├── .github ├── FUNDING.yml └── workflows │ ├── build.yml │ └── release.yml ├── .gitignore ├── go.mod ├── pkg ├── hqurlscann3r │ ├── regex.go │ ├── response.go │ ├── categorize.go │ ├── hqurlscann3r.go │ ├── results.go │ ├── request.go │ ├── bypass4xx.go │ └── params.go └── params │ └── params.go ├── go.sum ├── .goreleaser.yaml ├── LICENSE ├── internal └── configuration │ └── configuration.go ├── README.md ├── cmd └── hqurlscann3r │ └── main.go └── static └── params.json /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: ['https://www.buymeacoffee.com/enenumxela'] 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Executable 2 | 3 | cmd/hqurlscann3r/hqurlscann3r 4 | 5 | # Notes 6 | 7 | notes.txt -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/hueristiq/hqurlscann3r 2 | 3 | go 1.18 4 | 5 | require ( 6 | github.com/hueristiq/url v0.0.0-20220804093805-5ca3562ceccd 7 | github.com/logrusorgru/aurora/v3 v3.0.0 8 | ) 9 | 10 | require golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect 11 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/regex.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "regexp" 5 | "sync" 6 | ) 7 | 8 | var mutex = &sync.Mutex{} 9 | 10 | func newRegex(pattern string) (*regexp.Regexp, error) { 11 | mutex.Lock() 12 | defer mutex.Unlock() 13 | 14 | extractor, err := regexp.Compile(pattern) 15 | if err != nil { 16 | return nil, err 17 | } 18 | 19 | return extractor, nil 20 | } 21 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/hueristiq/url v0.0.0-20220804093805-5ca3562ceccd h1:jxn9nInf/VhfwoykQWgBD6Em+0LgzsbOVx4bAQjkC8A= 2 | github.com/hueristiq/url v0.0.0-20220804093805-5ca3562ceccd/go.mod h1:d1KLodOX5JbLj+7Mxf86YXM/5zHJ/ufmI1glC5iuBUE= 3 | github.com/logrusorgru/aurora/v3 v3.0.0 h1:R6zcoZZbvVcGMvDCKo45A9U/lzYyzl5NfYIvznmDfE4= 4 | github.com/logrusorgru/aurora/v3 v3.0.0/go.mod h1:vsR12bk5grlLvLXAYrBsb5Oc/N+LxAlxggSjiwMnCUc= 5 | golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b h1:3ogNYyK4oIQdIKzTu68hQrr4iuVxF3AxKl9Aj/eDrw0= 6 | golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= 7 | -------------------------------------------------------------------------------- /.goreleaser.yaml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod tidy 4 | 5 | builds: 6 | - 7 | binary: hqurlscann3r 8 | main: cmd/hqurlscann3r/main.go 9 | goos: 10 | - linux 11 | - windows 12 | - darwin 13 | goarch: 14 | - amd64 15 | - 386 16 | - arm 17 | - arm64 18 | 19 | archives: 20 | - 21 | id: tgz 22 | format: tar.gz 23 | replacements: 24 | darwin: macOS 25 | format_overrides: 26 | - 27 | goos: windows 28 | format: zip 29 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/response.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "reflect" 5 | "strings" 6 | ) 7 | 8 | type Response struct { 9 | StatusCode int 10 | ContentType string 11 | ContentLength int 12 | RedirectLocation string 13 | Headers map[string][]string 14 | Body []byte 15 | Raw string 16 | } 17 | 18 | func (response Response) IsEmpty() bool { 19 | return reflect.DeepEqual(response, Response{}) 20 | } 21 | 22 | func (response Response) GetHeaderPart(header, sep string) string { 23 | value, ok := response.Headers[header] 24 | if ok && len(value) > 0 { 25 | tokens := strings.Split(strings.Join(value, " "), sep) 26 | return tokens[0] 27 | } 28 | 29 | return "" 30 | } 31 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: build 🔨 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | workflow_dispatch: 8 | 9 | jobs: 10 | build: 11 | name: build 12 | runs-on: ubuntu-latest 13 | steps: 14 | - 15 | name: Check out code 16 | uses: actions/checkout@v3 17 | with: 18 | fetch-depth: 0 19 | - 20 | name: Set up Go 21 | uses: actions/setup-go@v3 22 | with: 23 | go-version: '>=1.17.0' 24 | - 25 | name: Build 26 | run: go build -v . 27 | working-directory: ./cmd/hqurlscann3r -------------------------------------------------------------------------------- /pkg/params/params.go: -------------------------------------------------------------------------------- 1 | package params 2 | 3 | import ( 4 | "errors" 5 | "io" 6 | "net/http" 7 | "os" 8 | "path" 9 | ) 10 | 11 | func File() (file string) { 12 | userHomeDir, _ := os.UserHomeDir() 13 | return userHomeDir + "/.hqurlscann3r/params.json" 14 | } 15 | 16 | func UpdateOrDownload(file string) (err error) { 17 | directory, filename := path.Split(file) 18 | 19 | if _, err := os.Stat(directory); os.IsNotExist(err) { 20 | if directory != "" { 21 | if err = os.MkdirAll(directory, os.ModePerm); err != nil { 22 | return err 23 | } 24 | } 25 | } 26 | 27 | paramsFile, err := os.Create(directory + filename) 28 | if err != nil { 29 | return err 30 | } 31 | defer paramsFile.Close() 32 | 33 | res, err := http.Get("https://raw.githubusercontent.com/hueristiq/hqurlscann3r/main/static/params.json") 34 | if err != nil { 35 | return err 36 | } 37 | 38 | if res.StatusCode != 200 { 39 | return errors.New("unexpected code") 40 | } 41 | 42 | defer res.Body.Close() 43 | 44 | if _, err = io.Copy(paramsFile, res.Body); err != nil { 45 | return err 46 | } 47 | 48 | return nil 49 | } 50 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Hueristiq 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: release 🎉 2 | 3 | on: 4 | create: 5 | tags: 6 | - v*.*.* 7 | workflow_dispatch: 8 | 9 | jobs: 10 | release: 11 | name: release 12 | runs-on: ubuntu-latest 13 | steps: 14 | - 15 | name: Check out code 16 | uses: actions/checkout@v3 17 | with: 18 | fetch-depth: 0 19 | - 20 | name: Set up Go 21 | uses: actions/setup-go@v3 22 | with: 23 | go-version: '>=1.17.0' 24 | - 25 | name: Get dependencies 26 | run: | 27 | go get -v -t -d ./... 28 | if [ -f Gopkg.toml ]; then 29 | curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh 30 | dep ensure 31 | fi 32 | - 33 | name: "Create release on GitHub" 34 | uses: goreleaser/goreleaser-action@v3 35 | env: 36 | GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 37 | with: 38 | args: "release --rm-dist" 39 | version: latest 40 | distribution: goreleaser -------------------------------------------------------------------------------- /pkg/hqurlscann3r/categorize.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | func (hqurlscann3r *Sigurlx) initCategories() { 4 | hqurlscann3r.JSRegex, _ = newRegex(`(?m).*?\.(js)(\?.*?|)$`) 5 | hqurlscann3r.DOCRegex, _ = newRegex(`(?m).*?\.(pdf|xlsx|doc|docx|txt)(\?.*?|)$`) 6 | hqurlscann3r.DATARegex, _ = newRegex(`(?m).*?\.(json|xml|csv)(\?.*?|)$`) 7 | hqurlscann3r.STYLERegex, _ = newRegex(`(?m).*?\.(css)(\?.*?