Bambda

The document outlines a script that filters Proxy HTTP history for requests containing vulnerable parameters based on the OWASP Top 25. It defines various groups of vulnerable parameters (e.g., SSRF, SQL, XSS) with associated highlighting colors and implements a mechanism to annotate requests with detected vulnerabilities. The script highlights parameters and provides notes on vulnerabilities found during the request analysis.

Uploaded by

sagardhakal.kaon

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

5 views2 pages

Bambda

Uploaded by

sagardhakal.kaon

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

You are on page 1/ 2

/**

* Filters Proxy HTTP history for requests with vulnerable parameters based on the
OWASP Top 25
* using the parameter arrays written by Tur24Tur / BugBountyzip
(https://github.com/BugBountyzip).
* @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda)
* Implements colour highlighting for each class of vulnerability along with
* automatic note annotations detailing the parameter to test and class of
vulnerability.
**/

// Define vulnerable parameter group record

record VulnParamGroup(String title, HighlightColor color, String... parameterNames)
{}

// Vulnerable Parameter Groups

VulnParamGroup ssrf = new VulnParamGroup("SSRF", HighlightColor.GREEN, "dest",
"redirect", "uri", "path", "continue", "url", "window", "next", "data",
"reference", "site", "html", "val", "validate", "domain", "callback", "return",
"page", "feed", "host", "port", "to", "out", "view", "dir");
VulnParamGroup sql = new VulnParamGroup("SQL", HighlightColor.BLUE, "id", "page",
"report", "dir", "search", "category", "file", "class", "url", "news", "item",
"menu", "lang", "name", "ref", "title", "view", "topic", "thread", "type", "date",
"form", "main", "nav", "region");
VulnParamGroup xss = new VulnParamGroup("XSS", HighlightColor.ORANGE, "q", "s",
"search", "id", "lang", "keyword", "query", "page", "keywords", "year", "view",
"email", "type", "name", "p", "month", "image", "list_type", "url", "terms",
"categoryid", "key", "l", "begindate", "enddate");
VulnParamGroup lfi = new VulnParamGroup("LFI", HighlightColor.YELLOW, "cat", "dir",
"action", "board", "date", "detail", "file", "download", "path", "folder",
"prefix", "include", "page", "inc", "locate", "show", "doc", "site", "type",
"view", "content", "document", "layout", "mod", "conf");
VulnParamGroup or = new VulnParamGroup("OR", HighlightColor.PINK, "next", "url",
"target", "rurl", "dest", "destination", "redir", "redirect_uri", "redirect_url",
"redirect", "out", "view", "to", "image_url", "go", "return", "returnTo",
"return_to", "checkout_url", "continue", "return_path");
VulnParamGroup rce = new VulnParamGroup("RCE", HighlightColor.RED, "cmd", "exec",
"command", "execute", "ping", "query", "jump", "code", "reg", "do", "func", "arg",
"option", "load", "process", "step", "read", "feature", "exe", "module", "payload",
"run", "print");

// Toggle for highlighting

boolean highlightEnabled = true;

// Set multi vulnerable parameter group colour

HighlightColor multipleVulnColor = HighlightColor.MAGENTA;
VulnParamGroup[] groups = {ssrf, sql, xss, lfi, or, rce};
Set<String> foundParams = new HashSet<>();
Map<HighlightColor, Integer> colorCounts = new HashMap<>();
String combinedNotes = "";

// Get the request object

var request = requestResponse.request();

// Main loop to check for matches

for (VulnParamGroup group : groups) {
for (String paramName : group.parameterNames()) {
if (request.hasParameter(paramName, HttpParameterType.URL) ||
request.hasParameter(paramName, HttpParameterType.BODY)) {
if (highlightEnabled) {
foundParams.add(group.title() + ": " + paramName);
colorCounts.put(group.color(),
colorCounts.getOrDefault(group.color(), 0) + 1);
}
// Return if only one vulnerability class applies
if (!highlightEnabled) {
requestResponse.annotations().setHighlightColor(group.color());
return true;
}
}
}
}

// If more than one vulnerability class applies set the multi vulnerable parameter
colour
if (!foundParams.isEmpty()) {
HighlightColor highlightColor = multipleVulnColor;
if (colorCounts.size() == 1) {
highlightColor = colorCounts.keySet().iterator().next();
}

requestResponse.annotations().setHighlightColor(highlightColor);
combinedNotes = String.join(", ", foundParams);
requestResponse.annotations().setNotes(combinedNotes);
return true;
}

return false;

