bump deps and implement bola test

OWASP · Aug 26, 2024 · 0872111 · 0872111
1 parent f42d384
commit 0872111
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 5 deletions.
diff --git a/src/cmd/offat/main.go b/src/cmd/offat/main.go
@@ -118,6 +118,7 @@ func main() {
 		RunOsCommandInjectionTest:     true,
 		RunXssHtmlInjectionTest:       true,
 		RunSstiInjectionTest:          true,
+		RunBolaTest:                   true,
 
 		// SSRF Test
 		SsrfUrl: *config.SsrfUrl,

diff --git a/src/go.mod b/src/go.mod
@@ -16,7 +16,7 @@ require (
 
 require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/bytedance/gopkg v0.1.0 // indirect
+	github.com/bytedance/gopkg v0.1.1 // indirect
 	github.com/cloudwego/hertz v0.9.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect

diff --git a/src/go.sum b/src/go.sum
@@ -2,8 +2,8 @@ github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/bytedance/go-tagexpr/v2 v2.9.2/go.mod h1:5qsx05dYOiUXOUgnQ7w3Oz8BYs2qtM/bJokdLb79wRM=
 github.com/bytedance/gopkg v0.0.0-20220413063733-65bf48ffb3a7/go.mod h1:2ZlV9BaUH4+NXIBF0aMdKKAnHTzqH+iMU4KUjAbL23Q=
-github.com/bytedance/gopkg v0.1.0 h1:aAxB7mm1qms4Wz4sp8e1AtKDOeFLtdqvGiUe7aonRJs=
-github.com/bytedance/gopkg v0.1.0/go.mod h1:FtQG3YbQG9L/91pbKSw787yBQPutC+457AvDW77fgUQ=
+github.com/bytedance/gopkg v0.1.1 h1:3azzgSkiaw79u24a+w9arfH8OfnQQ4MHUt9lJFREEaE=
+github.com/bytedance/gopkg v0.1.1/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
 github.com/bytedance/mockey v1.2.1/go.mod h1:+Jm/fzWZAuhEDrPXVjDf/jLM2BlLXJkwk94zf2JZ3X4=
 github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
 github.com/bytedance/sonic v1.8.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U=
@@ -132,7 +132,6 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
@@ -155,7 +154,6 @@ golang.org/x/sys v0.0.0-20220110181412-a018aaa089fe/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

diff --git a/src/pkg/tgen/bola.go b/src/pkg/tgen/bola.go
@@ -0,0 +1,40 @@
+package tgen
+
+import (
+	"github.com/OWASP/OFFAT/src/pkg/parser"
+	"github.com/OWASP/OFFAT/src/pkg/utils"
+	c "github.com/dmdhrumilmistry/fasthttpclient/client"
+	"github.com/rs/zerolog/log"
+)
+
+func BolaTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string) []*ApiTest {
+	var tests []*ApiTest
+	testName := "BOLA Test"
+	immuneResponseCode := []int{404, 405} // 502, 503, 504 -> responses could lead to DoS using the endpoint
+
+	for _, docParam := range docParams {
+		// skip test generation if there are no path params
+		if len(docParam.PathParams) < 1 {
+			continue
+		}
+
+		url, headersMap, queryMap, bodyData, pathWithParams, err := httpParamToRequest(baseUrl, docParam, queryParams, headers, utils.JSON)
+		if err != nil {
+			log.Error().Err(err).Msgf("failed to generate request params from DocHttpParams, skipping test for this case %v due to error %v", *docParam, err)
+			continue
+		}
+
+		request := c.NewRequest(url, docParam.HttpMethod, queryMap, headersMap, bodyData)
+
+		test := ApiTest{
+			TestName:            testName,
+			Request:             request,
+			Path:                docParam.Path,
+			PathWithParams:      pathWithParams,
+			ImmuneResponseCodes: immuneResponseCode,
+		}
+		tests = append(tests, &test)
+	}
+
+	return tests
+}
diff --git a/src/pkg/tgen/tgen.go b/src/pkg/tgen/tgen.go
@@ -20,20 +20,31 @@ type TGenHandler struct {
 	RunOsCommandInjectionTest     bool
 	RunXssHtmlInjectionTest       bool
 	RunSstiInjectionTest          bool
+	RunBolaTest                   bool
 
 	// SSRF Test related data
 	SsrfUrl string
 }
 
 func (t *TGenHandler) GenerateTests() []*ApiTest {
 	tests := []*ApiTest{}
+
+	// Unrestricted HTTP Method/Verbs
 	if t.RunUnrestrictedHttpMethodTest {
 		newTests := UnrestrictedHttpMethods(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders)
 		tests = append(tests, newTests...)
 
 		log.Info().Msgf("%d tests generated for Unrestricted HTTP Methods/Verbs", len(newTests))
 	}
 
+	// BOLA Test
+	if t.RunBolaTest {
+		newTests := BolaTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders)
+		tests = append(tests, newTests...)
+
+		log.Info().Msgf("%d tests generated for BOLA", len(newTests))
+	}
+
 	// Basic SQLI Test
 	if t.RunBasicSQLiTest {
 		injectionConfig := InjectionConfig{