|)$`) 8 | hqurlscann3r.MEDIARegex, _ = newRegex(`(?m).*?\.(jpg|jpeg|png|ico|svg|gif|webp|mp3|mp4|woff|woff2|ttf|eot|tif|tiff)(\?.*?|)$`) 9 | hqurlscann3r.ARCHIVERegex, _ = newRegex(`(?m).*?\.(zip|tar|tar\.gz)(\?.*?|)$`) 10 | } 11 | 12 | func (hqurlscann3r *Sigurlx) categorize(URL string) (category string, err error) { 13 | if match := hqurlscann3r.JSRegex.MatchString(URL); match { 14 | category = "js" 15 | } 16 | 17 | if category == "" { 18 | if match := hqurlscann3r.DOCRegex.MatchString(URL); match { 19 | category = "doc" 20 | } 21 | } 22 | 23 | if category == "" { 24 | if match := hqurlscann3r.DATARegex.MatchString(URL); match { 25 | category = "data" 26 | } 27 | } 28 | 29 | if category == "" { 30 | if match := hqurlscann3r.STYLERegex.MatchString(URL); match { 31 | category = "style" 32 | } 33 | } 34 | 35 | if category == "" { 36 | if match := hqurlscann3r.MEDIARegex.MatchString(URL); match { 37 | category = "media" 38 | } 39 | } 40 | 41 | if category == "" { 42 | if match := hqurlscann3r.ARCHIVERegex.MatchString(URL); match { 43 | category = "archive" 44 | } 45 | } 46 | 47 | if category == "" { 48 | category = "endpoint" 49 | } 50 | 51 | return category, nil 52 | } 53 | -------------------------------------------------------------------------------- /internal/configuration/configuration.go: -------------------------------------------------------------------------------- 1 | package configuration 2 | 3 | import ( 4 | "fmt" 5 | "math/rand" 6 | "time" 7 | ) 8 | 9 | type Options struct { 10 | FollowRedirects bool 11 | FollowHostRedirects bool 12 | HTTPProxy string 13 | Timeout int 14 | UserAgent string 15 | } 16 | 17 | const ( 18 | VERSION = "1.0.0" 19 | ) 20 | 21 | var ( 22 | BANNER string = fmt.Sprintf(` 23 | _ _ _____ 24 | | |__ __ _ _ _ _ __| |___ ___ __ _ _ __ _ __ |___ / _ __ 25 | | '_ \ / _`+"`"+` | | | | '__| / __|/ __/ _`+"`"+` | '_ \| '_ \ |_ \| '__| 26 | | | | | (_| | |_| | | | \__ \ (_| (_| | | | | | | |___) | | 27 | |_| |_|\__, |\__,_|_| |_|___/\___\__,_|_| |_|_| |_|____/|_| v%s 28 | |_| 29 | `, VERSION) 30 | ) 31 | 32 | func (options *Options) Parse() { 33 | if options.UserAgent == "" { 34 | payload := []string{ 35 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", 36 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36", 37 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0", 38 | "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36", 39 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15", 40 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36", 41 | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0", 42 | "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4", 43 | "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", 44 | "Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53", 45 | "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)", 46 | } 47 | 48 | rand.Seed(time.Now().UnixNano()) 49 | randomIndex := rand.Intn(len(payload)) 50 | 51 | options.UserAgent = payload[randomIndex] 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/hqurlscann3r.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "net/http" 5 | "regexp" 6 | 7 | "github.com/hueristiq/hqurlscann3r/internal/configuration" 8 | "github.com/hueristiq/url" 9 | ) 10 | 11 | type Sigurlx struct { 12 | Client *http.Client 13 | Params []CommonVulnerableParameters 14 | Options *configuration.Options 15 | JSRegex *regexp.Regexp 16 | DOCRegex *regexp.Regexp 17 | DATARegex *regexp.Regexp 18 | STYLERegex *regexp.Regexp 19 | MEDIARegex *regexp.Regexp 20 | ARCHIVERegex *regexp.Regexp 21 | DOMXSSRegex *regexp.Regexp 22 | } 23 | 24 | func New(options *configuration.Options) (Sigurlx, error) { 25 | hqurlscann3r := Sigurlx{} 26 | hqurlscann3r.Options = options 27 | hqurlscann3r.initCategories() 28 | hqurlscann3r.initParams() 29 | hqurlscann3r.initClient() 30 | 31 | return hqurlscann3r, nil 32 | } 33 | 34 | func (hqurlscann3r *Sigurlx) Process(URL string) (result Result, err error) { 35 | var res Response 36 | 37 | parsedURL, err := url.Parse(url.Options{URL: URL}) 38 | if err != nil { 39 | return result, err 40 | } 41 | 42 | result.URL = parsedURL.String() 43 | 44 | if result.Category, err = hqurlscann3r.categorize(URL); err != nil { 45 | return result, err 46 | } 47 | 48 | if res, err = hqurlscann3r.DoHTTP(parsedURL.String()); err != nil { 49 | return result, err 50 | } 51 | 52 | result.StatusCode = res.StatusCode 53 | result.ContentType = res.ContentType 54 | result.ContentLength = res.ContentLength 55 | result.RedirectLocation = res.RedirectLocation 56 | 57 | query, err := getQuery(parsedURL.String()) 58 | if err != nil { 59 | return result, err 60 | } 61 | 62 | if len(query) > 0 { 63 | if result.Category == "endpoint" { 64 | if res.IsEmpty() { 65 | res, _ = hqurlscann3r.DoHTTP(parsedURL.String()) 66 | } 67 | 68 | if result.StatusCode == http.StatusForbidden { 69 | if result.ClietErrorBypass, err = hqurlscann3r.bypass4xx(parsedURL); err != nil { 70 | return result, err 71 | } 72 | } 73 | 74 | if result.ReflectedParameters, err = hqurlscann3r.ReflectedParamsProbe(parsedURL, query, res); err != nil { 75 | return result, err 76 | } 77 | 78 | if result.CommonVulnerableParameters, err = hqurlscann3r.CommonVulnParamsProbe(query); err != nil { 79 | return result, err 80 | } 81 | } 82 | } 83 | 84 | return result, nil 85 | } 86 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/results.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "encoding/json" 5 | "os" 6 | "path" 7 | "strings" 8 | ) 9 | 10 | type ClietErrorBypass struct { 11 | URL string `json:"url,omitempty"` 12 | Header string `json:"header,omitempty"` 13 | } 14 | 15 | type ReflectedParameters struct { 16 | Param string `json:"param,omitempty"` 17 | Characters []string `json:"characters,omitempty"` 18 | } 19 | 20 | type CommonVulnerableParameters struct { 21 | Param string `json:"param,omitempty"` 22 | Risks []string `json:"risks,omitempty"` 23 | } 24 | 25 | type Result struct { 26 | URL string `json:"url,omitempty"` 27 | Category string `json:"category,omitempty"` 28 | StatusCode int `json:"status_code,omitempty"` 29 | ContentType string `json:"content_type,omitempty"` 30 | ContentLength int `json:"content_length,omitempty"` 31 | RedirectLocation string `json:"redirect_location,omitempty"` 32 | ClietErrorBypass []ClietErrorBypass `json:"cliet_errors_bypass,omitempty"` 33 | ReflectedParameters []ReflectedParameters `json:"reflected_parameters,omitempty"` 34 | CommonVulnerableParameters []CommonVulnerableParameters `json:"common_vulnerable_parameters,omitempty"` 35 | DOM []string `json:"dom,omitempty"` 36 | } 37 | 38 | type Results []Result 39 | 40 | func (results Results) SaveToJSON(PATH string) error { 41 | if PATH != "" { 42 | if _, err := os.Stat(PATH); os.IsNotExist(err) { 43 | directory, filename := path.Split(PATH) 44 | 45 | if _, err := os.Stat(directory); os.IsNotExist(err) { 46 | if directory != "" { 47 | if err = os.MkdirAll(directory, os.ModePerm); err != nil { 48 | return err 49 | } 50 | } 51 | } 52 | 53 | if strings.ToLower(path.Ext(filename)) != ".json" { 54 | PATH = PATH + ".json" 55 | } 56 | } 57 | 58 | JSON, err := json.MarshalIndent(results, "", "\t") 59 | if err != nil { 60 | return err 61 | } 62 | 63 | file, err := os.Create(PATH) 64 | if err != nil { 65 | return err 66 | } 67 | 68 | defer file.Close() 69 | 70 | _, err = file.WriteString(string(JSON)) 71 | if err != nil { 72 | return err 73 | } 74 | } 75 | 76 | return nil 77 | } 78 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/request.