Skip to content

geeknik/Gf-Patterns

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

110 Commits
.github
.github
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
License.md
License.md
 
 
README.md
README.md
 
 
activemq.json
activemq.json
 
 
base64.json
base64.json
 
 
citrix.json
citrix.json
 
 
coldfusion.json
coldfusion.json
 
 
cors.json
cors.json
 
 
cve-2021-44278.json
cve-2021-44278.json
 
 
debug_logic.json
debug_logic.json
 
 
deserialization.json
deserialization.json
 
 
docker.json
docker.json
 
 
dotnet-serialized.json
dotnet-serialized.json
 
 
errors.json
errors.json
 
 
exchange.json
exchange.json
 
 
firebase.json
firebase.json
 
 
fw.json
fw.json
 
 
go-functions.json
go-functions.json
 
 
graphql.json
graphql.json
 
 
http-auth.json
http-auth.json
 
 
idor.json
idor.json
 
 
img-traversal.json
img-traversal.json
 
 
interestingEXT.json
interestingEXT.json
 
 
interestingparams.json
interestingparams.json
 
 
interestingsubs.json
interestingsubs.json
 
 
ip-addresses.json
ip-addresses.json
 
 
java-serialized.json
java-serialized.json
 
 
json-sec.json
json-sec.json
 
 
jsvar.json
jsvar.json
 
 
jwt.json
jwt.json
 
 
kubernetes.json
kubernetes.json
 
 
laravel.json
laravel.json
 
 
lfi.json
lfi.json
 
 
log4j.json
log4j.json
 
 
meg-headers.json
meg-headers.json
 
 
nosql.json
nosql.json
 
 
oauth.json
oauth.json
 
 
pdf.json
pdf.json
 
 
php-curl.json
php-curl.json
 
 
php-errors.json
php-errors.json
 
 
php-serialized.json
php-serialized.json
 
 
php-sinks.json
php-sinks.json
 
 
php-sources.json
php-sources.json
 
 
prototype-pollution.json
prototype-pollution.json
 
 
rce.json
rce.json
 
 
redirect.json
redirect.json
 
 
s3-buckets.json
s3-buckets.json
 
 
saml.json
saml.json
 
 
secrets.json
secrets.json
 
 
servers.json
servers.json
 
 
smuggling.json
smuggling.json
 
 
spring.json
spring.json
 
 
sqli.json
sqli.json
 
 
ssrf.json
ssrf.json
 
 
ssti.json
ssti.json
 
 
strings.json
strings.json
 
 
struts.json
struts.json
 
 
takeovers.json
takeovers.json
 
 
upload.json
upload.json
 
 
urls-extract.json
urls-extract.json
 
 
validate.sh
validate.sh
 
 
websocket.json
websocket.json
 
 
xss.json
xss.json
 
 
xxe.json
xxe.json
 
 
yii.json
yii.json
 
 

Repository files navigation

Gf-Patterns V 2.0

New GF by Twitter

gf is a wrapper around grep to help you grep for things. These patterns aid in security research, bug bounty hunting, and vulnerability assessments.

Installation

Go Path Setup

Go Path Setup

Install gf with Go:

go install github.com/tomnomnom/gf@latest

Enable Auto-completion

For go install:

echo 'source $GOPATH/pkg/mod/github.com/tomnomnom/gf@*/gf-completion.bash' >> ~/.bashrc

For go get:

echo 'source $GOPATH/src/github.com/tomnomnom/gf/gf-completion.bash' >> ~/.bashrc

Restart your terminal or run source ~/.bashrc.

Install Patterns

Clone and install patterns:

git clone https://github.com/geeknik/Gf-Patterns
mkdir -p ~/.gf
mv ~/Gf-Patterns/*.json ~/.gf

Usage

# Find SSRF parameters in URLs
cat urls.txt | gf ssrf

# Find redirect parameters
cat urls.txt | gf redirect

# Chain with other tools
cat subdomains.txt | waybackurls | gf sqli | tee -a sqli_params.txt

Pattern File Format

Patterns are JSON files with grep flags and pattern arrays:

{
    "flags": "-iE",
    "patterns": [
        "param1=",
        "param2=",
        "param3="
    ]
}

Available flags:

  • -i : Case insensitive
  • -E : Extended regex
  • -v : Invert match
  • -o : Output only matched part

