Codebase list ffuf / 175bcd1 pkg / ffuf / request.go
175bcd1

Tree @175bcd1 (Download .tar.gz)

request.go @175bcd1raw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
package ffuf

import (
	"strings"
)

// Request holds the meaningful data that is passed for runner for making the query
type Request struct {
	Method   string
	Host     string
	Url      string
	Headers  map[string]string
	Data     []byte
	Input    map[string][]byte
	Position int
	Raw      string
}

func NewRequest(conf *Config) Request {
	var req Request
	req.Method = conf.Method
	req.Url = conf.Url
	req.Headers = make(map[string]string)
	return req
}

// BaseRequest returns a base request struct populated from the main config
func BaseRequest(conf *Config) Request {
	req := NewRequest(conf)
	req.Headers = conf.Headers
	req.Data = []byte(conf.Data)
	return req
}

// RecursionRequest returns a base request for a recursion target
func RecursionRequest(conf *Config, path string) Request {
	r := BaseRequest(conf)
	r.Url = path
	return r
}

// CopyRequest performs a deep copy of a request and returns a new struct
func CopyRequest(basereq *Request) Request {
	var req Request
	req.Method = basereq.Method
	req.Host = basereq.Host
	req.Url = basereq.Url

	req.Headers = make(map[string]string, len(basereq.Headers))
	for h, v := range basereq.Headers {
		req.Headers[h] = v
	}

	req.Data = make([]byte, len(basereq.Data))
	copy(req.Data, basereq.Data)

	if len(basereq.Input) > 0 {
		req.Input = make(map[string][]byte, len(basereq.Input))
		for k, v := range basereq.Input {
			req.Input[k] = v
		}
	}

	req.Position = basereq.Position
	req.Raw = basereq.Raw

	return req
}

// SniperRequests returns an array of requests, each with one of the templated locations replaced by a keyword
func SniperRequests(basereq *Request, template string) []Request {
	var reqs []Request
	keyword := "FUZZ"

	// Search for input location identifiers, these must exist in pairs
	if c := strings.Count(basereq.Method, template); c > 0 {
		if c%2 == 0 {
			tokens := templateLocations(template, basereq.Method)

			for i := 0; i < len(tokens); i = i + 2 {
				newreq := CopyRequest(basereq)
				newreq.Method = injectKeyword(basereq.Method, keyword, tokens[i], tokens[i+1])
				scrubTemplates(&newreq, template)
				reqs = append(reqs, newreq)
			}
		}
	}

	if c := strings.Count(basereq.Url, template); c > 0 {
		if c%2 == 0 {
			tokens := templateLocations(template, basereq.Url)

			for i := 0; i < len(tokens); i = i + 2 {
				newreq := CopyRequest(basereq)
				newreq.Url = injectKeyword(basereq.Url, keyword, tokens[i], tokens[i+1])
				scrubTemplates(&newreq, template)
				reqs = append(reqs, newreq)
			}
		}
	}

	data := string(basereq.Data)
	if c := strings.Count(data, template); c > 0 {
		if c%2 == 0 {
			tokens := templateLocations(template, data)

			for i := 0; i < len(tokens); i = i + 2 {
				newreq := CopyRequest(basereq)
				newreq.Data = []byte(injectKeyword(data, keyword, tokens[i], tokens[i+1]))
				scrubTemplates(&newreq, template)
				reqs = append(reqs, newreq)
			}
		}
	}

	for k, v := range basereq.Headers {
		if c := strings.Count(k, template); c > 0 {
			if c%2 == 0 {
				tokens := templateLocations(template, k)

				for i := 0; i < len(tokens); i = i + 2 {
					newreq := CopyRequest(basereq)
					newreq.Headers[injectKeyword(k, keyword, tokens[i], tokens[i+1])] = v
					delete(newreq.Headers, k)
					scrubTemplates(&newreq, template)
					reqs = append(reqs, newreq)
				}
			}
		}
		if c := strings.Count(v, template); c > 0 {
			if c%2 == 0 {
				tokens := templateLocations(template, v)

				for i := 0; i < len(tokens); i = i + 2 {
					newreq := CopyRequest(basereq)
					newreq.Headers[k] = injectKeyword(v, keyword, tokens[i], tokens[i+1])
					scrubTemplates(&newreq, template)
					reqs = append(reqs, newreq)
				}
			}
		}
	}

	return reqs
}

// templateLocations returns an array of template character locations in input
func templateLocations(template string, input string) []int {
	var tokens []int

	for k, i := range []rune(input) {
		if i == []rune(template)[0] {
			tokens = append(tokens, k)
		}
	}

	return tokens
}

// injectKeyword takes a string, a keyword, and a start/end offset. The data between
// the start/end offset in string is removed, and replaced by keyword
func injectKeyword(input string, keyword string, startOffset int, endOffset int) string {

	// some basic sanity checking, return the original string unchanged if offsets didnt make sense
	if startOffset > len(input) || endOffset > len(input) || startOffset > endOffset {
		return input
	}

	inputslice := []rune(input)
	keywordslice := []rune(keyword)

	prefix := inputslice[:startOffset]
	suffix := inputslice[endOffset+1:]

	inputslice = append(prefix, keywordslice...)
	inputslice = append(inputslice, suffix...)

	return string(inputslice)
}

// scrubTemplates removes all template (ยง) strings from the request struct
func scrubTemplates(req *Request, template string) {
	req.Method = strings.Join(strings.Split(req.Method, template), "")
	req.Url = strings.Join(strings.Split(req.Url, template), "")
	req.Data = []byte(strings.Join(strings.Split(string(req.Data), template), ""))

	for k, v := range req.Headers {
		if c := strings.Count(k, template); c > 0 {
			if c%2 == 0 {
				delete(req.Headers, k)
				req.Headers[strings.Join(strings.Split(k, template), "")] = v
			}
		}
		if c := strings.Count(v, template); c > 0 {
			if c%2 == 0 {
				req.Headers[k] = strings.Join(strings.Split(v, template), "")
			}
		}
	}
}