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "crypto/tls" 5 | "io/ioutil" 6 | "net" 7 | "net/http" 8 | "net/url" 9 | "time" 10 | "unicode/utf8" 11 | ) 12 | 13 | func (hqurlscann3r *Sigurlx) initClient() error { 14 | tr := &http.Transport{ 15 | DialContext: (&net.Dialer{ 16 | Timeout: time.Duration(hqurlscann3r.Options.Timeout) * time.Second, 17 | KeepAlive: time.Second, 18 | }).DialContext, 19 | TLSClientConfig: &tls.Config{ 20 | InsecureSkipVerify: true, 21 | }, 22 | } 23 | 24 | if hqurlscann3r.Options.HTTPProxy != "" { 25 | if proxyURL, err := url.Parse(hqurlscann3r.Options.HTTPProxy); err == nil { 26 | tr.Proxy = http.ProxyURL(proxyURL) 27 | } 28 | } 29 | 30 | re := func(_ *http.Request, _ []*http.Request) error { 31 | return http.ErrUseLastResponse 32 | } 33 | 34 | if hqurlscann3r.Options.FollowRedirects { 35 | re = nil 36 | } 37 | 38 | if hqurlscann3r.Options.FollowHostRedirects { 39 | re = func(redirectedRequest *http.Request, previousRequest []*http.Request) error { 40 | newHost := redirectedRequest.URL.Host 41 | oldHost := previousRequest[0].URL.Host 42 | 43 | if newHost != oldHost { 44 | return http.ErrUseLastResponse 45 | } 46 | 47 | return nil 48 | } 49 | } 50 | 51 | hqurlscann3r.Client = &http.Client{ 52 | Timeout: time.Duration(hqurlscann3r.Options.Timeout) * time.Second, 53 | Transport: tr, 54 | CheckRedirect: re, 55 | } 56 | 57 | return nil 58 | } 59 | 60 | func (hqurlscann3r *Sigurlx) DoHTTP(URL string) (Response, error) { 61 | var response Response 62 | 63 | headers := map[string]string{ 64 | "User-Agent": hqurlscann3r.Options.UserAgent, 65 | } 66 | 67 | res, err := hqurlscann3r.httpRequest(http.MethodGet, URL, headers) 68 | if err != nil { 69 | return response, err 70 | } 71 | 72 | response.Headers = res.Header.Clone() 73 | 74 | // websockets don't have a readable body 75 | if res.StatusCode != http.StatusSwitchingProtocols { 76 | // always read the full body so we can re-use the tcp connection 77 | if response.Body, err = ioutil.ReadAll(res.Body); err != nil { 78 | return response, err 79 | } 80 | } 81 | 82 | if err := res.Body.Close(); err != nil { 83 | return response, err 84 | } 85 | 86 | response.StatusCode = res.StatusCode 87 | response.ContentType = response.GetHeaderPart("Content-Type", ";") 88 | response.ContentLength = utf8.RuneCountInString(string(response.Body)) 89 | response.RedirectLocation = response.GetHeaderPart("Location", ";") 90 | 91 | return response, nil 92 | } 93 | 94 | func (hqurlscann3r *Sigurlx) httpRequest(method, URL string, headers map[string]string) (res *http.Response, err error) { 95 | req, err := http.NewRequest(method, URL, nil) 96 | if err != nil { 97 | return 98 | } 99 | 100 | for header, value := range headers { 101 | req.Header.Set(header, value) 102 | } 103 | 104 | res, err = hqurlscann3r.Client.Do(req) 105 | if err != nil { 106 | return 107 | } 108 | 109 | return 110 | } 111 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/bypass4xx.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | "strings" 7 | 8 | "github.com/hueristiq/url" 9 | ) 10 | 11 | func (hqurlscann3r *Sigurlx) bypass4xx(parsedURL *url.URL) ([]ClietErrorBypass, error) { 12 | var clietErrorBypass []ClietErrorBypass 13 | 14 | // Trim the trailing slash 15 | parsedURL.Path = strings.TrimRight(parsedURL.Path, "/") 16 | 17 | bypasses := []string{} 18 | 19 | payloads := []string{"?", "??", "???", "&", "#", "%", "%20", "%20/", "%09", "/", "//", "/.", "/~", ";/", "/..;/", "../", "..%2f", "..;/", "../", "\\..\\.\\", ".././", "..%00", "..%0d/", "..5c", "..\\", "..%ff/", "%2e%2e%2f", ".%2e/", "%3f", "%26", "%23", ".json"} 20 | 21 | for _, payload := range payloads { 22 | bypasses = append(bypasses, fmt.Sprintf("%s%s", parsedURL.String(), payload)) 23 | } 24 | 25 | headers := [][]string{ 26 | {"Forwarded", "127.0.0.1"}, 27 | {"Forwarded", "localhost"}, 28 | {"Forwarded-For", "127.0.0.1"}, 29 | {"Forwarded-For", "localhost"}, 30 | {"Forwarded-For-Ip", "127.0.0.1"}, 31 | {"X-Client-IP", "127.0.0.1"}, 32 | {"X-Custom-IP-Authorization", "127.0.0.1"}, 33 | {"X-Forward", "127.0.0.1"}, 34 | {"X-Forward", "localhost"}, 35 | {"X-Forwarded", "127.0.0.1"}, 36 | {"X-Forwarded", "localhost"}, 37 | {"X-Forwarded-By", "127.0.0.1"}, 38 | {"X-Forwarded-By", "localhost"}, 39 | {"X-Forwarded-For", "127.0.0.1"}, 40 | {"X-Forwarded-For", "localhost"}, 41 | {"X-Forwarded-For-Original", "127.0.0.1"}, 42 | {"X-Forwarded-For-Original", "localhost"}, 43 | {"X-Forwared-Host", "127.0.0.1"}, 44 | {"X-Forwared-Host", "localhost"}, 45 | {"X-Host", "127.0.0.1"}, 46 | {"X-Host", "localhost"}, 47 | {"X-Originating-IP", "127.0.0.1"}, 48 | {"X-Remote-IP", "127.0.0.1"}, 49 | {"X-Remote-Addr", "127.0.0.1"}, 50 | {"X-Remote-Addr", "localhost"}, 51 | {"X-Forwarded-Server", "127.0.0.1"}, 52 | {"X-Forwarded-Server", "localhost"}, 53 | {"X-HTTP-Host-Override", "127.0.0.1"}, 54 | } 55 | 56 | if parsedURL.Path != "" && parsedURL.Path != "/" { 57 | bypasses = append(bypasses, parsedURL.Scheme+"://"+parsedURL.Domain+"/%2e"+parsedURL.Path) 58 | bypasses = append(bypasses, fmt.Sprintf("%s://%s/%s//", parsedURL.Scheme, parsedURL.Domain, parsedURL.Path)) 59 | bypasses = append(bypasses, fmt.Sprintf("%s://%s/.