Available Pattern Files

Web Vulnerabilities

Pattern File Description
sqli.json SQL Injection parameters
xss.json Cross-Site Scripting parameters
rce.json Remote Code Execution parameters and command separators
ssrf.json Server-Side Request Forgery (includes cloud metadata)
lfi.json Local File Inclusion (includes Windows paths)
ssti.json Server-Side Template Injection
xxe.json XML External Entity vulnerabilities
idor.json Insecure Direct Object Reference (includes UUID/hash)
redirect.json Open redirect parameters
nosql.json NoSQL Injection (MongoDB, etc.)
deserialization.json Insecure deserialization patterns
smuggling.json HTTP request smuggling patterns
upload.json File upload vulnerabilities

API & Authentication

Pattern File Description
jwt.json JWT/JWE token detection
oauth.json OAuth and SSO parameters
saml.json SAML parameters
graphql.json GraphQL endpoints and injection
cors.json CORS misconfiguration
api-keys.json API key detection patterns

Client-Side

Pattern File Description
prototype-pollution.json JavaScript prototype pollution
websocket.json WebSocket endpoints

Discovery & Recon

Pattern File Description
debug_logic.json Debug parameters and config endpoints
interestingparams.json Interesting URL parameters (combined)
interestingsubs.json Interesting subdomain keywords
interestingEXT.json Interesting file extensions
img-traversal.json Image file extensions for traversal
jsvar.json JavaScript variable assignments

Infrastructure & Cloud

Pattern File Description
s3-buckets.json AWS S3 bucket detection
secrets.json Secrets, credentials, and leaked keys
takeovers.json Subdomain takeover signatures
errors.json Debug pages, stack traces, error messages
docker.json Docker-related patterns
kubernetes.json Kubernetes API patterns

CVE-Specific

Pattern File Description
log4j.json Log4Shell / Log4j detection
cve-2021-44228.json Log4j JNDI injection patterns
struts.json Apache Struts vulnerabilities
spring.json Spring Framework vulnerabilities
exchange.json Microsoft Exchange (ProxyLogon, ProxyShell)
citrix.json Citrix ADC/NetScaler vulnerabilities
coldfusion.json Adobe ColdFusion vulnerabilities
yii.json Yii framework vulnerabilities
laravel.json Laravel framework vulnerabilities

Utility Patterns

Pattern File Description
urls-extract.json Extract URLs from text
base64.json Detect base64 encoded strings
ip-addresses.json IP address detection (IPv4, IPv6)
http-auth.json HTTP authentication patterns
servers.json Server software detection
firebase.json Firebase database detection
fw.json Firewall and WAF detection

PHP-Specific

Pattern File Description
php-sources.json PHP input sources ($_GET, $_POST, etc.)
php-sinks.json PHP dangerous functions
php-errors.json PHP error and warning detection
php-curl.json PHP curl/exec patterns
php-serialized.json PHP serialized objects

Other

Pattern File Description
pdf.json PDF-related parameters (XXE via PDF)
activemq.json Apache ActiveMQ patterns
go-functions.json Go language functions
strings.json String literals in code
json-sec.json JSON security patterns
meg-headers.json HTTP response headers

Pattern Categories by Use Case

Bug Bounty / URL Parameter Hunting

  • sqli, xss, rce, ssrf, lfi, ssti, xxe, idor, redirect, upload
  • debug_logic, interestingparams, oauth, jwt, cors, graphql

Code Auditing

  • secrets, php-sources, php-sinks, php-curl
  • jsvar, strings, base64, urls-extract

Reconnaissance

  • s3-buckets, takeovers, errors, interestingsubs, interestingEXT
  • servers, http-auth, ip-addresses, firebase, fw

Vulnerability Scanning

  • log4j, cve-2021-44228, struts, spring, exchange, citrix
  • coldfusion, yii, laravel, docker, kubernetes

Contributing

See CONTRIBUTING.md for guidelines.

Validation

Validate pattern files:

bash validate.sh

Credits

License

MIT License - See LICENSE or License.md

About

gf patterns for security research

deepforkcyber.com/

Topics

security rce sqli ssrf lfi security-research gf ssti idor tomnomnom grep-for

Resources

Readme

License

View license

Contributing

Contributing
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Languages

  • Shell 100.0%