Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No second order support. #12

Open
sectroyer opened this issue May 15, 2023 · 4 comments
Open

No second order support. #12

sectroyer opened this issue May 15, 2023 · 4 comments
Labels
delayed The issue will be fixed with a big update later enhancement New feature or request

Comments

@sectroyer
Copy link

I will use PortSwigger's "Basic server-side template injection (code context)" task as an example but I have encountered same issue elsewhere.

Currently there is no way to specify a second order url however it's pretty simple to implement. I didn't add specific switch but in code I just had add two lines.
I used this command line:
./sstimap.py -u "https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/my-account/change-blog-post-author-display" -d "blog-post-author-display=user.first_name&csrf=xGbHC88kaLt5KmNUTq7zw3wZ3fMDDAGx" --cookie 'session=Sk45UsfrkQRg3siVdnHxV8uBhDFG20gJ' -A -e Tornado

And changed those lines:

        second_order_url="https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/post?postId=6"
        try:
            result = requests.request(method=self.http_method, url=url_params, params=get_params, data=post_params,
                                      headers=header_params, proxies=self.proxies, verify=self.args.get('verify_ssl'), allow_redirects=False).text
            result = requests.get(second_order_url,cookies=cookies,proxies=self.proxies,verify=False).text

simple if that checks if second_order_url is in self.args should suffice IMHO.
@vladko312
Copy link
Owner

This is a great idea! I will add this feature soon.

@vladko312 vladko312 added in progress The issue would be fixed in the next minor version enhancement New feature or request labels May 16, 2023
@vladko312 vladko312 added delayed The issue will be fixed with a big update later and removed in progress The issue would be fixed in the next minor version labels May 26, 2023
@vladko312
Copy link
Owner

There are other cases that need a deeper fix:

  • Second order based on returned data (ID of the created post)
  • Reset required after every attempt (deleting a comment to fix HTTP error 500)
  • Reset based on data
  • Reset or second order not being HTTP (email, websockets, ...)

Some of this cases need some extra parameters that are unlikely to be used outside of them. I decided to move requesting functionality to a separate module in the future with a way to add custom parameters for that module.

For now, I don't have a lot of time, so this functionality will appear later.

@Molx32
Copy link

Molx32 commented Jan 3, 2024

Hi there!
Any update regarding the second order feature?
I started thinking of how to implement this, so feel free to share if you already have something in mind or some prototype.

@vladko312
Copy link
Owner

@Molx32 I have some plans to add a way to do complex workflows with any amount of requests and a possibility for second order. This would also cover cases where you need to obtain a new session or remove your payloads to recover functionality on a vulnerable page.

@vladko312 vladko312 mentioned this issue Oct 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
delayed The issue will be fixed with a big update later enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sectroyer @Molx32 @vladko312