Creates, validates and analyses a potential list of URLs for a target based on the source code provided. This is a direct comparison based on the directory structure; it does not take into account routing or advanced MVC-type applications.
Useful when you have obtained source code from a target and want to check whether any files are accessible without auth, or during code reviews to identify potential pages which can be reviewed first. Written as part of prep for OSWE.
```
python .\SourceMapping.py -w 'c:\source\appname' -t 'https://localhost'
```
- `-d` for debug mode, which will attempt to use a proxy as well
- `--wordlist` to print only a wordlist of the files
- `-o` for output location in CSV format
Some of the extensions, which are configurable inside the source:
['*.txt', '*.json', '*.xml', '*.sql', '*.conf', '*.zip', '*.php', '*.ini', '*.cs', '*.js', '*.aspx', '*.asp', '*.java', '*.dll', '*.dat']
Limited functionality is available to "review" potential pages for inputs. These pages should be primary targets, and the check can easily be modified in this function:
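```python
def analyseVuln(rqResponse):
    # Label a response by the kind of user input its HTML appears to contain.
    # Use the decoded body: str() on .content would give the bytes repr.
    body = rqResponse.text
    if "<form action" in body:
        return "InputForm"
    elif "<form name" in body:
        return "InputForm"
    elif 'type="submit"' in body:
        return "SubmitForm"
    else:
        return ""
```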
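A stricter variant of this check, as an added example that is not part of SourceMapping.py: it parses the HTML with the standard library instead of matching substrings, so attribute order, case, quoting and commented-out markup do not change the result. The names `InputScanner` and `analyse_inputs`, the extra labels `FileUpload` and `LoginForm`, and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser

class InputScanner(HTMLParser):
    """Counts <form> tags and records the kinds of input controls seen."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.controls = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and skips comments.
        attrs = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag in ("input", "button"):
            default = "submit" if tag == "button" else "text"
            self.controls.add((attrs.get("type") or default).lower())
        elif tag in ("textarea", "select"):
            self.controls.add(tag)

def analyse_inputs(html_text):
    """Return a review label for one page body, or "" if it takes no input."""
    scanner = InputScanner()
    scanner.feed(html_text)
    scanner.close()
    if "file" in scanner.controls:
        return "FileUpload"   # hypothetical label, not in the original tool
    if "password" in scanner.controls:
        return "LoginForm"    # hypothetical label, not in the original tool
    if scanner.forms:
        return "InputForm"
    if "submit" in scanner.controls:
        return "SubmitForm"
    return ""

# Constructed sample bodies; the first two are missed by the substring check.
SAMPLES = {
    "search.php": '<FORM method="get" action="search.php"><input name="q"></FORM>',
    "go.php": "<input type='submit' value='Go'>",
    "upload.php": '<form enctype="multipart/form-data"><input type="file" name="f"></form>',
    "login.php": '<form action="login.php"><input type=password name=p></form>',
    "old.php": '<!-- <form action="old.php"><input type="submit"></form> -->',
}

if __name__ == "__main__":
    for page, body in SAMPLES.items():
        print(page, "->", analyse_inputs(body) or "(no input found)")
```

To use it in place of the substring check, pass the decoded response body (`rqResponse.text`) rather than the response object.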
- Progress bar
- Output written to file in CSV format
- Threading
- Debug mode, will have verbose output on each request and use proxy if one is found
In the example below, we could either have found a backup file on a blackbox engagement, or we are doing a whitebox engagement with the source. We've used the ATutor example from the OSWE coursework. The script automatically checks which pages are accessible based on the response, then checks for potential form inputs on the pages that are accessible. This allows us to target specific pages instead of sifting through large volumes.