/**
 * Builds a random canary: a {@code randomString} of 4..10 characters followed by a
 * single decimal digit in 0..8.
 *
 * <p>{@code rnd} and {@code randomString} are defined elsewhere in this file; their
 * alphabet and RNG type are not visible here. A canary only has to be unlikely to
 * collide with real content, so this is fine for differential detection — do not
 * reuse it as a secret or session token.
 *
 * @return the freshly generated canary string
 */
static String generateCanary() {
    int bodyLength = 4 + rnd.nextInt(7);          // 4..10 inclusive
    String body = randomString(bodyLength);
    String trailingDigit = String.valueOf(rnd.nextInt(9));  // "0".."8"
    return body + trailingDigit;
}
/**
 * Generates a random canary token: 4..10 characters from {@code randomString}
 * followed by one digit in the range 0..8.
 *
 * <p>Both {@code rnd} and {@code randomString} live elsewhere in this file, so the
 * character set and the RNG's strength are not visible from here. A canary's job is
 * to be unlikely to appear by chance, not to be unpredictable — keep it out of any
 * security-sensitive use.
 *
 * @return the new canary
 */
static String generateCanary() {
    StringBuilder canary = new StringBuilder();
    canary.append(randomString(4 + rnd.nextInt(7)));  // length 4..10
    canary.append(rnd.nextInt(9));                     // digit 0..8
    return canary.toString();
}
/**
 * Returns a random canary made of a {@code randomString} of length 4..10 plus a
 * trailing digit 0..8.
 *
 * <p>The RNG {@code rnd} and {@code randomString} are not shown on this page; their
 * properties are not assumed here. Use the result only as a detection marker, never
 * as a secret.
 *
 * @return the generated canary
 */
static String generateCanary() {
    // First draw picks the body length (4..10), second draw picks the digit (0..8).
    return randomString(4 + rnd.nextInt(7)).concat(String.valueOf(rnd.nextInt(9)));
}
/**
 * Rebuilds {@code this.base}, the baseline {@link Attack} that later probes are compared
 * against.
 *
 * <p>The baseline is seeded with a 6-character random probe and then widened with probes
 * of length 1, 4, 9 and 16, so it captures how the target responds to harmless input of
 * varying size. When {@code bucketSize > 1} one more probe is added that joins two random
 * names with {@code "|"} — presumably mirroring how several candidate names are batched
 * into a single request elsewhere (not visible here; confirm against the caller).
 *
 * <p>Side effect: assigns {@code this.base}. Each {@code probeAttack} call is a network
 * request against the target.
 *
 * @return the newly built baseline (the same object stored in {@code this.base})
 */
Attack updateBaseline() {
    this.base = this.injector.probeAttack(Utilities.randomString(6));
    for (int step = 1; step <= 4; step++) {
        int probeLength = step * step;  // 1, 4, 9, 16
        this.base.addAttack(this.injector.probeAttack(Utilities.randomString(probeLength)));
    }
    if (bucketSize > 1) {
        String batchedProbe = Utilities.randomString(6) + "|" + Utilities.randomString(12);
        this.base.addAttack(this.injector.probeAttack(batchedProbe));
    }
    return this.base;
}
/**
 * Produces a variant of {@code fullparam} that should no longer match the original
 * parameter(s), for use as a control value in differential probing.
 *
 * <p>{@code fullparam} is a {@code "|"}-separated list of segments; each segment is a
 * {@code ":"}-separated key path, optionally followed by {@code "~"} and a value. For
 * every segment:
 * <ul>
 *   <li>if {@code allowValueChange} is set, the segment carries a value and contains no
 *       {@code "%"}, the value is replaced by {@code Utilities.invert(value)} and the key
 *       path is left alone;</li>
 *   <li>otherwise the last key for which {@code Utilities.parseArrayIndex} returns
 *       {@code -1} (presumably "not a numeric array index") gets six random characters
 *       appended, and the value, if any, is carried over unchanged.</li>
 * </ul>
 *
 * <p>Note that {@code split(":")} drops trailing empty strings, so a segment ending in
 * {@code ":"} loses that colon when rejoined. The {@code split("~", 2)} keeps any further
 * {@code "~"} characters inside the value.
 *
 * @param fullparam        the parameter spec to permute
 * @param allowValueChange whether the value part may be inverted instead of the key
 * @return the permuted spec, segments rejoined with {@code "|"}
 */
static String permute(String fullparam, boolean allowValueChange) {
    ArrayList<String> mutated = new ArrayList<>();
    for (String segment : fullparam.split("[|]")) {
        boolean hasValue = segment.contains("~");

        // Value inversion path: only when allowed, a value exists, and nothing is URL-encoded.
        if (allowValueChange && hasValue && !segment.contains("%")) {
            String[] keyAndValue = segment.split("~", 2);
            mutated.add(keyAndValue[0] + "~" + Utilities.invert(keyAndValue[1]));
            continue;
        }