%s/./", parsedURL.Scheme, parsedURL.Domain, parsedURL.Path)) 60 | } 61 | 62 | for _, bypass := range bypasses { 63 | // time.Sleep(time.Duration(o.delay) * time.Millisecond) 64 | 65 | res, err := hqurlscann3r.DoHTTP(bypass) 66 | if err != nil { 67 | continue 68 | } 69 | 70 | if res.StatusCode >= http.StatusOK && res.StatusCode < http.StatusMultipleChoices { 71 | clietErrorBypass = append(clietErrorBypass, ClietErrorBypass{URL: bypass}) 72 | } 73 | } 74 | 75 | for j := 0; j < len(headers); j++ { 76 | // time.Sleep(time.Duration(o.delay) * time.Millisecond) 77 | 78 | res, err := hqurlscann3r.httpRequest(http.MethodGet, parsedURL.String(), map[string]string{headers[j][0]: headers[j][1]}) 79 | if err != nil { 80 | continue 81 | } 82 | 83 | if res.StatusCode >= http.StatusOK && res.StatusCode < http.StatusMultipleChoices { 84 | clietErrorBypass = append(clietErrorBypass, ClietErrorBypass{URL: parsedURL.String(), Header: headers[j][0] + ":" + headers[j][1]}) 85 | } 86 | } 87 | 88 | return clietErrorBypass, nil 89 | } 90 | -------------------------------------------------------------------------------- /pkg/hqurlscann3r/params.go: -------------------------------------------------------------------------------- 1 | package hqurlscann3r 2 | 3 | import ( 4 | "encoding/json" 5 | "io/ioutil" 6 | "net/http" 7 | urlz "net/url" 8 | "strings" 9 | 10 | "github.com/hueristiq/hqurlscann3r/pkg/params" 11 | "github.com/hueristiq/url" 12 | ) 13 | 14 | func (hqurlscann3r *Sigurlx) initParams() error { 15 | raw, err := ioutil.ReadFile(params.File()) 16 | if err != nil { 17 | return err 18 | } 19 | 20 | if err = json.Unmarshal(raw, &hqurlscann3r.Params); err != nil { 21 | return err 22 | } 23 | 24 | return nil 25 | } 26 | 27 | func (hqurlscann3r *Sigurlx) CommonVulnParamsProbe(query urlz.Values) ([]CommonVulnerableParameters, error) { 28 | var commonVulnParams []CommonVulnerableParameters 29 | 30 | for parameter := range query { 31 | for i := range hqurlscann3r.Params { 32 | if strings.ToLower(hqurlscann3r.Params[i].Param) == strings.ToLower(parameter) { 33 | commonVulnParams = append(commonVulnParams, hqurlscann3r.Params[i]) 34 | 35 | break 36 | } 37 | } 38 | } 39 | 40 | return commonVulnParams, nil 41 | } 42 | 43 | func (hqurlscann3r *Sigurlx) ReflectedParamsProbe(parsedURL *url.URL, query urlz.Values, res Response) ([]ReflectedParameters, error) { 44 | var reflectedParams []ReflectedParameters 45 | 46 | reflected, err := hqurlscann3r.checkReflection(parsedURL.String(), query, res) 47 | if err != nil { 48 | return reflectedParams, err 49 | } 50 | 51 | if len(reflected) > 0 { 52 | for _, parameter := range reflected { 53 | characters := []string{"\"", "'", "<", ">", "/"} 54 | 55 | var reflectedCharacters []string 56 | 57 | for _, char := range characters { 58 | wasReflected, err := hqurlscann3r.checkAppend(parsedURL, query, parameter, "aprefix"+char+"asuffix") 59 | if err != nil { 60 | continue 61 | } 62 | 63 | if wasReflected { 64 | reflectedCharacters = append(reflectedCharacters, char) 65 | } 66 | } 67 | 68 | if len(reflectedCharacters) > 2 { 69 | reflectedParams = append(reflectedParams, ReflectedParameters{Param: parameter, Characters: reflectedCharacters}) 70 | } 71 | } 72 | } 73 | 74 | return reflectedParams, nil 75 | } 76 | 77 | func getQuery(URL string) (urlz.Values, error) { 78 | var query urlz.Values 79 | 80 | queryUnescaped, err := urlz.QueryUnescape(URL) 81 | if err != nil { 82 | return query, err 83 | } 84 | 85 | parsedURL, err := urlz.Parse(queryUnescaped) 86 | if err != nil { 87 | return query, err 88 | } 89 | 90 | query, err = urlz.ParseQuery(parsedURL.RawQuery) 91 | if err != nil { 92 | return query, err 93 | } 94 | 95 | return query, nil 96 | } 97 | 98 | func (hqurlscann3r *Sigurlx) checkReflection(URL string, query urlz.Values, res Response) ([]string, error) { 99 | var reflected []string 100 | 101 | if res.IsEmpty() { 102 | res, _ = hqurlscann3r.DoHTTP(URL) 103 | } 104 | 105 | if res.StatusCode >= http.StatusMultipleChoices && res.StatusCode < http.StatusBadRequest { 106 | return reflected, nil 107 | } 108 | 109 | if res.ContentType != "" && !strings.Contains(res.ContentType, "html") { 110 | return reflected, nil 111 | } 112 | 113 | for param, value := range query { 114 | for _, v := range value { 115 | if !strings.Contains(string(res.Body), v) { 116 | continue 117 | } 118 | 119 | reflected = append(reflected, param) 120 | } 121 | } 122 | 123 | return reflected, nil 124 | } 125 | 126 | func (hqurlscann3r *Sigurlx) checkAppend(parsedURL *url.URL, query urlz.Values, param, suffix string) (bool, error) { 127 | val := query.Get(param) 128 | 129 | query.Set(param, val+suffix) 130 | parsedURL.RawQuery = query.Encode() 131 | 132 | reflected, err := hqurlscann3r.checkReflection(parsedURL.String(), query, Response{}) 133 | if err != nil { 134 | return false, err 135 | } 136 | 137 | for _, r := range reflected { 138 | if r == param { 139 | return true, nil 140 | } 141 | } 142 | 143 | query.Set(param, val) 144 | 145 | return false, nil 146 | } 147 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hqurlscann3r 2 | 3 | [![release](https://img.shields.io/github/release/hueristiq/hqurlscann3r?style=flat&color=0040ff)](https://github.com/hueristiq/hqurlscann3r/releases) ![maintenance](https://img.shields.io/badge/maintained%3F-yes-0040ff.svg) [![open issues](https://img.shields.io/github/issues-raw/hueristiq/hqurlscann3r.svg?style=flat&color=0040ff)](https://github.com/hueristiq/hqurlscann3r/issues?q=is:issue+is:open) [![closed issues](https://img.shields.io/github/issues-closed-raw/hueristiq/hqurlscann3r.svg?style=flat&color=0040ff)](https://github.com/hueristiq/hqurlscann3r/issues?q=is:issue+is:closed) [![license](https://img.shields.io/badge/license-MIT-gray.svg?colorB=0040FF)](https://github.com/hueristiq/hqurlscann3r/blob/master/LICENSE) [![twitter](https://img.shields.io/badge/twitter-@itshueristiq-0040ff.svg)](https://twitter.com/itshueristiq) 4 | 5 | A web application attack surface mapping tool. It takes in a list of urls then performs numerous probes 6 | 7 | ## Resources 8 | 9 | * [Features](#features) 10 | * [Installation](#installation) 11 | * [From Binary](#from-binary) 12 | * [From source](#from-source) 13 | * [From github](#from-github) 14 | * [Usage](#usage) 15 | * [Contribution](#contribution) 16 | 17 | ## Features 18 | 19 | * Categorize URLs 20 | 21 |
22 | URLs' categories 23 | 24 | ``` 25 | - endpoint 26 | - js {js} 27 | - style {css} 28 | - data {json|xml|csv} 29 | - archive {zip|tar|tar.gz} 30 | - doc {pdf|xlsx|doc|docx|txt} 31 | - media {jpg|jpeg|png|ico|svg|gif|webp|mp3|mp4|woff|woff2|ttf|eot|tif|tiff} 32 | ``` 33 | 34 |
