From e49e7d8863dd0a33ad729896f2031af04a690768 Mon Sep 17 00:00:00 2001
From: flamebarke <39644720+flamebarke@users.noreply.github.com>
Date: Wed, 6 Dec 2023 14:01:13 +1100
Subject: [PATCH] Add FilterHighlightAnnotateOWASP.bambda
---
 .../HTTP/FilterHighlightAnnotateOWASP.bambda | 99 +++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda
diff --git a/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda
new file mode 100644
index 0000000..39a7428
--- /dev/null
+++ b/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda
@@ -0,0 +1,99 @@
+/**
+* @author Shain Lakin (https://github.com/flamebarke/SkittlesBambda)
+* Filters Proxy HTTP history for requests with vulnerable parameters based on the OWASP Top 25
+* using the parameter arrays written by Tur24Tur / BugBountyzip (https://github.com/BugBountyzip).
+* This version includes colour highlighting for each class of vulnerability along with
+* automatic note annotations detailing the parameter to test and class of vulnerability.
+**/
+
+// Vulnerable parameters
+String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="};
+String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class=", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="};
+String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="};
+String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path=", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="};
+String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="};
+String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code=", "reg=", "do=", "func=", "arg=", "option=", "load=", "process=", "step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="};
+
+boolean manualColorHighlightEnabled = true;
+
+// All parameters and arrays
+String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams};
+String[] arrayNames = {"SSRF", "SQL", "XSS", "LFI", "OR", "RCE"};
+
+// Highlight colours (SSRF/GREEN, SQL/BLUE, XSS/ORANGE, LFI/YELLOW, OR/PINK, RCE/RED)
+HighlightColor[] highlightColors = {
+ HighlightColor.GREEN,
+ HighlightColor.BLUE,
+ HighlightColor.ORANGE,
+ HighlightColor.YELLOW,
+ HighlightColor.PINK,
+ HighlightColor.RED
+};
+
+Map paramColors = new HashMap<>();
+
+for (int i = 0; i < allParams.length; i++) {
+ String[] paramArray = allParams[i];
+ HighlightColor color = highlightColors[i % highlightColors.length];
+ for (String param : paramArray) {
+ paramColors.put(param, color);
+ }
+}
+
+Map firstParamColorMap = new HashMap<>();
+Set foundParams = new HashSet<>();
+boolean multiColorDetected = false;
+String inputParam = "";
+
+if (requestResponse.request().url() != null) {
+ String requestUrl = requestResponse.request().url().toString();
+ String requestBody = requestResponse.request().bodyToString();
+
+ int queryStart = requestUrl.indexOf("?");
+ String queryString = "";
+ if (queryStart != -1 && queryStart < requestUrl.length() - 1) {
+ queryString = requestUrl.substring(queryStart + 1);
+ }
+
+ String[] allInputParams = (queryString + "&" + requestBody).split("&");
+ // If multiple vulnerable parameters classes apply highlight the request in magenta
+ HighlightColor multipleVulnColor = HighlightColor.MAGENTA;
+
+ for (String tempParam : allInputParams) {
+ for (int i = 0; i < allParams.length; i++) {
+ for (String param : allParams[i]) {
+ if (tempParam.startsWith(param)) {
+ inputParam = tempParam;
+ String arrayName = arrayNames[i];
+ HighlightColor color = highlightColors[i % highlightColors.length];
+
+ if (manualColorHighlightEnabled) {
+ if (!firstParamColorMap.containsKey(inputParam)) {
+ firstParamColorMap.put(inputParam, color);
+ } else if (!firstParamColorMap.get(inputParam).equals(color)) {
+ multiColorDetected = true;
+ }
+
+ foundParams.add(arrayName + ": " + inputParam);
+ }
+ }
+ }
+ }
+ }
+
+ if (!foundParams.isEmpty()) {
+ StringBuilder combinedNotes = new StringBuilder();
+ HighlightColor highlightColor = multiColorDetected ? multipleVulnColor : firstParamColorMap.get(inputParam);
+ requestResponse.annotations().setHighlightColor(highlightColor);
+
+ for (String param : foundParams) {
+ if (combinedNotes.length() != 0) {
+ combinedNotes.append(", ");
+ }
+ combinedNotes.append(param);
+ }
+ requestResponse.annotations().setNotes(combinedNotes.toString());
+ return true;
+ }
+}
+return false;
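Review bot: The magenta "multiple vulnerability classes" highlight is only ever set when the same request parameter matches two classes with different colours (the `else if` on `firstParamColorMap.get(inputParam)`), so a request carrying, say, one SSRF-listed and one RCE-listed parameter keeps a single class colour, contrary to the comment above `multipleVulnColor`; adding `if (new HashSet<>(firstParamColorMap.values()).size() > 1) { multiColorDetected = true; }` just before the `if (!foundParams.isEmpty())` check covers that case. `setNotes(...)` also replaces any notes an analyst has already attached to the item, and the note text carries the whole `name=value` chunk from the request (`inputParam`) rather than the matched name (`param`), so request values end up copied into the annotation — recording `param` and appending to the existing notes would be safer. `paramColors` is filled but never read, and `Map`/`Set` are declared raw; dropping the unused map and declaring `Map<String, HighlightColor>` / `Set<String>` would tidy the script. The `redirect_uri` entry in `orParams` lacks the trailing `=` that every other entry has, so it also matches any parameter whose name merely starts with that prefix.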