Apis Fuzzing For Bug Bounty: Tools
No ratings yet
Apis Fuzzing For Bug Bounty: Tools
7 pages
Error
No ratings yet
Error
125 pages
100 Vulnerabilities
0% (1)
100 Vulnerabilities
4 pages
Comprehensive Vulnerability Checklist
No ratings yet
Comprehensive Vulnerability Checklist
4 pages
07 Security1
No ratings yet
07 Security1
52 pages
Attacking Golang 1719376200
No ratings yet
Attacking Golang 1719376200
61 pages
AntCTFxD3CTF 2023 Official Writeups
100% (1)
AntCTFxD3CTF 2023 Official Writeups
125 pages
Detailed Steps For Building A Web Application Vulnerability Scanner
100% (1)
Detailed Steps For Building A Web Application Vulnerability Scanner
10 pages
API Pentesting Techniques and Vulnerabilities
No ratings yet
API Pentesting Techniques and Vulnerabilities
1 page
100 Web Vulnerabilities List (Categorized) - Checklist
No ratings yet
100 Web Vulnerabilities List (Categorized) - Checklist
10 pages
Source Code Analysis Scenarios 1714376612
No ratings yet
Source Code Analysis Scenarios 1714376612
29 pages
Vuln Impacts Mitigations
No ratings yet
Vuln Impacts Mitigations
3 pages
Test Portal: Vulnerability Assessment & Penetration Testing
No ratings yet
Test Portal: Vulnerability Assessment & Penetration Testing
12 pages
Network Trace
No ratings yet
Network Trace
2,149 pages
Document2 1
No ratings yet
Document2 1
27 pages
Vulnhub Darkhole 2 Write UP
No ratings yet
Vulnhub Darkhole 2 Write UP
13 pages
Strutted
No ratings yet
Strutted
10 pages
API Pentesting Mindmap ATTACK
No ratings yet
API Pentesting Mindmap ATTACK
1 page
Static Vulnerabilities Findings
No ratings yet
Static Vulnerabilities Findings
2 pages
Slides Insecure Direct Object Reference
No ratings yet
Slides Insecure Direct Object Reference
35 pages
Comprehensive Web Hacking Guide
No ratings yet
Comprehensive Web Hacking Guide
2 pages
Abusing HTTP Misconfigurations
No ratings yet
Abusing HTTP Misconfigurations
61 pages
Offensive Approach To Hunt Bugs
No ratings yet
Offensive Approach To Hunt Bugs
7 pages
API Testing Checklist
No ratings yet
API Testing Checklist
7 pages
Github Rcon Exploit
No ratings yet
Github Rcon Exploit
10 pages
Web Vulns Cheat Sheet HOF
No ratings yet
Web Vulns Cheat Sheet HOF
2 pages
Web App Security: HDIV Guide
No ratings yet
Web App Security: HDIV Guide
88 pages
Lab 1
No ratings yet
Lab 1
14 pages
Recon Methdology and Notes....
No ratings yet
Recon Methdology and Notes....
4 pages
API Scenario Checklist - Latest
No ratings yet
API Scenario Checklist - Latest
5 pages
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
No ratings yet
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
5 pages
Prepare To BSCP
No ratings yet
Prepare To BSCP
2 pages
Abusing HTTP Misconfigurations - @CyberFreeCourses
No ratings yet
Abusing HTTP Misconfigurations - @CyberFreeCourses
61 pages
Log Version 1 2 Browser
No ratings yet
Log Version 1 2 Browser
115 pages
Apache HTTP Server Vulnerabilities Report
No ratings yet
Apache HTTP Server Vulnerabilities Report
3 pages
Nikto Data-Disinfo - Json
No ratings yet
Nikto Data-Disinfo - Json
458 pages
Web Checklist
No ratings yet
Web Checklist
4 pages
Web Pentesting Course Slides
No ratings yet
Web Pentesting Course Slides
63 pages
Cve 2022 22965
No ratings yet
Cve 2022 22965
8 pages
Client-Side and Server-Side Vulnerabilities
No ratings yet
Client-Side and Server-Side Vulnerabilities
6 pages
Web Traffic Data Analysis
No ratings yet
Web Traffic Data Analysis
4 pages
Payment Result Filter Guide
No ratings yet
Payment Result Filter Guide
6 pages
Java Servlet API Overview
No ratings yet
Java Servlet API Overview
2 pages
Tips Notes
No ratings yet
Tips Notes
5 pages
Bug Hunting
No ratings yet
Bug Hunting
27 pages
100 Web Vulnerabilities
No ratings yet
100 Web Vulnerabilities
7 pages
Smart Scan Practise Vulweb1
No ratings yet
Smart Scan Practise Vulweb1
163 pages
Pentest Qna 68
No ratings yet
Pentest Qna 68
12 pages
Pentest Book: Pentesting Web Checklist Recon Phase
No ratings yet
Pentest Book: Pentesting Web Checklist Recon Phase
9 pages
Different Types of Vulnerabilities
No ratings yet
Different Types of Vulnerabilities
7 pages
Input 8 To 10
No ratings yet
Input 8 To 10
6 pages
