/**
+ * Filters non-empty 200 response classes
+ *
+ * // Use `cat your-oas-api-spec-doc.json | jq -r '.components.schemas.[].properties? | keys? | .[]' | sort -u > json-wordlist.txt` to create a wordlist prior to attacking endpoints with paramminer
+ *
+ * @author GangGreenTemperTatum (https://github.com/GangGreenTemperTatum)
+ **/
+
+var configNoFilter = false; // if set to false, won't show JS, GIF, JPG, PNG, CSS.
+var configInScopeOnly = true; // if set to true, won't show out-of-scope items
+var request = requestResponse.request(); // create a var for request
+var response = requestResponse.response(); // create a var for response
+
+if (configInScopeOnly && !request.isInScope()) {
+ return false;
+}
+
+if (response == null || !response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS)) {
+ return false; // return only status codes of 2xx
+}
+
+// verify that the request is a POST, PUT, or PATCH
+if (!requestResponse.hasResponse() || request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
+ // verify that the response is json
+ var contentType = response.headerValue("Content-Type");
+
+ // verify the content-type is json
+ if (contentType != null && contentType.contains("application/json")) {
+ return true;
+ }
+}
+
+return false; // This line ensures the method returns a boolean value
\ No newline at end of file

From 9d6c7e3acf36067b9a9dea1cf6cbaae433e28154 Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 18 Jul 2024 07:22:51 -0400
Subject: [PATCH 2/5] feat: exclude mime types

---
 .../HTTP/HighlightParamMinerTargets.bambda | 74 ++++++++++++-------
 1 file changed, 49 insertions(+), 25 deletions(-)

diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
index 4903f34..92caa5b 100644
--- a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
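Review bot: The `contentType.contains("application/json")` test near the end of the new block is a case-sensitive substring match, so responses typed `Application/JSON`, `application/problem+json` or `application/vnd.api+json` are silently dropped even though they are JSON. Normalising first and accepting the structured-syntax suffix covers them: `var ct = contentType.toLowerCase();` followed by `if (ct.contains("application/json") || ct.contains("+json")) {`. Separately, `configNoFilter` is declared with an explanatory comment but never read in this version, and the `!requestResponse.hasResponse() ||` disjunct in the method check cannot be true once `response == null` has already returned above (patch 5 of this series removes it). The `isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS)` guard is wider than the header comment's "200 response classes" suggests; the comment could say 2xx.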
+++ b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda 
@@ -6,28 +6,52 @@
 * @author GangGreenTemperTatum (https://github.com/GangGreenTemperTatum)
 **/
-var configNoFilter = false; // if set to false, won't show JS, GIF, JPG, PNG, CSS.
-var configInScopeOnly = true; // if set to true, won't show out-of-scope items
-var request = requestResponse.request(); // create a var for request
-var response = requestResponse.response(); // create a var for response
-
-if (configInScopeOnly && !request.isInScope()) {
- return false;
-}
-
-if (response == null || !response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS)) {
- return false; // return only status codes of 2xx
-}
-
-// verify that the request is a POST, PUT, or PATCH
-if (!requestResponse.hasResponse() || request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
- // verify that the response is json
- var contentType = response.headerValue("Content-Type");
-
- // verify the content-type is json
- if (contentType != null && contentType.contains("application/json")) {
- return true;
- }
-}
-
-return false; // This line ensures the method returns a boolean value
\ No newline at end of file
+ var configNoFilter = false; // if set to false, won't show JS, GIF, JPG, PNG, CSS.
+ var configInScopeOnly = true; // if set to true, won't show out-of-scope items
+ var request = requestResponse.request(); // create a var for request
+ var response = requestResponse.response(); // create a var for response
+
+ // Early return conditions
+ if (configInScopeOnly && !request.isInScope()) {
+ return false;
+ }
+
+ if (response == null || !response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS)) {
+ return false; // return only status codes of 2xx
+ }
+
+ // Process path and mimeType for filtering
+ var path = request.pathWithoutQuery().toLowerCase();
+ var mimeType = requestResponse.mimeType();
+ var filterDenyList = mimeType != MimeType.CSS
+ && mimeType != MimeType.IMAGE_UNKNOWN
+ && mimeType != MimeType.IMAGE_JPEG
+ && mimeType != MimeType.IMAGE_GIF
+ && mimeType != MimeType.IMAGE_PNG
+ && mimeType != MimeType.IMAGE_BMP
+ && mimeType != MimeType.IMAGE_TIFF
+ && mimeType != MimeType.UNRECOGNIZED
+ && mimeType != MimeType.SOUND
+ && mimeType != MimeType.VIDEO
+ && mimeType != MimeType.FONT_WOFF
+ && mimeType != MimeType.FONT_WOFF2
+ && mimeType != MimeType.APPLICATION_UNKNOWN
+ && !path.endsWith(".js")
+ && !path.endsWith(".gif")
+ && !path.endsWith(".jpg")
+ && !path.endsWith(".png")
+ && !path.endsWith(".css");
+
+ // If filtering is not applied or the deny list conditions are met, proceed to check content type
+ if (configNoFilter || filterDenyList) {
+ // verify that the request is a POST, PUT, or PATCH and that the response is json
+ if (!requestResponse.hasResponse() || request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
+ var contentType = response.headerValue("Content-Type");
+ // verify the content-type is json
+ if (contentType != null && contentType.contains("application/json")) {
+ return true;
+ }
+ }
+ }
+
+ return false; // Ensure method returns a boolean in all cases
\ No newline at end of file

From 58f901c2ac28c2fb698523429bc4076d224fa8a1 Mon Sep 17 00:00:00 2001
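Review bot: `filterDenyList` is `true` when the item is *not* on the deny list, so the condition `if (configNoFilter || filterDenyList)` reads inverted; a name such as `passesDenyList` would make it self-explanatory. The eighteen-term chain is also largely redundant with the `Content-Type` test that follows: a response whose header contains `application/json` will not be carrying a CSS, image, font or media MIME type, so the chain's only observable effect is to exclude JSON responses that Burp classified as `UNRECOGNIZED`/`APPLICATION_UNKNOWN` or that are served from a `.js`-style path — if that is intended, say so in the comment above `var filterDenyList`; if not, the chain can go. If the goal is simply "JSON responses", `requestResponse.mimeType() == MimeType.JSON` (the Montoya `MimeType` enum exposes a `JSON` constant) would replace both the chain and the header substring check. Note also that the chain is evaluated even when `configNoFilter` is `true`, and `path.toLowerCase()` uses the default locale; `toLowerCase(Locale.ROOT)` is the locale-independent form if `java.util.Locale` is reachable from a Bambda.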
From: GangGreenTemperTatum <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Thu, 18 Jul 2024 07:25:06 -0400
Subject: [PATCH 3/5] docs: tidy up intro comments

---
 Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
index 92caa5b..c9ff5e8 100644
--- a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
+++ b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
@@ -1,7 +1,7 @@
 /**
- * Filters non-empty 200 response classes
+ * Filters non-empty 200 json-based response classes which can be used to find easy routes to attack with the paramminer guess json params and a custom wordlist, ie:
 *
- * // Use `cat your-oas-api-spec-doc.json | jq -r '.components.schemas.[].properties? | keys? | .[]' | sort -u > json-wordlist.txt` to create a wordlist prior to attacking endpoints with paramminer
+ // $ cat your-oas-api-spec-doc.json | jq -r '.components.schemas.[].properties? | keys? | .[]' | sort -u > json-wordlist.txt
 *
 * @author GangGreenTemperTatum (https://github.com/GangGreenTemperTatum)
 **/

From 285d97bfad96580260331c5c0ebf8f81e33deeb0 Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Fri, 19 Jul 2024 07:46:10 -0400
Subject: [PATCH 4/5] chore: single early return tidy code feedback

---
 .../HTTP/HighlightParamMinerTargets.bambda | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
index c9ff5e8..ec5b121 100644
--- a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
+++ b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
@@ -8,17 +8,14 @@
 var configNoFilter = false; // if set to false, won't show JS, GIF, JPG, PNG, CSS.
 var configInScopeOnly = true; // if set to true, won't show out-of-scope items
- var request = requestResponse.request(); // create a var for request
- var response = requestResponse.response(); // create a var for response
-
- // Early return conditions
- if (configInScopeOnly && !request.isInScope()) {
- return false;
- }
-
- if (response == null || !response.isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS)) {
- return false; // return only status codes of 2xx
- }
+
+ if (!requestResponse.hasResponse() || (configInScopeOnly && !requestResponse.request().isInScope()) || !requestResponse.response().isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS))
+{
+ return false;
+}
+
+var request = requestResponse.request();
+var response = requestResponse.response();
 // Process path and mimeType for filtering
 var path = request.pathWithoutQuery().toLowerCase();

From 002c0b694a4334a8a8a24a5db1f5817f3586134c Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Fri, 19 Jul 2024 08:05:18 -0400
Subject: [PATCH 5/5] chore: rm redundant code has response earlier clause

---
 Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
index ec5b121..7557a40 100644
--- a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
+++ b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
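Review bot: The rewritten guard puts `{` on its own line at column 0 and drops the indentation of `return false;` and the two `var` declarations, while the context lines around it (` var configNoFilter`, ` // Process path`) keep the file's one-space indent and K&R braces, so the body now mixes two layouts. Keeping the brace on the `if` line and breaking the condition into one `||` term per line would restore consistency and make each exit reason scannable; the comments the old version carried (`// Early return conditions`, `// return only status codes of 2xx`) are gone, so a line such as `return false; // only in-scope requests with a 2xx response are candidates` would preserve that intent. Placing `!requestResponse.hasResponse()` first is what keeps the later `requestResponse.response().isStatusCodeClass(...)` call safe through short-circuit evaluation; since this replaces the explicit `response == null` test, a short comment saying so would help the next reader. The remainder of the filter body continues outside the hunk.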
@@ -42,7 +42,7 @@ var response = requestResponse.response();
 // If filtering is not applied or the deny list conditions are met, proceed to check content type
 if (configNoFilter || filterDenyList) {
 // verify that the request is a POST, PUT, or PATCH and that the response is json
- if (!requestResponse.hasResponse() || request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
+ if (request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
 var contentType = response.headerValue("Content-Type");
 // verify the content-type is json
 if (contentType != null && contentType.contains("application/json")) {
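Review bot: The comment directly above the changed line still reads "verify that the request is a POST, PUT, or PATCH and that the response is json", but the line now checks only the method and the JSON test sits two lines lower, so the comment should be split or moved next to the `contentType` check. As a point of style, the three `equals` calls could become `Set.of("POST", "PATCH", "PUT").contains(request.method())`, which is one term and easier to extend, assuming `java.util.Set` is in scope for Bambdas in your Burp version. Dropping the `!requestResponse.hasResponse() ||` disjunct is consistent with the early return introduced in the previous patch, since a missing response can no longer reach this point.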