        // Key mutation path: separate the key path from an optional value suffix.
        String keyPath = segment;
        String valueSuffix = "";
        if (hasValue) {
            String[] keyAndValue = segment.split("~", 2);
            keyPath = keyAndValue[0];
            valueSuffix = "~" + keyAndValue[1];
        }

        // Walk from the innermost key outward and perturb the first non-index key found.
        String[] keys = keyPath.split(":");
        for (int idx = keys.length - 1; idx >= 0; idx--) {
            if (Utilities.parseArrayIndex(keys[idx]) != -1) {
                continue;
            }
            keys[idx] += Utilities.randomString(6);
            break;
        }
        mutated.add(String.join(":", keys) + valueSuffix);
    }
    return String.join("|", mutated);
}
/**
 * Sends {@code probe} wrapped in random anchors and reports how the target transformed it.
 *
 * <p>The payload placed into the insertion point is
 * {@code leftAnchor + "\\" + middleAnchor + probe + rightAnchor} (two literal backslashes),
 * while the prefix handed to {@code getTransformationResults} contains a single backslash —
 * i.e. the check looks for the doubled backslash collapsing to one, which is what a
 * backslash-unescaping layer would do to it. The anchors let the reflected probe be located
 * and told apart from any other occurrence of the probe text in the response. What
 * {@code getTransformationResults} derives from that is defined elsewhere in this file.
 *
 * <p>{@code payload.getBytes()} uses the platform default charset; the anchors and probe
 * are presumably ASCII so this is harmless, but pass an explicit charset if probes ever
 * carry non-ASCII characters.
 *
 * @param baseRequestResponse the request the probe is built from
 * @param insertionPoint      where the payload is injected
 * @param probe               the text whose handling is being recorded
 * @return the transformation results for this probe (one network request is made)
 */
private HashSet<String> recordHandling(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String probe) {
    // Draw order matters for reproducibility of the shared RNG: left, middle, then right.
    String leftAnchor = Utilities.randomString(3);
    String middleAnchor = "z" + Utilities.rnd.nextInt(9);
    String rightAnchor = "z" + Utilities.randomString(3);

    String payload = leftAnchor + "\\\\" + middleAnchor + probe + rightAnchor;
    byte[] request = insertionPoint.buildRequest(payload.getBytes());
    IHttpRequestResponse attack = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), request);

    String expectedPrefix = leftAnchor + "\\" + middleAnchor;
    byte[] filtered = Utilities.filterResponse(attack.getResponse());
    // Round-trip through the Burp helpers' string conversion before matching.
    byte[] normalised = helpers.stringToBytes(helpers.bytesToString(filtered));
    return getTransformationResults(expectedPrefix, rightAnchor, normalised);
}
Utilities.log("Trying bucket size: "+ bucketSize); StringBuilder trialPayload = new StringBuilder(); trialPayload.append(Utilities.randomString(longest)); for (int i = 0; i < bucketSize; i++) { trialPayload.append("|"); trialPayload.append(Utilities.randomString(longest));
public IScanIssue findTransformationIssues(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { String leftAnchor = Utilities.randomString(5); String rightAnchor = "z" + Utilities.randomString(2); Attack basicAttack = Utilities.buildTransformationAttack(baseRequestResponse, insertionPoint, leftAnchor, "\\\\", rightAnchor); if (Utilities.getMatches(Utilities.filterResponse(basicAttack.getFirstRequest().getResponse()), (leftAnchor + "\\" + rightAnchor).getBytes(), -1).isEmpty()) {
String targetURL = baseRequestResponse.getHttpService().getHost(); Utilities.out("Initiating parameter name bruteforce on "+ targetURL); Attack base = injector.buildAttack(baseValue+"&"+Utilities.randomString(6)+"=%3c%61%60%27%22%24%7b%7b%5c", false); base.addAttack(injector.buildAttack(baseValue+"&"+Utilities.randomString((i+1)*(i+1))+"=%3c%61%60%27%22%24%7b%7b%5c", false)); if (!Utilities.similar(base, confirmParamGuess)) { Probe validParam = new Probe("Backend param: " + candidate, 4, "&" + candidate + "=%3c%61%60%27%22%24%7b%7b%5c", "&" + candidate + "=%3c%62%60%27%22%24%7b%7b%5c"); validParam.setEscapeStrings("&" + Utilities.randomString(candidate.length()) + "=%3c%61%60%27%22%24%7b%7b%5c", "&" + candidate + "z=%3c%61%60%27%22%24%7b%7b%5c"); validParam.setRandomAnchor(false); ArrayList<Attack> confirmed = injector.fuzz(base, validParam);
for (int i = 1; i < min(8, bucketSize); i++) { basePayload.append("|"); basePayload.append(Utilities.randomString(longest)); if(i % 4 == 0) { base.addAttack(injector.probeAttack(basePayload.toString()));