
[FEATURE] Extensible Auto-calibration strategies #694

Merged
merged 9 commits into from
Sep 15, 2023

aristosMiliaressis
Contributor

@aristosMiliaressis aristosMiliaressis commented Jun 15, 2023

Description

Added an autocalibration strategy extra that uses a list of commonly blacklisted files to detect & filter blacklisted responses

Fixes: #689

@aristosMiliaressis aristosMiliaressis changed the title [FEATURE] blacklist detection [FEATURE] Autocalibration strategy "extra" to detect blacklist responses Jun 22, 2023
Member

@joohoi joohoi left a comment

There's a couple of linter issues that need fixing. In addition, as information for others that may have eyes on this PR, we're discussing a larger strategy (pun intended) for autocalibration OOB with @aristosMiliaressis

@aristosMiliaressis
Contributor Author

aristosMiliaressis commented Jul 4, 2023

Initial implementation refactored to allow for extensible auto-calibration strategies

-acs, --autocalibration-strategy (can be used with comma separated values or multiple times)
ffuf -acs advanced,waf
OR
ffuf -acs advanced -acs waf

sample strategies for reference

basic.json (default strategy, autogenerated for backwards compatibility)

{
	"basic_admin":["adminNFCTzMVyppxaVOUi","adminYEEzbfyp"],
	"basic_random":["CfrPyBYAvAYSqFgl","dPKhFxKq"],
	"htaccess":[".htaccessbeoigKocENPTFAUF",".htaccessRpTeQwbV"]
}

advanced.json (autogenerated for backwards compatibility)

{
	"admin_dir":["adminxJyMWnxrFSuymAXL/","adminKOwGZBBQ/"],
	"basic_admin":["adminhmPschjKHKniEDIH","adminUHMMvPHv"],
	"basic_random":["pcKqahbrJknwNYFH","dZQmyqXj"],
	"htaccess":[".htaccessrWgUxyDzDQzMXVHC",".htaccessxZzqfJSG"],
	"random_dir":["pNdPspnFahKlNMoe/","oFUPFxQF/"]
}

waf.json (custom strategy not auto generated)

{
	"WAF_PATH_XSS":["sgdsfgsgf/<script>alert(1)</script>","asdfasdfdsaf/<script>alert(22)</script>"],
	"WAF_PATH_LFI":["asdfaasg/../../etc/passwd","sadgfdsdfhgdf/../../etc/passwd"],
	"WAF_PATH_LFI2":["sadgkj/.../.../etc/passwd","asdsdfgfdgd/.../.../etc/passwd"],
	"WAF_DOUBLE_SLASH":["sadfghkj//etc//passwd","sadfihuyus//etc//passwd"],
	"WAF_FUZZY_CHAR":["sdfgdsfg::~$()><'!","asfdasdfjlk::~$()><'!"],
	"WAF_FUZZY_CHAR2":["pNdPspnFahKlNMoe%20/","oFUPFxQF%20/"],
	"WAF_FUZZY_CHAR3":["pNdPspnFahKlNMoe%0a.html","oFUPFxQF%0a.html"],
	"WAF_QUERY_XSS":["pNdPspnFahKlNMoe?x=<script>alert(1)</script>","oFUPFxQF?x=<script>alert(22)</script>"],
	"WAF_FUZZY_QUERY":["pNdPspnFahKlNMoe?x=::~$()><'!","oFUPFxQF?x=~$()><'!:::"]
}
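
The `-acs` value handling and the strategy file format described in the comment above, as an added Go example that is not ffuf's own code. The function names, the in-memory `sampleFiles` map (standing in for strategy files on disk) and the choice to concatenate inputs when two strategies define the same group are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample strategy files, abbreviated from the ones in the comment.
var sampleFiles = map[string]string{
	"basic":    `{"basic_admin":["adminNFCTzMVyppxaVOUi","adminYEEzbfyp"]}`,
	"advanced": `{"basic_admin":["adminhmPschjKHKniEDIH","adminUHMMvPHv"],"random_dir":["pNdPspnFahKlNMoe/","oFUPFxQF/"]}`,
	"waf":      `{"WAF_FUZZY_CHAR2":["pNdPspnFahKlNMoe%20/","oFUPFxQF%20/"]}`,
}

// splitStrategies flattens repeated and comma separated -acs values, in order, without duplicates.
func splitStrategies(flagValues []string) []string {
	seen := map[string]bool{}
	var names []string
	for _, v := range flagValues {
		for _, n := range strings.Split(v, ",") {
			if n = strings.TrimSpace(n); n != "" && !seen[n] {
				seen[n] = true
				names = append(names, n)
			}
		}
	}
	return names
}

// mergeStrategies parses each named strategy and merges its groups (assumed policy:
// concatenate inputs of same-named groups). An unknown name gives empty JSON, an error.
func mergeStrategies(names []string, files map[string]string) (map[string][]string, error) {
	merged := map[string][]string{}
	for _, name := range names {
		var groups map[string][]string
		if err := json.Unmarshal([]byte(files[name]), &groups); err != nil {
			return nil, fmt.Errorf("strategy %q: %w", name, err)
		}
		for group, inputs := range groups {
			merged[group] = append(merged[group], inputs...)
		}
	}
	return merged, nil
}

func main() {
	merged, err := mergeStrategies(splitStrategies([]string{"advanced", "waf"}), sampleFiles)
	fmt.Println(len(merged), err)
}
```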

@aristosMiliaressis aristosMiliaressis changed the title [FEATURE] Autocalibration strategy "extra" to detect blacklist responses [FEATURE] Extensible Auto-calibration strategies Jul 4, 2023
@aristosMiliaressis aristosMiliaressis requested a review from joohoi July 4, 2023 12:32
@joohoi
Member

joohoi commented Sep 12, 2023

Hi, sorry for taking some time to get back on this. There are two linter issues (unused struct members), but other than that it looks good to merge!

Member

@joohoi joohoi left a comment

I fixed the linter issues and merge conflicts in order to get this merged before the release, LGTM!

@joohoi joohoi merged commit e80fdc4 into ffuf:master Sep 15, 2023
Successfully merging this pull request may close these issues.

Feature: Blacklist Detection
2 participants