Closed nrathaus closed 7 months ago
Ahh, I'm aware of this issue.
- I'll need to filter out GET methods without any query params. This will fix generating unnecessary tests and using bandwidth.
- Currently, re-sending payload will require extra handling. I want to implement another class function which can be used for verifying vulnerability. For now, I'm transferring this problem to the user, until I figure out a long term solution. For now users can use the -pr tag for verifying vulnerability in a specific endpoint.

Maybe a good idea (generally speaking) would be to add this https://github.com/ofw/curlify to the results? It will allow easier recreation of the finding outside of the tool?

> On Mon, 6 May 2024 at 16:55, dmdhrumilmistry wrote:
> Ahh, I'm aware of this issue.
> - I'll need to filter out GET methods without any query params. This will fix generating unnecessary tests and using bandwidth.
> - Currently, re-sending payload will require extra handling. I want to implement another class function which can be used for verifying vulnerability. For now, I'm transferring this problem to the user, until I figure out a long term solution. For now users can use the -pr tag for verifying vulnerability in a specific endpoint.
> — Reply to this email directly, view it on GitHub https://github.com/OWASP/OFFAT/issues/96#issuecomment-2096077132
Nice suggestion, I would also love this kind of feature in the tool. I'll need to find an alternative for this since OFFAT uses aiohttp instead of requests. Additionally, curlify doesn't seem to be maintained anymore.
Not sure what the status of this is: https://github.com/vzhirnov/asyncurlify
Even if it's not maintained, the code base seems pretty easy to integrate/use/assimilate.
Ohh great, thanks for sharing. Before I saw your comment, I'd already written a custom util function to curlify the result.
Hopefully, #101 should reduce false positives for most of the test cases.
The curl command can be found in the exported JSON results.
Broken Crystals is a demo site (listed here: https://owasp.org/www-project-vulnerable-web-applications-directory/ ) that can be used for testing your skills/software.
The site highlights a few false positives that the engine generates; the most notable one is this one:

A few issues here:
{7*7} is not sent - this test should have been skipped or, at the very least:
A. Check if the 49 appears without sending anything
B. If it appears because of our payload, try another similar payload like {8*8}, and if that also matches - return it as vulnerable
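One way to implement the two-step check proposed above (an added example, not OFFAT's own code): the HTTP layer is hidden behind a `send` callable so the logic can be exercised offline against constructed stand-ins, and the check is generalised from the {7*7}/{8*8} pair to a list of probes that must all agree before a finding is reported.

```python
import re
from typing import Callable, Optional

# Arithmetic probes with distinct results. A template engine evaluates every
# one of them; a page that merely happens to contain "49" matches only one.
PROBES = (("{7*7}", "49"), ("{8*8}", "64"), ("{9*9}", "81"))


def confirm_ssti(send: Callable[[Optional[str]], str], min_probes: int = 2) -> bool:
    """Return True only when the endpoint appears to evaluate template
    expressions. `send(payload)` issues the request with `payload` in the
    parameter under test (None = the unmodified baseline request) and returns
    the response body; the caller owns the HTTP layer (aiohttp in OFFAT).
    """
    baseline = send(None)
    confirmed = 0
    for payload, expected in PROBES:
        # Step A: if the expected value is already in the baseline response,
        # a later match proves nothing, so this probe is inconclusive.
        if expected in baseline:
            continue
        body = send(payload)
        # Step B: the result missing from the response means the expression
        # was not evaluated; a single failed probe rules the finding out.
        if expected not in body:
            return False
        confirmed += 1
    # Require independent agreement from at least `min_probes` probes.
    return confirmed >= min_probes


# Constructed stand-ins for the HTTP layer so the check runs offline.
def vulnerable_app(payload: Optional[str]) -> str:
    """Constructed: evaluates {a*b} the way a naive template engine would."""
    if payload is None:
        return "<h1>Welcome</h1>"
    m = re.fullmatch(r"\{(\d+)\*(\d+)\}", payload)
    return f"<h1>Welcome {int(m[1]) * int(m[2]) if m else payload}</h1>"


def stock_page(payload: Optional[str]) -> str:
    """Constructed: always shows '49 items' and echoes input unevaluated,
    which is exactly the false-positive case described in the issue."""
    return f"<p>49 items in stock</p><p>{payload or ''}</p>"


if __name__ == "__main__":
    print("vulnerable_app:", confirm_ssti(vulnerable_app))  # True
    print("stock_page:", confirm_ssti(stock_page))          # False
```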