35 | 36 | * Probe HTTP requests for `status_code`, `content_type`, e.t.c 37 | * For every URL of category `endpoint` with a query: 38 | * Probe for commonly vulnerable parameters (inspired by [Somdev Sangwan](https://github.com/s0md3v)'s [Parth](https://github.com/s0md3v/Parth)). 39 | * Probe for reflected parameters (inspired by [Tom Hudson](https://github.com/tomnomnom)'s [kxss](https://github.com/tomnomnom/hacks/tree/master/kxss)). 40 | 41 | ## Installation 42 | 43 | ### From Binary 44 | 45 | You can download the pre-built binary for your platform from this repository's [releases](https://github.com/hueristiq/hqurlscann3r/releases/) page, extract, then move it to your `$PATH`and you're ready to go. 46 | 47 | ### From Source 48 | 49 | hqurlscann3r requires **go1.17+** to install successfully. Run the following command to get the repo 50 | 51 | ```bash 52 | go install -v github.com/hueristiq/hqurlscann3r/cmd/hqurlscann3r@latest 53 | ``` 54 | 55 | ### From Github 56 | 57 | ```bash 58 | git clone https://github.com/hueristiq/hqurlscann3r.git && \ 59 | cd hqurlscann3r/cmd/hqurlscann3r/ && \ 60 | go build . && \ 61 | mv hqurlscann3r /usr/local/bin/ && \ 62 | hqurlscann3r -h 63 | ``` 64 | 65 | ## Usage 66 | 67 | To display help message for hqurlscann3r use the `-h` flag: 68 | 69 | ```bash 70 | hqurlscann3r -h 71 | ``` 72 | 73 | ```text 74 | _ _ _____ 75 | | |__ __ _ _ _ _ __| |___ ___ __ _ _ __ _ __ |___ / _ __ 76 | | '_ \ / _` | | | | '__| / __|/ __/ _` | '_ \| '_ \ |_ \| '__| 77 | | | | | (_| | |_| | | | \__ \ (_| (_| | | | | | | |___) | | 78 | |_| |_|\__, |\__,_|_| |_|___/\___\__,_|_| |_|_| |_|____/|_| v1.0.0 79 | |_| 80 | 81 | USAGE: 82 | hqurlscann3r [OPTIONS] 83 | 84 | OPTIONS: 85 | -c, --concurrency concurrency level (default: 20) 86 | -d, --delay delay between requests (default: 100ms) 87 | --follow-redirects follow redirects (default: false) 88 | --follow-host-redirects follow internal redirects i.e, same host redirects (default: false) 89 | --http-proxy HTTP Proxy URL 90 | -iL, --input-list input urls list 91 | -nC, --no-color no color mode 92 | -o, --output JSON output file (default: ./hqurlscann3r.json) 93 | -t, --timeout HTTP request timeout (default: 10s) 94 | -ua, --user-agent HTTP user agent 95 | --update-params update params file 96 | -v, --verbose verbose mode 97 | ``` 98 | 99 | ## Contribution 100 | 101 | [Issues](https://github.com/hueristiq/hqurlscann3r/issues) and [Pull Requests](https://github.com/hueristiq/hqurlscann3r/pulls) are welcome! -------------------------------------------------------------------------------- /cmd/hqurlscann3r/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "flag" 6 | "fmt" 7 | "log" 8 | "os" 9 | "sync" 10 | "time" 11 | 12 | "github.com/hueristiq/hqurlscann3r/internal/configuration" 13 | "github.com/hueristiq/hqurlscann3r/pkg/hqurlscann3r" 14 | "github.com/hueristiq/hqurlscann3r/pkg/params" 15 | "github.com/logrusorgru/aurora/v3" 16 | ) 17 | 18 | type options struct { 19 | delay int 20 | concurrency int 21 | output string 22 | noColor bool 23 | URLs string 24 | updateParams bool 25 | verbose bool 26 | } 27 | 28 | var ( 29 | co options 30 | au aurora.Aurora 31 | ro configuration.Options 32 | ) 33 | 34 | func banner() { 35 | fmt.Fprintln(os.Stderr, aurora.BrightBlue(configuration.BANNER).Bold()) 36 | } 37 | 38 | func init() { 39 | // general options 40 | flag.StringVar(&co.URLs, "iL", "", "") 41 | flag.IntVar(&co.concurrency, "c", 20, "") 42 | flag.IntVar(&co.concurrency, "concurrency", 20, "") 43 | flag.BoolVar(&co.updateParams, "update-params", false, "") 44 | // http options 45 | flag.IntVar(&co.delay, "d", 100, "") 46 | flag.IntVar(&co.delay, "delay", 100, "") 47 | flag.BoolVar(&ro.FollowRedirects, "follow-redirects", false, "") 48 | flag.BoolVar(&ro.FollowHostRedirects, "follow-host-redirects", false, "") 49 | flag.StringVar(&ro.HTTPProxy, "http-proxy ", "", "") 50 | flag.IntVar(&ro.Timeout, "t", 10, "") 51 | flag.IntVar(&ro.Timeout, "timeout", 10, "") 52 | flag.StringVar(&ro.UserAgent, "ua", "", "") 53 | flag.StringVar(&ro.UserAgent, "user-agent", "", "") 54 | // output options 55 | flag.BoolVar(&co.noColor, "nC", false, "") 56 | flag.BoolVar(&co.noColor, "no-color", false, "") 57 | flag.StringVar(&co.output, "o", "./hqurlscann3r.json", "") 58 | flag.StringVar(&co.output, "output", "./hqurlscann3r.json", "") 59 | flag.BoolVar(&co.verbose, "v", false, "") 60 | flag.BoolVar(&co.verbose, "verbose", false, "") 61 | 62 | flag.Usage = func() { 63 | banner() 64 | 65 | h := "USAGE:\n" 66 | h += " hqurlscann3r [OPTIONS]\n" 67 | 68 | h += "\nOPTIONS:\n" 69 | h += " -c, --concurrency concurrency level (default: 20)\n" 70 | h += " -d, --delay delay between requests (default: 100ms)\n" 71 | h += " --follow-redirects follow redirects (default: false)\n" 72 | h += " --follow-host-redirects follow internal redirects i.e, same host redirects (default: false)\n" 73 | h += " --http-proxy HTTP Proxy URL\n" 74 | h += " -iL, --input-list input urls list\n" 75 | h += " -nC, --no-color no color mode\n" 76 | h += " -o, --output JSON output file (default: ./hqurlscann3r.json)\n" 77 | h += " -t, --timeout HTTP request timeout (default: 10s)\n" 78 | h += " -ua, --user-agent HTTP user agent\n" 79 | h += " --update-params update params file\n" 80 | h += " -v, --verbose verbose mode\n" 81 | 82 | fmt.Fprint(os.Stderr, h) 83 | } 84 | 85 | flag.Parse() 86 | ro.Parse() 87 | 88 | au = aurora.NewAurora(!co.noColor) 89 | } 90 | 91 | func main() { 92 | banner() 93 | 94 | if co.updateParams { 95 | if err := params.UpdateOrDownload(params.File()); err != nil { 96 | log.Fatalln(err) 97 | } 98 | 99 | fmt.Println("[", au.BrightBlue("INF"), "] params file updated successfully :)") 100 | 101 | os.Exit(0) 102 | } 103 | 104 | URLs := make(chan string, co.concurrency) 105 | 106 | go func() { 107 | defer close(URLs) 108 | 109 | var ( 110 | f *os.File 111 | err error 112 | ) 113 | 114 | switch { 115 | case hasStdin(): 116 | f = os.Stdin 117 | case co.URLs != "": 118 | f, err = os.Open(co.URLs) 119 | if err != nil { 120 | log.Fatalln(err) 121 | } 122 | default: 123 | log.Fatalln("hqurlscann3r takes input from stdin or file using '-d' flag") 124 | } 125 | 126 | scanner := bufio.NewScanner(f) 127 | 128 | for scanner.Scan() { 129 | URL := scanner.Text() 130 | 131 | if URL != "" { 132 | URLs <- URL 133 | } 134 | } 135 | 136 | if scanner.Err() != nil { 137 | log.Fatalln(scanner.Err()) 138 | } 139 | }() 140 | 141 | mutex := &sync.Mutex{} 142 | wg := &sync.WaitGroup{} 143 | 144 | var output hqurlscann3r.Results 145 | 146 | for i := 0; i < co.concurrency; i++ { 147 | wg.Add(1) 148 | 149 | time.Sleep(time.Duration(co.delay) * time.Millisecond) 150 | 151 | go func() { 152 | defer wg.Done() 153 | 154 | runner, err := hqurlscann3r.New(&ro) 155 | if err != nil { 156 | log.Fatalln(err) 157 | } 158 | 159 | for URL := range URLs { 160 | results, err := runner.Process(URL) 161 | if err != nil { 162 | // fmt.Println(au.BrightRed(" -"), results.URL, au.BrightRed("...failed!")) 