From 35e9a6afb5ff82c1f4b39f79f643cef65aeaf792 Mon Sep 17 00:00:00 2001
From: Dhrumil Mistry <56185972+dmdhrumilmistry@users.noreply.github.com>
Date: Tue, 27 Aug 2024 00:27:48 +0530
Subject: [PATCH] add bola trailing path test

---
 src/cmd/offat/main.go | 1 +
 src/pkg/tgen/bola.go | 44 +++++++++++++++++++++++++++++++++++++++++++
 src/pkg/tgen/tgen.go | 9 +++++++++
 3 files changed, 54 insertions(+)

diff --git a/src/cmd/offat/main.go b/src/cmd/offat/main.go
index 68a7bc7..b72bf06 100644
--- a/src/cmd/offat/main.go
+++ b/src/cmd/offat/main.go
@@ -119,6 +119,7 @@ func main() {
 RunXssHtmlInjectionTest: true,
 RunSstiInjectionTest: true,
 RunBolaTest: true,
+ RunBolaTrailingPathTest: true,

 // SSRF Test
 SsrfUrl: *config.SsrfUrl,
diff --git a/src/pkg/tgen/bola.go b/src/pkg/tgen/bola.go
index 3bc89b8..dab198f 100644
--- a/src/pkg/tgen/bola.go
+++ b/src/pkg/tgen/bola.go
@@ -1,6 +1,11 @@
 package tgen

 import (
+ "path"
+ "strconv"
+ "strings"
+
+ "github.com/OWASP/OFFAT/src/pkg/fuzzer"
 "github.com/OWASP/OFFAT/src/pkg/parser"
 "github.com/OWASP/OFFAT/src/pkg/utils"
 c "github.com/dmdhrumilmistry/fasthttpclient/client"
@@ -38,3 +43,42 @@ func BolaTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map
 return tests
 }

+
+func BolaTrailingPathTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string) []*ApiTest {
+ var tests []*ApiTest
+ testName := "BOLA Trailing Path Test"
+ immuneResponseCode := []int{404, 405} // 502, 503, 504 -> responses could lead to DoS using the endpoint
+
+ for _, docParam := range docParams {
+ url, headersMap, queryMap, bodyData, pathWithParams, err := httpParamToRequest(baseUrl, docParam, queryParams, headers, utils.JSON)
+ if err != nil {
+ log.Error().Err(err).Msgf("failed to generate request params from DocHttpParams, skipping test for this case %v due to error %v", *docParam, err)
+ continue
+ }
+
+ randNum, err := fuzzer.GenerateRandomIntInRange(1, 1000)
+ if err != nil {
+ log.Error().Err(err).Msgf("failed to generate random id for Trailing BOLA Path Test, skipping test generation for this case %v due to error %v", *docParam, err)
+ continue
+ }
+ randomId := strconv.Itoa(randNum)
+
+ // add random digit as id at the end of current path
+ uriPath := path.Join(docParam.Path, randomId)
+ url = strings.ReplaceAll(path.Join(url, randomId), ":/", "://")
+
+ // prepare test request
+ request := c.NewRequest(url, docParam.HttpMethod, queryMap, headersMap, bodyData)
+
+ test := ApiTest{
+ TestName: testName,
+ Request: request,
+ Path: uriPath,
+ PathWithParams: pathWithParams,
+ ImmuneResponseCodes: immuneResponseCode,
+ }
+ tests = append(tests, &test)
+ }
+
+ return tests
+}
diff --git a/src/pkg/tgen/tgen.go b/src/pkg/tgen/tgen.go
index e9d5529..f9d8715 100644
--- a/src/pkg/tgen/tgen.go
+++ b/src/pkg/tgen/tgen.go
@@ -21,6 +21,7 @@ type TGenHandler struct {
 RunXssHtmlInjectionTest bool
 RunSstiInjectionTest bool
 RunBolaTest bool
+ RunBolaTrailingPathTest bool

 // SSRF Test related data
 SsrfUrl string
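Review bot: Building the request URL with `path.Join(url, randomId)` and then `strings.ReplaceAll(..., ":/", "://")` runs the whole URL through path.Clean, which collapses every doubled slash and resolves any `.`/`..` segment in the string, and the ReplaceAll then rewrites every `:/` it finds rather than only the scheme separator — so the URL actually sent can diverge from the `uriPath` recorded on the ApiTest whenever the value returned by httpParamToRequest contains such sequences (whether it can is not visible in this hunk). Appending the segment directly leaves the rest of the URL untouched: `url = strings.TrimSuffix(url, "/") + "/" + randomId`. Two smaller points in the same function: Go's initialism convention calls for `randomID` rather than `randomId`, and the trailing comment on `immuneResponseCode` is hard to parse and would read better if it said plainly that 502/503/504 are intentionally left out of the immune list and why.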
@@ -45,6 +46,14 @@ func (t *TGenHandler) GenerateTests() []*ApiTest {
 log.Info().Msgf("%d tests generated for BOLA", len(newTests))
 }

+ // BOLA Trailing Path Test
+ if t.RunBolaTest {
+ newTests := BolaTrailingPathTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders)
+ tests = append(tests, newTests...)
+
+ log.Info().Msgf("%d tests generated for BOLA Trailing Path", len(newTests))
+ }
+
 // Basic SQLI Test
 if t.RunBasicSQLiTest {
 injectionConfig := InjectionConfig{
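Review bot: The new block is gated on `t.RunBolaTest` instead of the `RunBolaTrailingPathTest` field this same commit adds to `TGenHandler` and sets in main.go, so the new flag is never read and the trailing-path tests cannot be enabled or disabled independently of the plain BOLA tests; the condition should be `if t.RunBolaTrailingPathTest {`. Because the only visible difference at runtime is the log message, a misconfigured run would be easy to miss. GenerateTests begins and ends outside this hunk.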