diff --git a/README.md b/README.md index 1f6bbc4e1f..c04d8f9ae1 100644 --- a/README.md +++ b/README.md @@ -387,7 +387,7 @@ For details, see [Configuration](https://www.blacklanternsecurity.com/bbot/Stabl - [List of Modules](https://www.blacklanternsecurity.com/bbot/Stable/modules/list_of_modules) - [Nuclei](https://www.blacklanternsecurity.com/bbot/Stable/modules/nuclei) - [Custom YARA Rules](https://www.blacklanternsecurity.com/bbot/Stable/modules/custom_yara_rules) - - [Lightfuzz](https://www.blacklanternsecurity.com/bbot/Stable/modules/lightfuzz) + - [Lightfuzz (DAST)](https://www.blacklanternsecurity.com/bbot/Stable/modules/lightfuzz) - **Misc** - [Contribution](https://www.blacklanternsecurity.com/bbot/Stable/contribution) - [Release History](https://www.blacklanternsecurity.com/bbot/Stable/release_history) diff --git a/bbot/core/event/base.py b/bbot/core/event/base.py index 1f47c0d65a..a00fd59bf5 100644 --- a/bbot/core/event/base.py +++ b/bbot/core/event/base.py @@ -685,7 +685,7 @@ def parent(self, parent): self.web_spider_distance = getattr(parent, "web_spider_distance", 0) event_has_url = getattr(self, "parsed_url", None) is not None for t in parent.tags: - if t in ("affiliate",): + if t in ("affiliate", "from-lightfuzz"): self.add_tag(t) elif t.startswith("mutation-"): self.add_tag(t) @@ -1135,10 +1135,20 @@ def sanitize_data(self, data): class DictEvent(BaseEvent): + __slots__ = ["url_extension"] + def sanitize_data(self, data): url = data.get("url", "") if url: self.parsed_url = self.validators.validate_url_parsed(url) + # extract url_extension from any dict event with a URL + url_path = self.parsed_url.path + if url_path: + parsed_path_lower = str(url_path).lower() + extension = get_file_extension(parsed_path_lower) + if extension: + self.url_extension = extension + self.add_tag(f"extension-{extension}") return data def _data_load(self, data): @@ -1366,7 +1376,6 @@ class URL_UNVERIFIED(DictHostEvent): __slots__ = [ "web_spider_distance", - "url_extension", "num_redirects", ] @@ -1567,6 +1576,7 @@ def _minimize(self): self._data.pop("original_value", None) self._data.pop("additional_params", None) self._data.pop("assigned_cookies", None) + self._data.pop("same_param_values", None) @property def children(self): diff --git a/bbot/core/helpers/diff.py b/bbot/core/helpers/diff.py index 73aebfa137..9c6e36920b 100644 --- a/bbot/core/helpers/diff.py +++ b/bbot/core/helpers/diff.py @@ -21,6 +21,7 @@ def __init__( headers=None, cookies=None, timeout=10, + on_baseline_ready=None, ): self.parent_helper = parent_helper self.baseline_url = baseline_url @@ -33,6 +34,8 @@ def __init__( self.headers = headers self.cookies = cookies self.timeout = 10 + # Optional async callback fired once with baseline_1 after the baseline is established. + self.on_baseline_ready = on_baseline_ready @staticmethod def merge_dictionaries(headers1, headers2): @@ -130,6 +133,12 @@ async def _baseline(self): self.baseline_ignore_headers += [x.lower() for x in dynamic_headers] self._baselined = True + if self.on_baseline_ready is not None: + try: + await self.on_baseline_ready(baseline_1) + except Exception as e: + log.debug(f"on_baseline_ready callback raised: {e}") + def gen_cache_buster(self): return {self.parent_helper.rand_string(6): "1"} diff --git a/bbot/core/helpers/helper.py b/bbot/core/helpers/helper.py index 0d2a1dbb6b..26840d8211 100644 --- a/bbot/core/helpers/helper.py +++ b/bbot/core/helpers/helper.py @@ -157,6 +157,7 @@ def http_compare( data=None, json=None, timeout=10, + on_baseline_ready=None, ): return HttpCompare( url, @@ -169,6 +170,7 @@ def http_compare( method=method, data=data, json=json, + on_baseline_ready=on_baseline_ready, ) def temp_filename(self, extension=None): diff --git a/bbot/core/helpers/misc.py b/bbot/core/helpers/misc.py index 8ae4238ce7..d84c1d5df8 100644 --- a/bbot/core/helpers/misc.py +++ b/bbot/core/helpers/misc.py @@ -2754,6 +2754,12 @@ def get_waf_strings(): return [ "The requested URL was rejected", "This content has been blocked", + "You don't have permission to access ", + "The URL you requested has been blocked", + "Request unsuccessful. Incapsula incident", + "Access Denied - Sucuri Website Firewall", + "Attention Required! | Cloudflare", + "Microsoft-Azure-Application-Gateway", ] diff --git a/bbot/core/helpers/regexes.py b/bbot/core/helpers/regexes.py index f50ea2519c..ad3cf14780 100644 --- a/bbot/core/helpers/regexes.py +++ b/bbot/core/helpers/regexes.py @@ -157,7 +157,14 @@ re.DOTALL, ) post_form_regex_noaction = re.compile( - r"