x8 version:
[INF] Current Version: 4.2.0
Current Behavior:
If the application handles parameter names by a pattern (here: any name beginning with a given prefix), x8 keeps iterating without recognising that pattern and reports every wordlist entry that matches it as a newly found parameter.
Expected Behavior:
Detect the substring the server actually responds to and, when parameter names on the page are matched by such a pattern, stop brute-forcing the wordlist entries that contain that substring.
Steps To Reproduce:
x8 -u "https://mobi.yandex.com/support/direct/strategies/priority-goals.html"
Output Found: document, forgotpassword, formParams, form_token, format, formatdistribution, formatdown, formats, formatted_date, formatup, formautosave, formbuildertestmodel, formdata, formfactor, formid, formname, formsubmit, formtoken, formtype_db, formtype_db_x, formtype_mail, formtype_mail_x, lang, query, service
Here the shared substring is the prefix "form".
The server responds to any parameter name starting with "form" by emitting a JavaScript array on the page called formParams, so every such name is reflected even though only the prefix matters.
The formParams array can be seen in the response for the following request:
https://mobi.yandex.com/support/direct/strategies/priority-goals.html?form_token=ttt&format=ttt&formatdistribution=ttt&formatdown=ttt&formats=ttt&formatted_date=ttt&formatup=ttt&formautosave=ttt&formbuildertestmodel=ttt&formdata=ttt&formfactor=ttt&formid=ttt&formname=ttt&formsubmit=ttt&formtoken=ttt&formtype_db=ttt&formtype_db_x=ttt&formtype_mail=ttt&formtype_mail_x=ttt&lann=ttt
OS: Windows 10, Ubuntu 18.04
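One way the requested behaviour could be implemented, written here as an added example rather than x8's own code: once a batch of "found" names shares a prefix, grow that prefix while most of the matching names still agree on the next character, then prune the remaining wordlist of entries the prefix already explains. The function names, the thresholds (`min_len`, `min_support`, `keep_ratio`) and the heuristic itself are assumptions; the sample parameter list is the one reported above.

```rust
use std::collections::HashMap;

/// Detect a prefix shared by many discovered parameter names (assumed heuristic).
///
/// `min_len`: shortest prefix worth treating as a pattern (avoids "f", "fo").
/// `min_support`: how many found names must share the seed before it counts.
/// `keep_ratio`: the prefix grows by one character only while at least this
/// fraction of the names that matched the seed still match the longer prefix.
pub fn detect_prefix_pattern(
    found: &[&str],
    min_len: usize,
    min_support: usize,
    keep_ratio: f64,
) -> Option<String> {
    // Seed candidates: the first `min_len` characters of every name.
    let mut seeds: HashMap<&str, usize> = HashMap::new();
    for name in found {
        if name.is_char_boundary(min_len) {
            *seeds.entry(&name[..min_len]).or_insert(0) += 1;
        }
    }
    // Most frequent seed wins; ties broken alphabetically so the result is deterministic.
    let (seed, base) = seeds
        .into_iter()
        .max_by(|a, b| a.1.cmp(&b.1).then_with(|| b.0.cmp(a.0)))?;
    if base < min_support {
        return None;
    }
    let mut prefix = seed.to_string();
    loop {
        // Tally the next character across every name still matching the prefix.
        let mut next: HashMap<char, usize> = HashMap::new();
        for name in found {
            if let Some(rest) = name.strip_prefix(prefix.as_str()) {
                if let Some(c) = rest.chars().next() {
                    *next.entry(c).or_insert(0) += 1;
                }
            }
        }
        match next
            .into_iter()
            .max_by(|a, b| a.1.cmp(&b.1).then_with(|| b.0.cmp(&a.0)))
        {
            // Extend only while the dominant continuation keeps most of the support.
            Some((c, n)) if (n as f64) >= keep_ratio * (base as f64) => prefix.push(c),
            _ => return Some(prefix),
        }
    }
}

/// Drop wordlist entries the detected pattern already explains, so they are
/// not re-reported individually as "found" parameters.
pub fn prune_wordlist<'a>(words: &[&'a str], pattern: &str) -> Vec<&'a str> {
    words
        .iter()
        .copied()
        .filter(|w| !w.starts_with(pattern))
        .collect()
}

fn main() {
    // The parameter names reported as "found" in the issue above.
    let found = [
        "document", "forgotpassword", "formParams", "form_token", "format",
        "formatdistribution", "formatdown", "formats", "formatted_date", "formatup",
        "formautosave", "formbuildertestmodel", "formdata", "formfactor", "formid",
        "formname", "formsubmit", "formtoken", "formtype_db", "formtype_db_x",
        "formtype_mail", "formtype_mail_x", "lang", "query", "service",
    ];
    // Constructed remainder of a wordlist, to show pruning.
    let remaining = ["formula", "formatx", "user", "page"];
    match detect_prefix_pattern(&found, 4, 5, 0.8) {
        Some(p) => {
            println!("pattern detected: {}*", p);
            println!("still worth testing: {:?}", prune_wordlist(&remaining, &p));
        }
        None => println!("no shared prefix pattern"),
    }
}
```

With the reported list and `min_len = 4` the seed "form" has 20 supporters; the most common next character ('a', 7 names) falls below 80% of that, so the pattern stays at "form" and only the non-"form" words remain to be tested. With a list where every match continues identically (e.g. several `formtype_*` names) the prefix grows to `formtype_` before stopping.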