163 | 164 | if co.verbose { 165 | fmt.Fprintf(os.Stderr, err.Error()+"\n") 166 | } 167 | 168 | continue 169 | } 170 | 171 | mutex.Lock() 172 | // fmt.Println(au.BrightGreen(" +"), results.URL, au.BrightGreen("...done!")) 173 | // fmt.Println(au.BrightGreen(" +"), results.URL, au.BrightGreen("...done!")) 174 | x := fmt.Sprintf("[ %s ] %s", results.Category, results.URL) 175 | fmt.Println(x) 176 | output = append(output, results) 177 | mutex.Unlock() 178 | } 179 | }() 180 | } 181 | 182 | wg.Wait() 183 | 184 | if err := output.SaveToJSON(co.output); err != nil { 185 | log.Fatalln(err) 186 | } 187 | } 188 | 189 | func hasStdin() bool { 190 | stat, err := os.Stdin.Stat() 191 | if err != nil { 192 | return false 193 | } 194 | 195 | isPipedFromChrDev := (stat.Mode() & os.ModeCharDevice) == 0 196 | isPipedFromFIFO := (stat.Mode() & os.ModeNamedPipe) != 0 197 | 198 | return isPipedFromChrDev || isPipedFromFIFO 199 | } 200 | -------------------------------------------------------------------------------- /static/params.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "param": "access", 4 | "risks": [ 5 | "ssrf" 6 | ] 7 | }, 8 | { 9 | "param": "account", 10 | "risks": [ 11 | "idor" 12 | ] 13 | }, 14 | { 15 | "param": "action", 16 | "risks": [ 17 | "lfi" 18 | ] 19 | }, 20 | { 21 | "param": "activity", 22 | "risks": [ 23 | "ssti" 24 | ] 25 | }, 26 | { 27 | "param": "adm", 28 | "risks": [ 29 | "ssrf" 30 | ] 31 | }, 32 | { 33 | "param": "admin", 34 | "risks": [ 35 | "ssrf" 36 | ] 37 | }, 38 | { 39 | "param": "alter", 40 | "risks": [ 41 | "ssrf" 42 | ] 43 | }, 44 | { 45 | "param": "api", 46 | "risks": [ 47 | "xss" 48 | ] 49 | }, 50 | { 51 | "param": "api_key", 52 | "risks": [ 53 | "xss" 54 | ] 55 | }, 56 | { 57 | "param": "arg", 58 | "risks": [ 59 | "rce" 60 | ] 61 | }, 62 | { 63 | "param": "begindate", 64 | "risks": [ 65 | "xss" 66 | ] 67 | }, 68 | { 69 | "param": "cli", 70 | "risks": [ 71 | "rce" 72 | ] 73 | }, 74 | { 75 | "param": "csrf_token", 76 | "risks": [ 77 | "xss" 78 | ] 79 | }, 80 | { 81 | "param": "board", 82 | "risks": [ 83 | "lfi" 84 | ] 85 | }, 86 | { 87 | "param": "callback", 88 | "risks": [ 89 | "open_redirect", 90 | "xss", 91 | "ssrf" 92 | ] 93 | }, 94 | { 95 | "param": "cat", 96 | "risks": [ 97 | "lfi" 98 | ] 99 | }, 100 | { 101 | "param": "category", 102 | "risks": [ 103 | "sqli" 104 | ] 105 | }, 106 | { 107 | "param": "categoryid", 108 | "risks": [ 109 | "xss" 110 | ] 111 | }, 112 | { 113 | "param": "cfg", 114 | "risks": [ 115 | "ssrf" 116 | ] 117 | }, 118 | { 119 | "param": "class", 120 | "risks": [ 121 | "sqli" 122 | ] 123 | }, 124 | { 125 | "param": "clone", 126 | "risks": [ 127 | "ssrf" 128 | ] 129 | }, 130 | { 131 | "param": "checkout", 132 | "risks": [ 133 | "open_redirect" 134 | ] 135 | }, 136 | { 137 | "param": "checkout_url", 138 | "risks": [ 139 | "open_redirect" 140 | ] 141 | }, 142 | { 143 | "param": "cmd", 144 | "risks": [ 145 | "rce" 146 | ] 147 | }, 148 | { 149 | "param": "code", 150 | "risks": [ 151 | "rce" 152 | ] 153 | }, 154 | { 155 | "param": "column", 156 | "risks": [ 157 | "sqli" 158 | ] 159 | }, 160 | { 161 | "param": "command", 162 | "risks": [ 163 | "rce" 164 | ] 165 | }, 166 | { 167 | "param": "conf", 168 | "risks": [ 169 | "lfi" 170 | ] 171 | }, 172 | { 173 | "param": "content", 174 | "risks": [ 175 | "lfi", 176 | "ssti" 177 | ] 178 | }, 179 | { 180 | "param": "continue", 181 | "risks": [ 182 | "open_redirect", 183 | "ssrf" 184 | ] 185 | }, 186 | { 187 | "param": "create", 188 | "risks": [ 189 | "ssrf" 190 | ] 191 | }, 192 | { 193 | "param": "daemon", 194 | "risks": [ 195 | "rce" 196 | ] 197 | }, 198 | { 199 | "param": "data", 200 | "risks": [ 201 | "open_redirect", 202 | "ssrf" 203 | ] 204 | }, 205 | { 206 | "param": "date", 207 | "risks": [ 208 | "lfi", 209 | "sqli" 210 | ] 211 | }, 212 | { 213 | "param": "dbg", 214 | "risks": [ 215 | "ssrf" 216 | ] 217 | }, 218 | { 219 | "param": "debug", 220 | "risks": [ 221 | "ssrf" 222 | ] 223 | }, 224 | { 225 | "param": "delete", 226 | "risks": [ 227 | "sqli" 228 | ] 229 | }, 230 | { 231 | "param": "dest", 232 | "risks": [ 233 | "open_redirect", 234 | "ssrf" 235 | ] 236 | }, 237 | { 238 | "param": "destination", 239 | "risks": [ 240 | "open_redirect" 241 | ] 242 | }, 243 | { 244 | "param": "detail", 245 | "risks": [ 246 | "lfi" 247 | ] 248 | }, 249 | { 250 | "param": "dir", 251 | "risks": [ 252 | "lfi", 253 | "rce", 254 | "open_redirect", 255 | "ssrf", 256 | "sqli" 257 | ] 258 | }, 259 | { 260 | "param": "disable", 261 | "risks": [ 262 | "ssrf" 263 | ] 264 | }, 265 | { 266 | "param": "do", 267 | "risks": [ 268 | "rce" 269 | ] 270 | }, 271 | { 272 | "param": "doc", 273 | "risks": [ 274 | "idor", 275 | "lfi", 276 | "ssrf" 277 | ] 278 | }, 279 | { 280 | "param": "document", 281 | "risks": [ 282 | "lfi", 283 | "ssrf" 284 | ] 285 | }, 286 | { 287 | "param": "domain", 288 | "risks": [ 289 | "open_redirect", 290 | "ssrf" 291 | ] 292 | }, 293 | { 294 | "param": "download", 295 | "risks": [ 296 | "lfi", 297 | "rce" 298 | ] 299 | }, 300 | { 301 | "param": "edit", 302 | "risks": [ 303 | "idor", 304 | "ssrf" 305 | ] 306 | }, 307 | { 308 | "param": "emailto", 309 | "risks": [ 310 | "xss" 311 | ] 312 | }, 313 | { 314 | "param": "enable", 315 | "risks": [ 316 | "ssrf" 317 | ] 318 | }, 319 | { 320 | "param": "enddate", 321 | "risks": [ 322 | "xss" 323 | ] 324 | }, 325 | { 326 | "param": "exe", 327 | "risks": [ 328 | "rce" 329 | ] 330 | }, 331 | { 332 | "param": "exec", 333 | "risks": [ 334 | "rce", 335 | "ssrf" 336 | ] 337 | }, 338 | { 339 | "param": "execute", 340 | "risks": [ 341 | "rce", 342 | "ssrf" 343 | ] 344 | }, 345 | { 346 | "param": "email", 347 | "risks": [ 348 | "idor", 349 | "xss" 350 | ] 351 | }, 352 | { 353 | "param": "feature", 354 | "risks": [ 355 | "rce" 356 | ] 357 | }, 358 | { 359 | "param": "feed", 360 | "risks": [ 361 | "open_redirect", 362 | "ssrf" 363 | ] 364 | }, 365 | { 366 | "param": "fetch", 367 | "risks": [ 368 | "sqli" 369 | ] 370 | }, 371 | { 372 | "param": "field", 373 | "risks": [ 374 | "sqli" 375 | ] 376 | }, 377 | { 378 | "param": "file", 379 | "risks": [ 380 | "lfi", 381 | "open_redirect", 382 | "ssrf", 383 | "sqli" 384 | ] 385 | }, 386 | { 387 | "param": "filename", 388 | "risks": [ 389 | "ssrf" 390 | ] 391 | }, 392 | { 393 | "param": "file_name", 394 | "risks": [ 395 | "open_redirect" 396 | ] 397 | }, 398 | { 399 | "param": "file_url", 400 | "risks": [ 401 | "open_redirect" 402 | ] 403 | }, 404 | { 405 | "param": "filter", 406 | "risks": [ 407 | "sqli" 408 | ] 409 | }, 410 | { 411 | "param": "folder", 412 | "risks": [ 413 | "lfi", 414 | "open_redirect", 415 | "ssrf" 416 | ] 417 | }, 418 | { 419 | "param": "folder_url", 420 | "risks": [ 421 | "open_redirect" 422 | ] 423 | }, 424 | { 425 | "param": "form", 426 | "risks": [ 427 | "sqli" 428 | ] 429 | }, 430 | { 431 | "param": "forward", 432 | "risks": [ 433 | "open_redirect" 434 | ] 435 | }, 436 | { 437 | "param": "from", 438 | "risks": [ 439 | "sqli" 440 | ] 441 | }, 442 | { 443 | "param": "from_url", 444 | "risks": [ 445 | "open_redirect" 446 | ] 447 | }, 448 | { 449 | "param": "func", 450 | "risks": [ 451 | "rce" 452 | ] 453 | }, 454 | { 455 | "param": "function", 456 | "risks": [ 457 | "rce" 458 | ] 459 | }, 460 | { 461 | "param": "go", 462 | "risks": [ 463 | "open_redirect" 464 | ] 465 | }, 466 | { 467 | "param": "goto", 468 | "risks": [ 469 | "open_redirect" 470 | ] 471 | }, 472 | { 473 | "param": "grant", 474 | "risks": [ 475 | "ssrf" 476 | ] 477 | }, 478 | { 479 | "param": "group", 480 | "risks": [ 481 | "idor" 482 | ] 483 | }, 484 | { 485 | "param": "host", 486 | "risks": [ 487 | "open_redirect", 488 | "ssrf" 489 | ] 490 | }, 491 | { 492 | "param": "html", 493 | "risks": [ 494 | "open_redirect", 495 | "ssrf" 496 | ] 497 | }, 498 | { 499 | "param": "id", 500 | "risks": [ 501 | "idor", 502 | "xss", 503 | "sqli", 504 | "ssti" 505 | ] 506 | }, 507 | { 508 | "param": "image_url", 509 | "risks": [ 510 | "open_redirect" 511 | ] 512 | }, 513 | { 514 | "param": "imagine", 515 | "risks": [ 516 | "xss" 517 | ] 518 | }, 519 | { 520 | "param": "img", 521 | "risks": [ 522 | "ssrf" 523 | ] 524 | }, 525 | { 526 | "param": "img_url", 527 | "risks": [ 528 | "open_redirect" 529 | ] 530 | }, 531 | { 532 | "param": "inc", 533 | "risks": [ 534 | "lfi" 535 | ] 536 | }, 537 | { 538 | "param": "include", 539 | "risks": [ 540 | "lfi" 541 | ] 542 | }, 543 | { 544 | "param": "ip", 545 | "risks": [ 546 | "rce" 547 | ] 548 | }, 549 | { 550 | "param": "item", 551 | "risks": [ 552 | "xss", 553 | "sqli" 554 | ] 555 | }, 556 | { 557 | "param": "join", 558 | "risks": [ 559 | "sqli" 560 | ] 561 | }, 562 | { 563 | "param": "jsonp", 564 | "risks": [ 565 | "xss" 566 | ] 567 | }, 568 | { 569 | "param": "jump", 570 | "risks": [ 571 | "rce" 572 | ] 573 | }, 574 | { 575 | "param": "key", 576 | "risks": [ 577 | "idor", 578 | "xss" 579 | ] 580 | }, 581 | { 582 | "param": "keyword", 583 | "risks": [ 584 | "xss", 585 | "sqli" 586 | ] 587 | }, 588 | { 589 | "param": "keywords", 590 | "risks": [ 591 | "xss" 592 | ] 593 | }, 594 | { 595 | "param": "l", 596 | "risks": [ 597 | "xss" 598 | ] 599 | }, 600 | { 601 | "param": "lang", 602 | "risks": [ 603 | "xss", 604 | "sqli" 605 | ] 606 | }, 607 | { 608 | "param": "layout", 609 | "risks": [ 610 | "lfi" 611 | ] 612 | }, 613 | { 614 | "param": "list_type", 615 | "risks": [ 616 | "xss" 617 | ] 618 | }, 619 | { 620 | "param": "locate", 621 | "risks": [ 622 | "lfi" 623 | ] 624 | }, 625 | { 626 | "param": "load", 627 | "risks": [ 628 | "rce", 629 | "ssrf" 630 | ] 631 | }, 632 | { 633 | "param": "load_file", 634 | "risks": [ 635 | "open_redirect" 636 | ] 637 | }, 638 | { 639 | "param": "load_url", 640 | "risks": [ 641 | "open_redirect" 642 | ] 643 | }, 644 | { 645 | "param": "log", 646 | "risks": [ 647 | "rce" 648 | ] 649 | }, 650 | { 651 | "param": "login_url", 652 | "risks": [ 653 | "open_redirect" 654 | ] 655 | }, 656 | { 657 | "param": "logout", 658 | "risks": [ 659 | "open_redirect" 660 | ] 661 | }, 662 | { 663 | "param": "main", 664 | "risks": [ 665 | "sqli" 666 | ] 667 | }, 668 | { 669 | "param": "make", 670 | "risks": [ 671 | "ssrf" 672 | ] 673 | }, 674 | { 675 | "param": "menu", 676 | "risks": [ 677 | "sqli" 678 | ] 679 | }, 680 | { 681 | "param": "mod", 682 | "risks": [ 683 | "lfi" 684 | ] 685 | }, 686 | { 687 | "param": "modify", 688 | "risks": [ 689 | "ssrf" 690 | ] 691 | }, 692 | { 693 | "param": "module", 694 | "risks": [ 695 | "rce" 696 | ] 697 | }, 698 | { 699 | "param": "month", 700 | "risks": [ 701 | "xss" 702 | ] 703 | }, 704 | { 705 | "param": "name", 706 | "risks": [ 707 | "lfi", 708 | "xss", 709 | "sqli", 710 | "open_redirect", 711 | "ssrf" 712 | ] 713 | }, 714 | { 715 | "param": "nav", 716 | "risks": [ 717 | "sqli" 718 | ] 719 | }, 720 | { 721 | "param": "navigation", 722 | "risks": [ 723 | "open_redirect", 724 | "ssrf" 725 | ] 726 | }, 727 | { 728 | "param": "news", 729 | "risks": [ 730 | "sqli" 731 | ] 732 | }, 733 | { 734 | "param": "next", 735 | "risks": [ 736 | "open_redirect", 737 | "ssrf" 738 | ] 739 | }, 740 | { 741 | "param": "next_page", 742 | "risks": [ 743 | "open_redirect" 744 | ] 745 | }, 746 | { 747 | "param": "no", 748 | "risks": [ 749 | "idor" 750 | ] 751 | }, 752 | { 753 | "param": "number", 754 | "risks": [ 755 | "idor", 756 | "sqli" 757 | ] 758 | }, 759 | { 760 | "param": "open", 761 | "risks": [ 762 | "ssrf", 763 | "open_redirect" 764 | ] 765 | }, 766 | { 767 | "param": "option", 768 | "risks": [ 769 | "rce" 770 | ] 771 | }, 772 | { 773 | "param": "order", 774 | "risks": [ 775 | "idor", 776 | "sqli" 777 | ] 778 | }, 779 | { 780 | "param": "out", 781 | "risks": [ 782 | "open_redirect", 783 | "ssrf" 784 | ] 785 | }, 786 | { 787 | "param": "p", 788 | "risks": [ 789 | "xss" 790 | ] 791 | }, 792 | { 793 | "param": "page", 794 | "risks": [ 795 | "lfi", 796 | "xss", 797 | "ssrf", 798 | "sqli" 799 | ] 800 | }, 801 | { 802 | "param": "page_id", 803 | "risks": [ 804 | "xss" 805 | ] 806 | }, 807 | { 808 | "param": "page_url", 809 | "risks": [ 810 | "open_redirect" 811 | ] 812 | }, 813 | { 814 | "param": "params", 815 | "risks": [ 816 | "sqli" 817 | ] 818 | }, 819 | { 820 | "param": "password", 821 | "risks": [ 822 | "xss" 823 | ] 824 | }, 825 | { 826 | "param": "path", 827 | "risks": [ 828 | "lfi", 829 | "open_redirect", 830 | "ssrf" 831 | ] 832 | }, 833 | { 834 | "param": "payload", 835 | "risks": [ 836 | "rce" 837 | ] 838 | }, 839 | { 840 | "param": "pdf", 841 | "risks": [ 842 | "lfi" 843 | ] 844 | }, 845 | { 846 | "param": "pg", 847 | "risks": [ 848 | "lfi", 849 | "ssrf" 850 | ] 851 | }, 852 | { 853 | "param": "php_path", 854 | "risks": [ 855 | "lfi", 856 | "ssrf" 857 | ] 858 | }, 859 | { 860 | "param": "ping", 861 | "risks": [ 862 | "rce" 863 | ] 864 | }, 865 | { 866 | "param": "port", 867 | "risks": [ 868 | "open_redirect", 869 | "ssrf" 870 | ] 871 | }, 872 | { 873 | "param": "prefix", 874 | "risks": [ 875 | "lfi" 876 | ] 877 | }, 878 | { 