Arjun/arjun/plugins/heuristic.py

import re

from arjun.core.utils import extract_js

re_not_junk = re.compile(r'^[A-Za-z0-9_]+$')
def is_not_junk(param):
    return re_not_junk.match(param)

# TODO: for map keys, javascript tolerates { param: "value" }
re_input_names = re.compile(r'''(?i)<input.+?name=["']?([^"'\s>]+)''')
re_input_ids = re.compile(r'''(?i)<input.+?id=["']?([^"'\s>]+)''')
re_empty_vars = re.compile(r'''([^\s!=<>]+)\s*=\s*(?:['"`]{2}|true|false|null)''')
re_map_keys = re.compile(r'''([^'"]+)['"]:\s?['"`]''')
def heuristic(response, wordlist):
    potential_params = []

    # Parse Inputs
    input_names = re_input_names.findall(response)
    potential_params += input_names

    input_ids = re_input_ids.findall(response)
    potential_params += input_ids

    # Parse Scripts
    for script in extract_js(response):
        empty_vars = re_empty_vars.findall(script)
        potential_params += empty_vars

        map_keys = re_map_keys.findall(script)
        potential_params += map_keys

    if len(potential_params) == 0:
        return []

    found = set()
    for word in potential_params:
        if is_not_junk(word) and (word not in found):
            found.add(word)

            if word in wordlist:
                wordlist.remove(word)
            wordlist.insert(0, word)

    return list(found)
added plugins for passive parameter collection 2020-12-06 15:03:58 +05:30			`import re`

2.1.0 build 2021-02-07 19:43:30 +05:30			`from arjun.core.utils import extract_js`
added plugins for passive parameter collection 2020-12-06 15:03:58 +05:30
heueristic: added input ids, improved speed 2021-06-10 13:03:46 +03:00			`re_not_junk = re.compile(r'^[A-Za-z0-9_]+$')`
			`def is_not_junk(param):`
			`return re_not_junk.match(param)`
2.1.0 build 2021-02-07 19:43:30 +05:30
heueristic: added input ids, improved speed 2021-06-10 13:03:46 +03:00			`# TODO: for map keys, javascript tolerates { param: "value" }`
			`re_input_names = re.compile(r'''(?i)<input.+?name=["']?([^"'\s>]+)''')`
			`re_input_ids = re.compile(r'''(?i)<input.+?id=["']?([^"'\s>]+)''')`
			re_empty_vars = re.compile(r'''([^\s!=<>]+)\s=\s(?:['"`]{2}\|true\|false\|null)''')
			re_map_keys = re.compile(r'''([^'"]+)['"]:\s?['"`]''')
2.1.0 build 2021-02-07 19:43:30 +05:30			`def heuristic(response, wordlist):`
heueristic: added input ids, improved speed 2021-06-10 13:03:46 +03:00			`potential_params = []`

			`# Parse Inputs`
			`input_names = re_input_names.findall(response)`
			`potential_params += input_names`

			`input_ids = re_input_ids.findall(response)`
			`potential_params += input_ids`

			`# Parse Scripts`
added plugins for passive parameter collection 2020-12-06 15:03:58 +05:30			`for script in extract_js(response):`
heueristic: added input ids, improved speed 2021-06-10 13:03:46 +03:00			`empty_vars = re_empty_vars.findall(script)`
			`potential_params += empty_vars`

			`map_keys = re_map_keys.findall(script)`
			`potential_params += map_keys`

			`if len(potential_params) == 0:`
			`return []`

			`found = set()`
			`for word in potential_params:`
			`if is_not_junk(word) and (word not in found):`
			`found.add(word)`

			`if word in wordlist:`
			`wordlist.remove(word)`
			`wordlist.insert(0, word)`

			`return list(found)`