From e49e7d8863dd0a33ad729896f2031af04a690768 Mon Sep 17 00:00:00 2001 From: flamebarke <39644720+flamebarke@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:01:13 +1100 Subject: [PATCH 1/4] Add FilterHighlightAnnotateOWASP.bambda --- .../HTTP/FilterHighlightAnnotateOWASP.bambda | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda diff --git a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda new file mode 100644 index 0000000..39a7428 --- /dev/null +++ b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda 
@@ -0,0 +1,99 @@ +/** +* @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda) +* Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25 +* using the parameter arrays written by Tur24Tur / BugBountyzip (https://github.com/BugBountyzip). +* This version includes colour highlighting for each class of vulnerability along with +* automatic note annotations detailing the parameter to test and class of vulnerability. +**/ + +// Vulnerable parameters +String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="}; +String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class=", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="}; +String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="}; +String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path=", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="}; +String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="}; +String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code=", "reg=", "do=", "func=", "arg=", "option=", "load=", "process=", 
"step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="}; + +boolean manualColorHighlightEnabled = true; + +// All parameters and arrays +String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams}; +String[] arrayNames = {"SSRF", "SQL", "XSS", "LFI", "OR", "RCE"}; + +// Highlight colours (SSRF/GREEN, SQL/BLUE, XSS/ORANGE, LFI/YELLOW, OR/PINK, RCE/RED) +HighlightColor[] highlightColors = { + HighlightColor.GREEN, + HighlightColor.BLUE, + HighlightColor.ORANGE, + HighlightColor.YELLOW, + HighlightColor.PINK, + HighlightColor.RED +}; + +Map paramColors = new HashMap<>(); + +for (int i = 0; i < allParams.length; i++) { + String[] paramArray = allParams[i]; + HighlightColor color = highlightColors[i % highlightColors.length]; + for (String param : paramArray) { + paramColors.put(param, color); + } +} + +Map firstParamColorMap = new HashMap<>(); +Set foundParams = new HashSet<>(); +boolean multiColorDetected = false; +String inputParam = ""; + +if (requestResponse.request().url() != null) { + String requestUrl = requestResponse.request().url().toString(); + String requestBody = requestResponse.request().bodyToString(); + + int queryStart = requestUrl.indexOf("?"); + String queryString = ""; + if (queryStart != -1 && queryStart < requestUrl.length() - 1) { + queryString = requestUrl.substring(queryStart + 1); + } + + String[] allInputParams = (queryString + "&" + requestBody).split("&"); + // If multiple vulnerable parameters classes apply highlight the request in magenta + HighlightColor multipleVulnColor = HighlightColor.MAGENTA; + + for (String tempParam : allInputParams) { + for (int i = 0; i < allParams.length; i++) { + for (String param : allParams[i]) { + if (tempParam.startsWith(param)) { + inputParam = tempParam; + String arrayName = arrayNames[i]; + HighlightColor color = highlightColors[i % highlightColors.length]; + + if (manualColorHighlightEnabled) { + if (!firstParamColorMap.containsKey(inputParam)) { + 
firstParamColorMap.put(inputParam, color); + } else if (!firstParamColorMap.get(inputParam).equals(color)) { + multiColorDetected = true; + } + + foundParams.add(arrayName + ": " + inputParam); + } + } + } + } + } + + if (!foundParams.isEmpty()) { + StringBuilder combinedNotes = new StringBuilder(); + HighlightColor highlightColor = multiColorDetected ? multipleVulnColor : firstParamColorMap.get(inputParam); + requestResponse.annotations().setHighlightColor(highlightColor); + + for (String param : foundParams) { + if (combinedNotes.length() != 0) { + combinedNotes.append(", "); + } + combinedNotes.append(param); + } + requestResponse.annotations().setNotes(combinedNotes.toString()); + return true; + } +} +return false; From e48b580b828ae7225ffd50d77432ca72115fad17 Mon Sep 17 00:00:00 2001 From: flamebarke <39644720+flamebarke@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:03:34 +1100 Subject: [PATCH 2/4] Update FilterHighlightAnnotateOWASP.bambda --- Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda index 39a7428..85c9b81 100644 --- a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda +++ b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda @@ -2,7 +2,7 @@ * @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda) * Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25 * using the parameter arrays written by Tur24Tur / BugBountyzip (https://github.com/BugBountyzip). -* This version includes colour highlighting for each class of vulnerability along with +* Implements colour highlighting for each class of vulnerability along with * automatic note annotations detailing the parameter to test and class of vulnerability. **/ From 19248c8bda2b76af947729a6aa005c5da19e12b0 Mon Sep 17 00:00:00 2001 
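Review bot: In the PATCH 1/4 hunk, `foundParams.add(arrayName + ": " + inputParam);` sits inside `if (manualColorHighlightEnabled)`, so setting that flag to false leaves `foundParams` empty and the filter returns false for every request. Moving the `add` call out of the flag check would keep the filter working with highlighting off. The highlight colour also only becomes `multipleVulnColor` when the same `name=value` string matches two groups. A request carrying `cmd=` and `cat=` (one group each) is coloured by whichever parameter matched last, which contradicts the comment about multiple classes. `"redirect_uri"` in `orParams` lacks the trailing `=` that every other entry has, so `startsWith` also matches longer parameter names there.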
From: flamebarke <39644720+flamebarke@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:32:09 +1100 Subject: [PATCH 3/4] Update FilterHighlightAnnotateOWASP.bambda --- .../HTTP/FilterHighlightAnnotateOWASP.bambda | 123 +++++++----------- 1 file changed, 44 insertions(+), 79 deletions(-) diff --git a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda index 85c9b81..14189e7 100644 --- a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda +++ b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda 
@@ -1,99 +1,64 @@ /** -* @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda) * Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25 * using the parameter arrays written by Tur24Tur / BugBountyzip (https://github.com/BugBountyzip). +* @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda) * Implements colour highlighting for each class of vulnerability along with * automatic note annotations detailing the parameter to test and class of vulnerability. **/ -// Vulnerable parameters -String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="}; -String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class=", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="}; -String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="}; -String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path=", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="}; -String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="}; -String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code=", "reg=", 
"do=", "func=", "arg=", "option=", "load=", "process=", "step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="}; - -boolean manualColorHighlightEnabled = true; +// Define vulnerable parameter group record +record VulnParamGroup(String title, HighlightColor color, String... parameterNames) {} -// All parameters and arrays -String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams}; -String[] arrayNames = {"SSRF", "SQL", "XSS", "LFI", "OR", "RCE"}; +// Vulnerable Parameter Groups +VulnParamGroup ssrf = new VulnParamGroup("SSRF", HighlightColor.GREEN, "dest", "redirect", "uri", "path", "continue", "url", "window", "next", "data", "reference", "site", "html", "val", "validate", "domain", "callback", "return", "page", "feed", "host", "port", "to", "out", "view", "dir"); +VulnParamGroup sql = new VulnParamGroup("SQL Injection", HighlightColor.BLUE, "id", "page", "report", "dir", "search", "category", "file", "class", "url", "news", "item", "menu", "lang", "name", "ref", "title", "view", "topic", "thread", "type", "date", "form", "main", "nav", "region"); +VulnParamGroup xss = new VulnParamGroup("XSS", HighlightColor.ORANGE, "q", "s", "search", "id", "lang", "keyword", "query", "page", "keywords", "year", "view", "email", "type", "name", "p", "month", "image", "list_type", "url", "terms", "categoryid", "key", "l", "begindate", "enddate"); +VulnParamGroup lfi = new VulnParamGroup("LFI", HighlightColor.YELLOW, "cat", "dir", "action", "board", "date", "detail", "file", "download", "path", "folder", "prefix", "include", "page", "inc", "locate", "show", "doc", "site", "type", "view", "content", "document", "layout", "mod", "conf"); +VulnParamGroup or = new VulnParamGroup("OR", HighlightColor.PINK, "next", "url", "target", "rurl", "dest", "destination", "redir", "redirect_uri", "redirect_url", "redirect", "out", "view", "to", "image_url", "go", "return", "returnTo", "return_to", "checkout_url", "continue", "return_path"); 
+VulnParamGroup rce = new VulnParamGroup("RCE", HighlightColor.RED, "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg", "do", "func", "arg", "option", "load", "process", "step", "read", "feature", "exe", "module", "payload", "run", "print"); -// Highlight colours (SSRF/GREEN, SQL/BLUE, XSS/ORANGE, LFI/YELLOW, OR/PINK, RCE/RED) -HighlightColor[] highlightColors = { - HighlightColor.GREEN, - HighlightColor.BLUE, - HighlightColor.ORANGE, - HighlightColor.YELLOW, - HighlightColor.PINK, - HighlightColor.RED -}; +// Toggle for highlighting +boolean highlightEnabled = true; -Map paramColors = new HashMap<>(); - -for (int i = 0; i < allParams.length; i++) { - String[] paramArray = allParams[i]; - HighlightColor color = highlightColors[i % highlightColors.length]; - for (String param : paramArray) { - paramColors.put(param, color); - } -} - -Map firstParamColorMap = new HashMap<>(); +// Set multi vulnerable parameter group colour +HighlightColor multipleVulnColor = HighlightColor.MAGENTA; +VulnParamGroup[] groups = {ssrf, sql, xss, lfi, or, rce}; Set foundParams = new HashSet<>(); -boolean multiColorDetected = false; -String inputParam = ""; - -if (requestResponse.request().url() != null) { - String requestUrl = requestResponse.request().url().toString(); - String requestBody = requestResponse.request().bodyToString(); - - int queryStart = requestUrl.indexOf("?"); - String queryString = ""; - if (queryStart != -1 && queryStart < requestUrl.length() - 1) { - queryString = requestUrl.substring(queryStart + 1); - } - - String[] allInputParams = (queryString + "&" + requestBody).split("&"); - // If multiple vulnerable parameters classes apply highlight the request in magenta - HighlightColor multipleVulnColor = HighlightColor.MAGENTA; - - for (String tempParam : allInputParams) { - for (int i = 0; i < allParams.length; i++) { - for (String param : allParams[i]) { - if (tempParam.startsWith(param)) { - inputParam = tempParam; - String arrayName = 
arrayNames[i]; - HighlightColor color = highlightColors[i % highlightColors.length]; +Map colorCounts = new HashMap<>(); +String combinedNotes = ""; - if (manualColorHighlightEnabled) { - if (!firstParamColorMap.containsKey(inputParam)) { - firstParamColorMap.put(inputParam, color); - } else if (!firstParamColorMap.get(inputParam).equals(color)) { - multiColorDetected = true; - } +// Get the request object +var request = requestResponse.request(); - foundParams.add(arrayName + ": " + inputParam); - } - } +// Main loop to check for matches +for (VulnParamGroup group : groups) { + for (String paramName : group.parameterNames()) { + if (request.hasParameter(paramName, HttpParameterType.URL) || + request.hasParameter(paramName, HttpParameterType.BODY)) { + if (highlightEnabled) { + foundParams.add(group.title() + ": " + paramName); + colorCounts.put(group.color(), colorCounts.getOrDefault(group.color(), 0) + 1); + } + // Return if only one vulnerability class applies + if (!highlightEnabled) { + requestResponse.annotations().setHighlightColor(group.color()); + return true; } } } +} - if (!foundParams.isEmpty()) { - StringBuilder combinedNotes = new StringBuilder(); - HighlightColor highlightColor = multiColorDetected ? 
multipleVulnColor : firstParamColorMap.get(inputParam); - requestResponse.annotations().setHighlightColor(highlightColor); - - for (String param : foundParams) { - if (combinedNotes.length() != 0) { - combinedNotes.append(", "); - } - combinedNotes.append(param); - } - requestResponse.annotations().setNotes(combinedNotes.toString()); - return true; +// If more than one vulnerability class applies set the multi vulnerable parameter colour +if (!foundParams.isEmpty()) { + HighlightColor highlightColor = multipleVulnColor; + if (colorCounts.size() == 1) { + highlightColor = colorCounts.keySet().iterator().next(); } + + requestResponse.annotations().setHighlightColor(highlightColor); + combinedNotes = String.join(", ", foundParams); + requestResponse.annotations().setNotes(combinedNotes); + return true; } + return false; From f38c34c1a438f9d33cdcf253c506d93484aae535 Mon Sep 17 00:00:00 2001 From: flamebarke <39644720+flamebarke@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:51:38 +1100 Subject: [PATCH 4/4] Update FilterHighlightAnnotateOWASP.bambda --- Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda index 14189e7..675defb 100644 --- a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda +++ b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda 
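Review bot: In the PATCH 3/4 hunk, the `if (!highlightEnabled)` branch still calls `requestResponse.annotations().setHighlightColor(group.color())`, so switching the "Toggle for highlighting" off keeps colouring requests by the first matching group and only suppresses the notes. The comment above it, `// Return if only one vulnerability class applies`, describes something else. If the toggle is meant to disable annotation, that branch should be just `return true;` with a comment such as `// Highlighting off: act as a plain filter and stop at the first match`. Separately, only `HttpParameterType.URL` and `HttpParameterType.BODY` are checked, so parameters carried in JSON bodies are not flagged; adding `request.hasParameter(paramName, HttpParameterType.JSON)` would cover them if that is wanted. `foundParams` is a `HashSet`, so the order of entries in the note is not stable; a `TreeSet` would make the notes reproducible.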
@@ -11,7 +11,7 @@ record VulnParamGroup(String title, HighlightColor color, String... parameterNam // Vulnerable Parameter Groups VulnParamGroup ssrf = new VulnParamGroup("SSRF", HighlightColor.GREEN, "dest", "redirect", "uri", "path", "continue", "url", "window", "next", "data", "reference", "site", "html", "val", "validate", "domain", "callback", "return", "page", "feed", "host", "port", "to", "out", "view", "dir"); -VulnParamGroup sql = new VulnParamGroup("SQL Injection", HighlightColor.BLUE, "id", "page", "report", "dir", "search", "category", "file", "class", "url", "news", "item", "menu", "lang", "name", "ref", "title", "view", "topic", "thread", "type", "date", "form", "main", "nav", "region"); +VulnParamGroup sql = new VulnParamGroup("SQL", HighlightColor.BLUE, "id", "page", "report", "dir", "search", "category", "file", "class", "url", "news", "item", "menu", "lang", "name", "ref", "title", "view", "topic", "thread", "type", "date", "form", "main", "nav", "region"); VulnParamGroup xss = new VulnParamGroup("XSS", HighlightColor.ORANGE, "q", "s", "search", "id", "lang", "keyword", "query", "page", "keywords", "year", "view", "email", "type", "name", "p", "month", "image", "list_type", "url", "terms", "categoryid", "key", "l", "begindate", "enddate"); VulnParamGroup lfi = new VulnParamGroup("LFI", HighlightColor.YELLOW, "cat", "dir", "action", "board", "date", "detail", "file", "download", "path", "folder", "prefix", "include", "page", "inc", "locate", "show", "doc", "site", "type", "view", "content", "document", "layout", "mod", "conf"); VulnParamGroup or = new VulnParamGroup("OR", HighlightColor.PINK, "next", "url", "target", "rurl", "dest", "destination", "redir", "redirect_uri", "redirect_url", "redirect", "out", "view", "to", "image_url", "go", "return", "returnTo", "return_to", "checkout_url", "continue", "return_path");