879 | "param": "preview", 880 | "risks": [ 881 | "ssti" 882 | ] 883 | }, 884 | { 885 | "param": "print", 886 | "risks": [ 887 | "rce" 888 | ] 889 | }, 890 | { 891 | "param": "profile", 892 | "risks": [ 893 | "idor" 894 | ] 895 | }, 896 | { 897 | "param": "process", 898 | "risks": [ 899 | "rce", 900 | "sqli" 901 | ] 902 | }, 903 | { 904 | "param": "q", 905 | "risks": [ 906 | "xss" 907 | ] 908 | }, 909 | { 910 | "param": "query", 911 | "risks": [ 912 | "rce", 913 | "xss", 914 | "sqli" 915 | ] 916 | }, 917 | { 918 | "param": "read", 919 | "risks": [ 920 | "rce" 921 | ] 922 | }, 923 | { 924 | "param": "redir", 925 | "risks": [ 926 | "open_redirect" 927 | ] 928 | }, 929 | { 930 | "param": "redirect", 931 | "risks": [ 932 | "open_redirect", 933 | "ssrf", 934 | "ssti" 935 | ] 936 | }, 937 | { 938 | "param": "redirect_to", 939 | "risks": [ 940 | "open_redirect" 941 | ] 942 | }, 943 | { 944 | "param": "redirect_uri", 945 | "risks": [ 946 | "open_redirect" 947 | ] 948 | }, 949 | { 950 | "param": "redirect_url", 951 | "risks": [ 952 | "open_redirect" 953 | ] 954 | }, 955 | { 956 | "param": "ref", 957 | "risks": [ 958 | "sqli" 959 | ] 960 | }, 961 | { 962 | "param": "reference", 963 | "risks": [ 964 | "open_redirect", 965 | "ssrf" 966 | ] 967 | }, 968 | { 969 | "param": "reg", 970 | "risks": [ 971 | "rce" 972 | ] 973 | }, 974 | { 975 | "param": "region", 976 | "risks": [ 977 | "sqli" 978 | ] 979 | }, 980 | { 981 | "param": "rename", 982 | "risks": [ 983 | "ssrf" 984 | ] 985 | }, 986 | { 987 | "param": "return", 988 | "risks": [ 989 | "open_redirect", 990 | "ssrf" 991 | ] 992 | }, 993 | { 994 | "param": "return_path", 995 | "risks": [ 996 | "open_redirect" 997 | ] 998 | }, 999 | { 1000 | "param": "return_to", 1001 | "risks": [ 1002 | "open_redirect" 1003 | ] 1004 | }, 1005 | { 1006 | "param": "returnTo", 1007 | "risks": [ 1008 | "open_redirect" 1009 | ] 1010 | }, 1011 | { 1012 | "param": "return_url", 1013 | "risks": [ 1014 | "open_redirect" 1015 | ] 1016 | }, 1017 | { 1018 | "param": "req", 1019 | "risks": [ 1020 | "rce" 1021 | ] 1022 | }, 1023 | { 1024 | "param": "report", 1025 | "risks": [ 1026 | "idor", 1027 | "sqli" 1028 | ] 1029 | }, 1030 | { 1031 | "param": "reset", 1032 | "risks": [ 1033 | "ssrf" 1034 | ] 1035 | }, 1036 | { 1037 | "param": "results", 1038 | "risks": [ 1039 | "sqli" 1040 | ] 1041 | }, 1042 | { 1043 | "param": "role", 1044 | "risks": [ 1045 | "sqli" 1046 | ] 1047 | }, 1048 | { 1049 | "param": "root", 1050 | "risks": [ 1051 | "lfi", 1052 | "ssrf" 1053 | ] 1054 | }, 1055 | { 1056 | "param": "row", 1057 | "risks": [ 1058 | "sqli" 1059 | ] 1060 | }, 1061 | { 1062 | "param": "rt", 1063 | "risks": [ 1064 | "open_redirect" 1065 | ] 1066 | }, 1067 | { 1068 | "param": "run", 1069 | "risks": [ 1070 | "rce" 1071 | ] 1072 | }, 1073 | { 1074 | "param": "rurl", 1075 | "risks": [ 1076 | "open_redirect" 1077 | ] 1078 | }, 1079 | { 1080 | "param": "s", 1081 | "risks": [ 1082 | "xss" 1083 | ] 1084 | }, 1085 | { 1086 | "param": "search", 1087 | "risks": [ 1088 | "xss", 1089 | "sqli" 1090 | ] 1091 | }, 1092 | { 1093 | "param": "sel", 1094 | "risks": [ 1095 | "sqli" 1096 | ] 1097 | }, 1098 | { 1099 | "param": "select", 1100 | "risks": [ 1101 | "sqli" 1102 | ] 1103 | }, 1104 | { 1105 | "param": "shell", 1106 | "risks": [ 1107 | "ssrf" 1108 | ] 1109 | }, 1110 | { 1111 | "param": "show", 1112 | "risks": [ 1113 | "lfi", 1114 | "open_redirect", 1115 | "ssrf" 1116 | ] 1117 | }, 1118 | { 1119 | "param": "site", 1120 | "risks": [ 1121 | "lfi", 1122 | "open_redirect", 1123 | "ssrf" 1124 | ] 1125 | }, 1126 | { 1127 | "param": "sleep", 1128 | "risks": [ 1129 | "sqli" 1130 | ] 1131 | }, 1132 | { 1133 | "param": "sort", 1134 | "risks": [ 1135 | "sqli" 1136 | ] 1137 | }, 1138 | { 1139 | "param": "step", 1140 | "risks": [ 1141 | "rce" 1142 | ] 1143 | }, 1144 | { 1145 | "param": "string", 1146 | "risks": [ 1147 | "sqli" 1148 | ] 1149 | }, 1150 | { 1151 | "param": "style", 1152 | "risks": [ 1153 | "lfi", 1154 | "ssrf" 1155 | ] 1156 | }, 1157 | { 1158 | "param": "table", 1159 | "risks": [ 1160 | "sqli" 1161 | ] 1162 | }, 1163 | { 1164 | "param": "target", 1165 | "risks": [ 1166 | "open_redirect" 1167 | ] 1168 | }, 1169 | { 1170 | "param": "template", 1171 | "risks": [ 1172 | "lfi", 1173 | "ssrf" 1174 | ] 1175 | }, 1176 | { 1177 | "param": "terms", 1178 | "risks": [ 1179 | "xss" 1180 | ] 1181 | }, 1182 | { 1183 | "param": "test", 1184 | "risks": [ 1185 | "ssrf" 1186 | ] 1187 | }, 1188 | { 1189 | "param": "thread", 1190 | "risks": [ 1191 | "sqli" 1192 | ] 1193 | }, 1194 | { 1195 | "param": "title", 1196 | "risks": [ 1197 | "sqli" 1198 | ] 1199 | }, 1200 | { 1201 | "param": "to", 1202 | "risks": [ 1203 | "open_redirect", 1204 | "ssrf" 1205 | ] 1206 | }, 1207 | { 1208 | "param": "toggle", 1209 | "risks": [ 1210 | "ssrf" 1211 | ] 1212 | }, 1213 | { 1214 | "param": "token", 1215 | "risks": [ 1216 | "xss" 1217 | ] 1218 | }, 1219 | { 1220 | "param": "topic", 1221 | "risks": [ 1222 | "sqli" 1223 | ] 1224 | }, 1225 | { 1226 | "param": "type", 1227 | "risks": [ 1228 | "lfi", 1229 | "xss", 1230 | "sqli" 1231 | ] 1232 | }, 1233 | { 1234 | "param": "update", 1235 | "risks": [ 1236 | "sqli" 1237 | ] 1238 | }, 1239 | { 1240 | "param": "upload", 1241 | "risks": [ 1242 | "rce" 1243 | ] 1244 | }, 1245 | { 1246 | "param": "unsubscribe_token", 1247 | "risks": [ 1248 | "xss" 1249 | ] 1250 | }, 1251 | { 1252 | "param": "uri", 1253 | "risks": [ 1254 | "open_redirect", 1255 | "ssrf" 1256 | ] 1257 | }, 1258 | { 1259 | "param": "url", 1260 | "risks": [ 1261 | "open_redirect", 1262 | "xss", 1263 | "ssrf", 1264 | "sqli" 1265 | ] 1266 | }, 1267 | { 1268 | "param": "user", 1269 | "risks": [ 1270 | "idor", 1271 | "sqli" 1272 | ] 1273 | }, 1274 | { 1275 | "param": "username", 1276 | "risks": [ 1277 | "xss" 1278 | ] 1279 | }, 1280 | { 1281 | "param": "val", 1282 | "risks": [ 1283 | "open_redirect", 1284 | "ssrf" 1285 | ] 1286 | }, 1287 | { 1288 | "param": "validate", 1289 | "risks": [ 1290 | "open_redirect", 1291 | "ssrf" 1292 | ] 1293 | }, 1294 | { 1295 | "param": "view", 1296 | "risks": [ 1297 | "lfi", 1298 | "open_redirect", 1299 | "xss", 1300 | "sqli", 1301 | "ssti", 1302 | "ssrf" 1303 | ] 1304 | }, 1305 | { 1306 | "param": "where", 1307 | "risks": [ 1308 | "sqli" 1309 | ] 1310 | }, 1311 | { 1312 | "param": "window", 1313 | "risks": [ 1314 | "open_redirect", 1315 | "ssrf" 1316 | ] 1317 | }, 1318 | { 1319 | "param": "year", 1320 | "risks": [ 1321 | "xss" 1322 | ] 1323 | } 1324 | ] 1325 | --------------------------------------------------------------------------------