blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Ability to Not Print "Not Reflected" Reports of Paramminer on Output.ndjson #1330

Open TheTechromancer opened 2 months ago

TheTechromancer commented 2 months ago

Discussed in https://github.com/blacklanternsecurity/bbot/discussions/1329

Originally posted by **amiremami** April 29, 2024

> It would be great if it were possible to add a config option for paramminer to not print not-reflected items into output.ndjson
>
> ![image](https://github.com/blacklanternsecurity/bbot/assets/15929497/80621915-dfd8-4627-a14d-9b2373b3be67)
>
> Thanks 🙏

liquidsec commented 2 months ago

I think I'd rather have the generic ability to filter by tags in the output module, rather than something specific just for this one tag in paramminer. @TheTechromancer thoughts?

TheTechromancer commented 2 months ago

Tags are a good idea but we should try and consider users who are only scanning for vulnerabilities and don't plan on doing manual fuzzing. To them I think only the reflected ones would be interesting, so it might make sense to have a filter option on the module.

On the other hand, even the reflected ones sometimes don't result in a vulnerability. So until we have a more complete web scanning family with PARAM events, if we just want to say the paramminer modules are for advanced users only, that's fine too.

liquidsec commented 2 months ago

The Lightfuzz branch will change how all of these work, so I am very hesitant to make changes like this now (there will be an entirely new event type, WEB_PARAMETER). This is also why I was leaning towards making a generic option to filter by tags.
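Until a tag filter exists in the output module itself, the same effect can be had by post-filtering output.ndjson. The script below is an added example, not code from bbot or from anyone in this thread; it assumes each NDJSON line is an event object carrying a `tags` list, and the tag strings in the constructed sample (`reflected`, `not-reflected`) are assumptions rather than bbot's actual tag names.

```python
import json
import sys
from typing import Iterable, Iterator

# Constructed sample of NDJSON lines in the general shape of bbot events
# (type / data / tags). Tag names here are assumptions for illustration.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"type": "FINDING", "module": "paramminer_getparams",
                "data": {"description": "id reflected (assumed sample)"},
                "tags": ["reflected", "in-scope"]}),
    json.dumps({"type": "FINDING", "module": "paramminer_getparams",
                "data": {"description": "debug not reflected (assumed sample)"},
                "tags": ["not-reflected", "in-scope"]}),
    json.dumps({"type": "DNS_NAME", "module": "TARGET",
                "data": "example.com", "tags": ["in-scope", "target"]}),
    "",                  # blank line: skipped, not an error
    "{not valid json",   # malformed line: skipped, not a crash
])


def filter_events(lines: Iterable[str], exclude_tags: set[str]) -> Iterator[dict]:
    """Yield parsed events whose tags do not intersect exclude_tags.

    Blank and unparseable lines are dropped silently so a partially
    written or truncated output file does not abort the whole filter.
    """
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        tags = set(event.get("tags") or [])
        if tags & exclude_tags:
            continue
        yield event


def filter_ndjson(text: str, exclude_tags: set[str]) -> list[dict]:
    """Convenience wrapper: filter a whole NDJSON document held in memory."""
    return list(filter_events(text.splitlines(), exclude_tags))


if __name__ == "__main__":
    # Usage: python filter.py output.ndjson tag1 tag2 ...  (or no args for the sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NDJSON.splitlines()
    drop = set(sys.argv[2:]) or {"not-reflected"}
    for ev in filter_events(src, drop):
        print(json.dumps(ev))
```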