/**
 * Builds one request that carries all of the candidates in {@code params}.
 *
 * <p>A placeholder header with a fixed name is added to the base {@code request}
 * first. If there is nothing to send, that request is returned as is. Otherwise
 * each candidate already recorded in {@code present} has its existing
 * {@code "<name>: "} text prefixed with {@code old}, and the placeholder is then
 * rewritten to carry the merged candidates.
 *
 * @param params candidates to merge; only the text before the first {@code ~}
 *               of each entry is used for the {@code present} lookup
 * @return the raw request bytes with the merged candidates applied
 */
public byte[] buildBulkRequest(ArrayList<String> params) {
    String mergedParams = prepBulkParams(params);
    String placeholderName = "TCZqBcS13SA8QRCpW";
    byte[] result = Utilities.addOrReplaceHeader(request, placeholderName, "foo");

    // Nothing to merge: hand back the request with only the placeholder header added.
    if (params.isEmpty() || "".equals(mergedParams)) {
        return result;
    }

    for (String candidate : params) {
        String name = candidate.split("~", 2)[0];
        if (!present.containsKey(name)) {
            continue;
        }
        // presumably present maps a candidate to the header text already in the
        // request, so this renames that header out of the way - verify against caller.
        String existing = present.get(name) + ": ";
        // NOTE(review): getBytes() with no charset uses the platform default; this is
        // only stable across hosts while the header text is ASCII - confirm.
        result = Utilities.replace(result, existing.getBytes(), ("old" + existing).getBytes());
    }

    // The value starts with "x\r\n", so whatever prepBulkParams returned begins on a new
    // line of the raw request rather than inside the placeholder header's value.
    return Utilities.setHeader(result, placeholderName, "x\r\n" + mergedParams);
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Applies every configured injection point to {@code request} and returns the result.
 *
 * <p>Each entry of {@code injectionPoints} is read as {@code [type, name, template]}.
 * In the template, {@code %s} is replaced with the identifier returned by
 * {@code collab.generateCollabId(requestCode, name)} and {@code %h} with the request's
 * Host header. The expanded payload is then written either as a URL parameter
 * ({@code "param"}) or as a header ({@code "header"}); any other type is reported
 * through {@code Utilities.out} and skipped.
 *
 * @param request     raw request bytes to modify
 * @param requestCode passed through to {@code collab.generateCollabId}
 * @return the request with {@code Cache-Control: no-transform} and all payloads applied
 */
public byte[] injectPayloads(byte[] request, Integer requestCode) {
    // Disabled variants, left commented out by the original author:
    //request = Utilities.replaceRequestLine(request, "GET @"+collabId + "/"+collabId.split("[.]")[0] + " HTTP/1.1");
    //request = Utilities.addOrReplaceHeader(request, "Referer", "http://portswigger-labs.net/redirect.php?url=https://portswigger-labs.net/"+collabId);

    request = Utilities.addOrReplaceHeader(request, "Cache-Control", "no-transform");

    for (String[] injection : injectionPoints) {
        String kind = injection[0];
        String target = injection[1];
        String template = injection[2];

        String payload = template.replace("%s", collab.generateCollabId(requestCode, target));

        // %h expands to the Host header, in the same way %s expands to the Collaborator id.
        // NOTE(review): Host is read from the request as modified so far, so an earlier
        // "header" injection that targets Host changes what later %h expansions see.
        // NOTE(review): if Utilities.getHeader can return null for a missing Host header,
        // String.replace throws NullPointerException here - confirm.
        String host = Utilities.getHeader(request, "Host");
        payload = payload.replace("%h", host);

        if (kind.equals("param")) {
            // Remove then add, so the request carries this URL parameter once with the payload.
            IParameter param = Utilities.helpers.buildParameter(target, payload, IParameter.PARAM_URL);
            request = Utilities.helpers.removeParameter(request, param);
            request = Utilities.helpers.addParameter(request, param);
        } else if (kind.equals("header")) {
            request = Utilities.addOrReplaceHeader(request, target, payload);
        } else {
            Utilities.out("Unrecognised injection type: " + kind);
        }
    }

    return request;
}
Attack WAFCatcher = new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-header", submission))); WAFCatcher.addAttack(new Attack(Utilities.attemptRequest(service, Utilities.addOrReplaceHeader(baseRequestResponse.getRequest(), "junk-head", submission)))); if (!Utilities.similar(WAFCatcher, confirmParamGuess)){ Probe validParam = new Probe("Found unlinked param: " + submission, 4, submission);