Message
No ratings yet
Message
3 pages
Memory
No ratings yet
Memory
5 pages
Java Servlet Examples and Tutorials
No ratings yet
Java Servlet Examples and Tutorials
59 pages
Web PenTest Techniques Guide
No ratings yet
Web PenTest Techniques Guide
1 page
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
7 pages
Wapiti Vulnerability Report: Target: Http://123.231.148.147:8081/webservice
No ratings yet
Wapiti Vulnerability Report: Target: Http://123.231.148.147:8081/webservice
7 pages
API Security Testing Checklist
No ratings yet
API Security Testing Checklist
2 pages
Juicy Files
No ratings yet
Juicy Files
3,202 pages
Fuzz PHP Special
No ratings yet
Fuzz PHP Special
2,349 pages
Admin
No ratings yet
Admin
131 pages
Cgi Bin
No ratings yet
Cgi Bin
2 pages
Directory Traversal
No ratings yet
Directory Traversal
22 pages
Directory Traversal Unix
No ratings yet
Directory Traversal Unix
23 pages
Config
No ratings yet
Config
1 page
Xss
No ratings yet
Xss
62 pages
Fuzz
No ratings yet
Fuzz
91 pages
Apac
No ratings yet
Apac
225 pages
TOCL-Series SM RevF Ocr
No ratings yet
TOCL-Series SM RevF Ocr
127 pages
CS Discs Msys51 Maguyon - A H 2023 2
No ratings yet
CS Discs Msys51 Maguyon - A H 2023 2
6 pages
WS - All 1.0
No ratings yet
WS - All 1.0
6 pages
CN 1
No ratings yet
CN 1
42 pages
Maglev Courseware Sample For MATLAB Users
100% (1)
Maglev Courseware Sample For MATLAB Users
12 pages
Aloe Vera Cosmetics Social Media Strategy by Slidesgo
No ratings yet
Aloe Vera Cosmetics Social Media Strategy by Slidesgo
40 pages
11 Sorting
No ratings yet
11 Sorting
103 pages
Assistant Manager Exam Syllabus Overview
No ratings yet
Assistant Manager Exam Syllabus Overview
2 pages
Datasheet System 1 Condition Monitoring and Diagnostic Software-108m5214
No ratings yet
Datasheet System 1 Condition Monitoring and Diagnostic Software-108m5214
7 pages
5 Pen PC Technology Overview
100% (1)
5 Pen PC Technology Overview
16 pages
E740ENG
No ratings yet
E740ENG
332 pages
Oracle EBS Upgrade Guide
No ratings yet
Oracle EBS Upgrade Guide
27 pages
Bs Degree
No ratings yet
Bs Degree
9 pages
CPU Registers and Organization
No ratings yet
CPU Registers and Organization
9 pages
B Tech Ece Vlsi Curriculum 2021
No ratings yet
B Tech Ece Vlsi Curriculum 2021
4 pages
Evidence Evaluation Guide
67% (3)
Evidence Evaluation Guide
44 pages
WWW Rittmanmead Com 2012 05 Obiee Performance Tuning Myth Bi
No ratings yet
WWW Rittmanmead Com 2012 05 Obiee Performance Tuning Myth Bi
4 pages
Enterprise Digital Transformation Technology, Tools, and Use Cases (Sathyan Munirathinam (Editor) Etc.) (Z-Library)
No ratings yet
Enterprise Digital Transformation Technology, Tools, and Use Cases (Sathyan Munirathinam (Editor) Etc.) (Z-Library)
447 pages
Development of A Material Databook For Api STD 530
100% (1)
Development of A Material Databook For Api STD 530
10 pages
GUK Leaflet Folding Machine Overview
No ratings yet
GUK Leaflet Folding Machine Overview
2 pages
Winlink 1000: Product Overview
No ratings yet
Winlink 1000: Product Overview
4 pages
Install GeoNode with Docker on Ubuntu
No ratings yet
Install GeoNode with Docker on Ubuntu
2 pages
SOP Writing Guide for Interoperability
No ratings yet
SOP Writing Guide for Interoperability
28 pages
Locally Weighted Regression Explained
No ratings yet
Locally Weighted Regression Explained
3 pages
Abstract Prototype Developement Document Olabs Hackathon
No ratings yet
Abstract Prototype Developement Document Olabs Hackathon
2 pages
Transient Stability in Power Systems
No ratings yet
Transient Stability in Power Systems
25 pages
Smartflo Brochure
No ratings yet
Smartflo Brochure
7 pages
Class 12 Phy Hindi
87% (23)
Class 12 Phy Hindi
20 pages
Estes User Guide Index - Rev20241112 - Ecwr
No ratings yet
Estes User Guide Index - Rev20241112 - Ecwr
1 page
Lufthansa Travel Itinerary
No ratings yet
Lufthansa Travel Itinerary
4 pages

Bambda

Uploaded by

Bambda

Uploaded by

/**

// Define vulnerable parameter group record

// Vulnerable Parameter Groups

// Toggle for highlighting

// Set multi vulnerable parameter group colour

// Get the request object

// Main loop to check for matches

You might also like