
Ability to Not Print "Not Reflected" Reports of Paramminer on Output.ndjson

Open TheTechromancer opened this issue 1 year ago • 3 comments

Discussed in https://github.com/blacklanternsecurity/bbot/discussions/1329

Originally posted by amiremami April 29, 2024

It would be great, if possible, to add a config option for paramminer to not print not-reflected items into output.ndjson.

Thanks 🙏

TheTechromancer avatar Apr 29 '24 12:04 TheTechromancer

I think I'd rather have the generic ability to filter by tags in the output module, rather than something specific just for this one tag in paramminer. @TheTechromancer thoughts?

liquidsec avatar May 04 '24 14:05 liquidsec

Tags are a good idea but we should try and consider users who are only scanning for vulnerabilities and don't plan on doing manual fuzzing. To them I think only the reflected ones would be interesting, so it might make sense to have a filter option on the module.

On the other hand, even the reflected ones sometimes don't result in a vulnerability. So until we have a more complete web scanning family with PARAM events, if we just want to say the paramminer modules are for advanced users only, that's fine too.

TheTechromancer avatar May 04 '24 16:05 TheTechromancer

Lightfuzz branch will change how all of these work, so I am very hesitant to make changes like this now (there will be an entirely new event type, WEB_PARAMETER). This is also why I was leaning towards making a generic option to filter by tags.

liquidsec avatar May 07 '24 16:05 liquidsec