GerbenJavado / LinkFinder

A Python script that finds endpoints in JavaScript files
https://gerbenjavado.com/discovering-hidden-content-using-linkfinder
MIT License
3.7k stars 595 forks

Reduce false positives by setting minlength #47

Open GerbenJavado opened 5 years ago

GerbenJavado commented 5 years ago

In some testing I noticed we might be able to reduce a lot of false positives by introducing a min length for a URL. Now stuff like `./zh-tw` or even `/./` are valid. If we set a min-length of 5-7 characters this would limit a lot of them.

What do you think of this @EdOverflow and @Bankde? What would be the ideal tradeoff here? Maybe even more than 7 characters min?

GerbenJavado commented 5 years ago

Another possible improvement is to delete the context if it exceeds a certain amount of characters. This is sometimes a problem now because there is too much on one line.

EdOverflow commented 5 years ago

Setting limits sounds like a reasonable way of tackling this problem to me. :+1:

Bankde commented 5 years ago

For minlength, I have seen some jQuery like this:

```javascript
path = "api/" + endpoint;
```

A length limit would miss these findings. I'm still OK with a length limit; however, it's a good idea to make it an option/configurable.

For deleting context, I think the root cause comes from jsbeautifier somehow not splitting the line as it should. I don't know why, but I'll look into it. Deleting very long context looks good as a preliminary solution. If I find a better solution, I will open a PR later.
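
The tradeoff discussed in this thread, as an added example (not LinkFinder's code and not written by any commenter): a configurable minimum length plus context trimming, run on the strings mentioned above. `Finding`, `trim_context`, `filter_findings`, the `/api/v1/users` sample and the thresholds are assumptions made for illustration.

```python
# Added illustration; not LinkFinder's code. All names here are hypothetical.
from dataclasses import dataclass


@dataclass
class Finding:
    link: str      # string matched as a possible endpoint
    context: str   # source line the match was found on


def trim_context(finding, max_context):
    """Keep at most max_context characters of context, centred on the match."""
    ctx = finding.context
    if max_context is None or len(ctx) <= max_context:
        return ctx
    pos = ctx.find(finding.link)
    if pos < 0 or len(finding.link) >= max_context:
        return ctx[:max_context] + "..."
    pad = (max_context - len(finding.link)) // 2
    start = max(0, pos - pad)
    end = min(len(ctx), start + max_context)
    start = max(0, end - max_context)  # re-anchor when the match sits near the end
    return ("..." if start > 0 else "") + ctx[start:end] + ("..." if end < len(ctx) else "")


def filter_findings(findings, min_length=0, max_context=None):
    """Split findings into (kept, dropped); dropped ones stay reviewable."""
    kept, dropped = [], []
    for f in findings:
        trimmed = Finding(f.link, trim_context(f, max_context))
        (kept if len(f.link) >= min_length else dropped).append(trimmed)
    return kept, dropped


# Constructed sample input using the strings mentioned in the thread.
SAMPLE = [
    Finding("./zh-tw", 'locale = "./zh-tw";'),
    Finding("/./", 'sep = "/./";'),
    Finding("api/", 'path = "api/" + endpoint;'),
    Finding("/api/v1/users", "x" * 200 + 'fetch("/api/v1/users")' + "y" * 200),
]

if __name__ == "__main__":
    for n in (0, 5, 8):
        kept, dropped = filter_findings(SAMPLE, min_length=n, max_context=60)
        print(n, [f.link for f in kept], "dropped:", [f.link for f in dropped])
```

With a minimum of 5, `./zh-tw` still passes while `api/` is dropped, which is why the dropped list is returned rather than discarded.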