Merge pull request PortSwigger#76 from GangGreenTemperTatum/ads/creat…

…ebambdaforparamminer feat: highlight easy param miner requests
NetSPI · Jul 19, 2024 · 2d01566 · 2d01566
2 parents c82938e + 002c0b6
commit 2d01566
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda b/Filter/Proxy/HTTP/HighlightParamMinerTargets.bambda
@@ -0,0 +1,54 @@
+/**
+ * Filters non-empty 200 json-based response classes which can be used to find easy routes to attack with the paramminer guess json params and a custom wordlist, ie:
+ * 
+ // $ cat your-oas-api-spec-doc.json | jq -r '.components.schemas.[].properties? | keys? | .[]' | sort -u > json-wordlist.txt 
+ * 
+ * @author GangGreenTemperTatum (https://github.com/GangGreenTemperTatum)
+ **/
+
+ var configNoFilter = false;        // if set to false, won't show JS, GIF, JPG, PNG, CSS.
+ var configInScopeOnly = true;      // if set to true, won't show out-of-scope items
+
+ if (!requestResponse.hasResponse() || (configInScopeOnly && !requestResponse.request().isInScope()) || !requestResponse.response().isStatusCodeClass(StatusCodeClass.CLASS_2XX_SUCCESS))  
+{  
+    return false;  
+}  
+
+var request = requestResponse.request();  
+var response = requestResponse.response();  
+
+ // Process path and mimeType for filtering
+ var path = request.pathWithoutQuery().toLowerCase();
+ var mimeType = requestResponse.mimeType();
+ var filterDenyList = mimeType != MimeType.CSS
+  && mimeType != MimeType.IMAGE_UNKNOWN
+  && mimeType != MimeType.IMAGE_JPEG
+  && mimeType != MimeType.IMAGE_GIF
+  && mimeType != MimeType.IMAGE_PNG
+  && mimeType != MimeType.IMAGE_BMP
+  && mimeType != MimeType.IMAGE_TIFF
+  && mimeType != MimeType.UNRECOGNIZED
+  && mimeType != MimeType.SOUND
+  && mimeType != MimeType.VIDEO
+  && mimeType != MimeType.FONT_WOFF
+  && mimeType != MimeType.FONT_WOFF2
+  && mimeType != MimeType.APPLICATION_UNKNOWN
+  && !path.endsWith(".js")
+  && !path.endsWith(".gif")
+  && !path.endsWith(".jpg")
+  && !path.endsWith(".png")
+  && !path.endsWith(".css");
+
+ // If filtering is not applied or the deny list conditions are met, proceed to check content type
+ if (configNoFilter || filterDenyList) {
+     // verify that the request is a POST, PUT, or PATCH and that the response is json
+     if (request.method().equals("POST") || request.method().equals("PATCH") || request.method().equals("PUT")) {
+         var contentType = response.headerValue("Content-Type");
+         // verify the content-type is json
+         if (contentType != null && contentType.contains("application/json")) {
+             return true;
+         }
+     }
+ }
+
+ return false; // Ensure method returns a boolean in all cases