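--- a/bbot/core/helpers/interactsh.py
+++ b/bbot/core/helpers/interactsh.py
@@ -234,7 +234,9 @@ async def poll(self):
 
 try:
 r = await self.parent_helper.request(
-f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}", headers=headers
+f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}",
+headers=headers,
+timeout=15,
 )
 if r is None:
 raise InteractshError("Error polling interact.sh: No response from server")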
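Review bot: The new `timeout=15` on the poll request is a bare magic number with no rationale, and any other call site that needs the same bound would have to repeat it; consider a module-level constant (e.g. `POLL_TIMEOUT = 15`) or at least an inline comment such as `timeout=15,  # bound the wait so a hung interact.sh server cannot stall poll()`. It is also not visible from the hunk whether `parent_helper.request` returns None or raises on timeout; if it raises, the `if r is None` check below does not cover that case and it is handled only by whatever `except` follows the `try`, which lies outside the hunk. poll() begins and ends outside the hunk.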
10 changes: 9 additions & 1 deletion bbot/modules/lightfuzz/lightfuzz.py
Expand Up @@ -13,11 +13,13 @@ class lightfuzz(BaseModule):
"force_common_headers": False,
"enabled_submodules": ["sqli", "cmdi", "xss", "path", "ssti", "crypto", "serial"],
"disable_post": False,
"avoid_wafs": True,
}
options_desc = {
"force_common_headers": "Force emit commonly exploitable parameters that may be difficult to detect",
"enabled_submodules": "A list of submodules to enable. Empty list enabled all modules.",
"disable_post": "Disable processing of POST parameters, avoiding form submissions.",
"avoid_wafs": "Avoid running against confirmed WAFs, which are likely to block lightfuzz requests",
}

meta = {
Expand All @@ -38,6 +40,7 @@ async def setup(self):
self.disable_post = self.config.get("disable_post", False)
self.enabled_submodules = self.config.get("enabled_submodules")
self.interactsh_disable = self.scan.config.get("interactsh_disable", False)
self.avoid_wafs = self.scan.config.get("avoid_wafs", True)
self.submodules = {}

if not self.enabled_submodules:
Expand Down Expand Up @@ -167,8 +170,13 @@ async def finish(self):
except InteractshError as e:
self.debug(f"Error in interact.sh: {e}")

# If we've disabled fuzzing POST parameters, back out of POSTPARAM WEB_PARAMETER events as quickly as possible
async def filter_event(self, event):
# Unless configured specifically to do so, avoid running against confirmed WAFs
if self.avoid_wafs and any(tag in ["cdn-cloudflare", "cdn-akamai", "cdn-incapsula"] for tag in event.tags):
Collaborator


If we need to track which cloud providers are WAFs, this should be done in cloudcheck

Collaborator Author


is that possible now or do we want to hold for a cloudcheck feature?

Collaborator


Cloudcheck is about to get rustified so now is a good time to add it

self.debug(f"Skipping WEB_PARAMETER because it is likely to be blocked by a WAF. URL: {event.data['url']}")
return False

# If we've disabled fuzzing POST parameters, back out of POSTPARAM WEB_PARAMETER events as quickly as possible
if event.type == "WEB_PARAMETER" and self.disable_post and event.data["type"] == "POSTPARAM":
return False, "POST parameter disabled in lightfuzz module"
return True
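Review bot: `self.avoid_wafs` in setup() (the `@@ -38,6 +40,7 @@` hunk) is read from `self.scan.config`, while the option is declared in this module's own `options` dict and the sibling `disable_post` two lines above is read from `self.config`; if `scan.config` is the top-level scan config, as its use for `interactsh_disable` suggests, a preset's `lightfuzz: avoid_wafs: False` (lightfuzz-superheavy.yml in this same PR) would never be honored and the default True would always win. Suggest `self.avoid_wafs = self.config.get("avoid_wafs", True)`. In filter_event, the new WAF branch returns a bare `False` while the POST branch below it returns `(False, reason)`; for consistency with the existing filter-reason convention, `return False, "likely to be blocked by a WAF"`. The WAF check also runs before the `event.type == "WEB_PARAMETER"` test yet indexes `event.data['url']` in the debug line, so if this module ever receives another watched event type without a `url` key the log statement itself would raise — move the check after the type test or use `event.data.get('url')`. filter_event ends inside the hunk, but setup() continues outside it.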
2 changes: 1 addition & 1 deletion bbot/presets/web/lightfuzz-heavy.yml
@@ -1,4 +1,4 @@
description: Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery.
description: Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery. Avoids running against confirmed WAFs.

include:
- lightfuzz-medium
1 change: 1 addition & 0 deletions bbot/presets/web/lightfuzz-light.yml
Expand Up @@ -12,6 +12,7 @@ config:
lightfuzz:
enabled_submodules: [path,sqli,xss] # only look for the most common vulnerabilities
disable_post: True # don't send POST requests (less aggressive)
avoid_wafs: True

conditions:
- |
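Review bot: The added `avoid_wafs: True` in lightfuzz-light.yml carries no trailing comment, unlike the neighbouring `enabled_submodules` and `disable_post` keys, and True is already the module default declared in lightfuzz.py, so the line documents intent rather than changing behavior; make that explicit with `avoid_wafs: True # don't fuzz parameters on hosts tagged as a known WAF/CDN (already the default)`. The same applies to `avoid_wafs: False` in lightfuzz-superheavy.yml, where a comment matters more because it switches the protection off: `avoid_wafs: False # fuzz even hosts tagged as a known WAF/CDN (more aggressive; requests are likely to be blocked)`.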
2 changes: 1 addition & 1 deletion bbot/presets/web/lightfuzz-medium.yml
@@ -1,4 +1,4 @@
description: Discover web parameters and lightly fuzz them for vulnerabilities. Uses all lightfuzz modules, without some of the more intense discovery techniques. Does not send POST requests. This is the default lightfuzz preset; if you're not sure which one to use, this is a good starting point.
description: Discover web parameters and lightly fuzz them for vulnerabilities. Uses all lightfuzz modules, without some of the more intense discovery techniques. Does not send POST requests. This is the default lightfuzz preset; if you're not sure which one to use, this is a good starting point. Avoids running against confirmed WAFs.

include:
- lightfuzz-light
1 change: 1 addition & 0 deletions bbot/presets/web/lightfuzz-superheavy.yml
Expand Up @@ -9,5 +9,6 @@ config:
lightfuzz:
force_common_headers: True # Fuzz common headers like X-Forwarded-For even if they're not observed on the target
enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss]
avoid_wafs: False
excavate:
speculate_params: True # speculate potential parameters extracted from JSON/XML web responses
2 changes: 1 addition & 1 deletion bbot/presets/web/lightfuzz-xss.yml
@@ -1,4 +1,4 @@
description: Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module.
description: Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. Avoids running against confirmed WAFs. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module.

modules:
- httpx