From 77830fb5ee171f2e3801f5a9ca02a11648fce0ac Mon Sep 17 00:00:00 2001
From: Bug Bounty Zip <133497067+BugBountyzip@users.noreply.github.com>
Date: Sun, 3 Dec 2023 19:42:17 +0300
Subject: [PATCH 1/3] Create OWASPTop25VulnerableParameters.bambda
This `.bambda` file serves as a filter for the Burp Suite tool, identifying HTTP requests with parameters listed in the OWASP Top 25 vulnerabilities. It's designed to help security professionals quickly pinpoint potentially risky parameters.
---
 .../OWASPTop25VulnerableParameters.bambda | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
diff --git a/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
new file mode 100644
index 0000000..f675b6b
--- /dev/null
+++ b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
@@ -0,0 +1,48 @@
+/**
+ * Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25
+ * Author: Tur24Tur
+ * GitHub: @BugBountyzip BugBountyzip (https://github.com/BugBountyzip)
+ **/
+
+// Lists of vulnerable parameters based on OWASP Top 25
+String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="};
+String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="};
+String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="};
+String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="};
+String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="};
+String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code", "reg=", "do=", "func=", "arg=", "option=", "load=", "process=", "step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="};
+
+
+// Main logic of the Bambda
+if (requestResponse.request().url() != null) {
+ String requestUrl = requestResponse.request().url();
+ String requestBody = requestResponse.request().bodyToString();
+
+// Consolidate all parameter lists into a single array for easier processing
+ String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams};
+
+// Extract the query string from the URL (if any)
+ int queryStart = requestUrl.indexOf("?");
+ String queryString = "";
+ if (queryStart != -1 && queryStart < requestUrl.length() - 1) {
+ queryString = requestUrl.substring(queryStart + 1);
+ }
+
+// Combine and split the query string and request body into individual parameters
+ String[] allInputParams = (queryString + "&" + requestBody).split("&");
+
+ // Check each parameter against the lists of vulnerable parameters
+ for (String inputParam : allInputParams) {
+ for (String[] paramArray : allParams) {
+ for (String param : paramArray) {
+ if (inputParam.startsWith(param)) {
+ return true;
+ }
+ }
+ }
+ }
+}
+
+return false;
+
+
From 7cf82e23a9427d3c644a816322659bd7acc88f0b Mon Sep 17 00:00:00 2001
From: Bug Bounty Zip <133497067+BugBountyzip@users.noreply.github.com>
Date: Mon, 4 Dec 2023 06:27:09 +0300
Subject: [PATCH 2/3] Update OWASPTop25VulnerableParameters.bambda
I have utilized a Set to store the list of vulnerable parameters. This approach helps to efficiently manage the parameters and ensures that there are no duplicates, which aligns with the best practices for handling collections in Java. I have carefully reviewed the list of parameters and removed any duplicates that were previously present. This step was necessary to resolve the IllegalArgumentException caused by duplicate elements in the Set. I have implemented the hasParameter method as per your guidance. This method enhances the code by streamlining the process of checking for the presence of vulnerable parameters in both the URL and the body of the HTTP request.
---
 .../OWASPTop25VulnerableParameters.bambda | 74 +++++++++----------
 1 file changed, 36 insertions(+), 38 deletions(-)
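Review bot: The four list entries without a trailing `=` (`"class"` in sqlParams, `"path"` in lfiParams, `"redirect_uri"` in orParams, `"code"` in rceParams) turn the `startsWith` test into a bare prefix match, so `classic=`, `pathinfo=` or `codec=` light up the filter while the intended `path=`/`code=` would have matched anyway; append `=` to each. The comparison is also case-sensitive, so `URL=`, `Redirect=` or `ID=` are silently missed, and `requestBody` is split on `&` regardless of `Content-Type`, so a JSON or multipart body produces a single token beginning with `{` or `--` that never matches — worth a comment such as `// only the query string and form-encoded bodies are inspected; JSON/multipart bodies are not parsed` so users of the filter know its blind spot. If case-insensitive matching is wanted, lowercasing both sides (`inputParam.toLowerCase(Locale.ROOT).startsWith(param.toLowerCase(Locale.ROOT))`) is the one-line fix; note `returnTo=` is the only mixed-case entry, so lowercasing only the input would break that one.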
diff --git a/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
index f675b6b..fd30178 100644
--- a/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
+++ b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
@@ -4,45 +4,43 @@
 * GitHub: @BugBountyzip BugBountyzip (https://github.com/BugBountyzip)
 **/
-// Lists of vulnerable parameters based on OWASP Top 25
-String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="};
-String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="};
-String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="};
-String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="};
-String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="};
-String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code", "reg=", "do=", "func=", "arg=", "option=", "load=", "process=", "step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="};
-
-
-// Main logic of the Bambda
-if (requestResponse.request().url() != null) {
- String requestUrl = requestResponse.request().url();
- String requestBody = requestResponse.request().bodyToString();
-
-// Consolidate all parameter lists into a single array for easier processing
- String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams};
-
-// Extract the query string from the URL (if any)
- int queryStart = requestUrl.indexOf("?");
- String queryString = "";
- if (queryStart != -1 && queryStart < requestUrl.length() - 1) {
- queryString = requestUrl.substring(queryStart + 1);
- }
-
-// Combine and split the query string and request body into individual parameters
- String[] allInputParams = (queryString + "&" + requestBody).split("&");
-
- // Check each parameter against the lists of vulnerable parameters
- for (String inputParam : allInputParams) {
- for (String[] paramArray : allParams) {
- for (String param : paramArray) {
- if (inputParam.startsWith(param)) {
- return true;
- }
- }
- }
+// Define the vulnerable parameters as a Set based on OWASP Top 25
+Set parameterNames = Set.of(
+ // SSRF parameters
+ "dest", "redirect", "uri", "continue", "url", "window", "data",
+ "reference", "site", "html", "val", "validate", "domain", "callback", "return",
+ "page", "feed", "host", "port", "to", "out", "dir",
+ // SQL injection parameters
+ "id", "select", "report", "search", "category", "file", "class", "news",
+ "item", "menu", "ref", "title", "topic", "thread",
+ "form", "main", "nav", "region",
+ // XSS parameters
+ "q", "s", "lang", "keyword", "keywords", "year", "email",
+ "type", "name", "p", "month", "image", "list_type", "terms", "categoryid", "key",
+ "l", "begindate", "enddate",
+ // LFI parameters
+ "cat", "action", "board", "date", "detail", "download", "path", "folder",
+ "prefix", "include", "inc", "locate", "show", "doc", "view",
+ "content", "document", "layout", "mod", "conf",
+ // Open Redirect parameters
+ "next", "target", "rurl", "destination", "redir", "redirect_uri",
+ "redirect_url", "image_url", "go",
+ "returnTo", "return_to", "checkout_url", "return_path",
+ // RCE parameters
+ "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg", "do",
+ "func", "arg", "option", "load", "process", "step", "read", "feature", "exe",
+ "module", "payload", "run", "print"
+);
+
+// Get the request object
+var request = requestResponse.request();
+
+// Iterate through each parameter name and check if it exists in the request URL or body
+for (String param : parameterNames) {
+ if (request.hasParameter(param, HttpParameterType.URL) ||
+ request.hasParameter(param, HttpParameterType.BODY)) {
+ return true;
 }
 }
 return false;
-
-
From 88b5cf3128d93b304d671c7bb94aca227ec3c555 Mon Sep 17 00:00:00 2001
From: ps-porpoise <152162390+ps-porpoise@users.noreply.github.com>
Date: Mon, 4 Dec 2023 09:00:33 +0000
Subject: [PATCH 3/3] Format author tag to work with BambdaChecker
---
 Proxy/HTTP/OWASPTop25VulnerableParameters.bambda | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
index fd30178..dc6cf40 100644
--- a/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
+++ b/Proxy/HTTP/OWASPTop25VulnerableParameters.bambda
@@ -1,7 +1,6 @@
 /**
 * Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25
- * Author: Tur24Tur
- * GitHub: @BugBountyzip BugBountyzip (https://github.com/BugBountyzip)
+ * @author Tur24Tur / BugBountyzip (https://github.com/BugBountyzip)
 **/
 // Define the vulnerable parameters as a Set based on OWASP Top 25