Merge branch 'migrate-to-golang' of github.com:OWASP/OFFAT into migra…

…te-to-golang
OWASP · Aug 27, 2024 · 3e3fa81 · 3e3fa81
2 parents f7dd43c + 9d2ad97
commit 3e3fa81
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 0 deletions.
diff --git a/src/cmd/offat/main.go b/src/cmd/offat/main.go
@@ -118,6 +118,7 @@ func main() {
 		RunXssHtmlInjectionTest:       true,
 		RunSstiInjectionTest:          true,
 		RunBolaTest:                   true,
+		RunBolaTrailingPathTest:       true,
 
 		// SSRF Test
 		SsrfUrl: *config.SsrfUrl,

diff --git a/src/pkg/tgen/bola.go b/src/pkg/tgen/bola.go
@@ -1,6 +1,11 @@
 package tgen
 
 import (
+	"path"
+	"strconv"
+	"strings"
+
+	"github.com/OWASP/OFFAT/src/pkg/fuzzer"
 	"github.com/OWASP/OFFAT/src/pkg/parser"
 	"github.com/OWASP/OFFAT/src/pkg/utils"
 	c "github.com/dmdhrumilmistry/fasthttpclient/client"
@@ -38,3 +43,42 @@ func BolaTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map
 
 	return tests
 }
+
+func BolaTrailingPathTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string) []*ApiTest {
+	var tests []*ApiTest
+	testName := "BOLA Trailing Path Test"
+	immuneResponseCode := []int{404, 405} // 502, 503, 504 -> responses could lead to DoS using the endpoint
+
+	for _, docParam := range docParams {
+		url, headersMap, queryMap, bodyData, pathWithParams, err := httpParamToRequest(baseUrl, docParam, queryParams, headers, utils.JSON)
+		if err != nil {
+			log.Error().Err(err).Msgf("failed to generate request params from DocHttpParams, skipping test for this case %v due to error %v", *docParam, err)
+			continue
+		}
+
+		randNum, err := fuzzer.GenerateRandomIntInRange(1, 1000)
+		if err != nil {
+			log.Error().Err(err).Msgf("failed to generate random id for Trailing BOLA Path Test, skipping test generation for this case %v due to error %v", *docParam, err)
+			continue
+		}
+		randomId := strconv.Itoa(randNum)
+
+		// add random digit as id at the end of current path
+		uriPath := path.Join(docParam.Path, randomId)
+		url = strings.ReplaceAll(path.Join(url, randomId), ":/", "://")
+
+		// prepare test request
+		request := c.NewRequest(url, docParam.HttpMethod, queryMap, headersMap, bodyData)
+
+		test := ApiTest{
+			TestName:            testName,
+			Request:             request,
+			Path:                uriPath,
+			PathWithParams:      pathWithParams,
+			ImmuneResponseCodes: immuneResponseCode,
+		}
+		tests = append(tests, &test)
+	}
+
+	return tests
+}
diff --git a/src/pkg/tgen/tgen.go b/src/pkg/tgen/tgen.go
@@ -21,6 +21,7 @@ type TGenHandler struct {
 	RunXssHtmlInjectionTest       bool
 	RunSstiInjectionTest          bool
 	RunBolaTest                   bool
+	RunBolaTrailingPathTest       bool
 
 	// SSRF Test related data
 	SsrfUrl string
@@ -45,6 +46,14 @@ func (t *TGenHandler) GenerateTests() []*ApiTest {
 		log.Info().Msgf("%d tests generated for BOLA", len(newTests))
 	}
 
+	// BOLA Trailing Path Test
+	if t.RunBolaTest {
+		newTests := BolaTrailingPathTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders)
+		tests = append(tests, newTests...)
+
+		log.Info().Msgf("%d tests generated for BOLA Trailing Path", len(newTests))
+	}
+
 	// Basic SQLI Test
 	if t.RunBasicSQLiTest {
 		injectionConfig := InjectionConfig{