bbot
custom headers not validated, cryptic errors in web helper when incorrectly set
When http_headers are supplied incorrectly, the web helper gives off cryptic errors; no validation happens prior to the scan.
Expectation: An error message showing an example of how to properly define the headers.
Command:
poetry run bbot -m httpx telerik -c http_headers={"ASP.NET_SessionId":"wezl5nvfi4ukn0f3yn4jua0a"} -t https://nunya/
2024-03-29 17:06:24,936 [TRACE] bbot.scanner scanner.py:1060 Traceback (most recent call last):
File "/root/bbot/bbot/scanner/scanner.py", line 1042, in _acatch
yield
File "/root/bbot/bbot/modules/base.py", line 629, in _worker
await handle_event_task
File "/root/bbot/bbot/modules/telerik.py", line 175, in handle_event
result, _ = await self.test_detector(event.data, webresource)
File "/root/bbot/bbot/modules/telerik.py", line 361, in test_detector
result = await self.helpers.request(url, timeout=self.timeout)
File "/root/bbot/bbot/core/helpers/web.py", line 229, in request
response = await client.request(*args, **kwargs)
File "/root/bbot/bbot/core/helpers/web.py", line 87, in request
return await super().request(*args, **kwargs)
File "/root/.cache/pypoetry/virtualenvs/bbot-aKeTQkGo-py3.10/lib/python3.10/site-packages/httpx/_client.py", line 1546, in request
request = self.build_request(
File "/root/bbot/bbot/core/helpers/web.py", line 96, in build_request
request.headers[hk] = hv
File "/root/.cache/pypoetry/virtualenvs/bbot-aKeTQkGo-py3.10/lib/python3.10/site-packages/httpx/_models.py", line 234, in __setitem__
set_value = value.encode(self._encoding or "utf-8")
AttributeError: 'NoneType' object has no attribute 'encode'
Command:
poetry run bbot -m httpx telerik -c http_headers="ASP.NET_SessionId=wezl5nvfi4ukn0f3yn4jua0a" -t https://nunya
2024-03-29 17:07:37,376 [TRACE] bbot.scanner scanner.py:1060 Traceback (most recent call last):
File "/root/bbot/bbot/scanner/scanner.py", line 1042, in _acatch
yield
File "/root/bbot/bbot/modules/base.py", line 395, in _handle_batch
await handle_batch_task
File "/root/bbot/bbot/modules/httpx.py", line 130, in handle_batch
for hk, hv in self.scan.config.get("http_headers", {}).items():
AttributeError: 'str' object has no attribute 'items'
2024-03-29 17:07:37,449 [ERROR] bbot.scanner scanner.py:1059 Error in httpx.handle_batch(): /root/bbot/bbot/modules/httpx.py:130:handle_batch(): 'str' object has no attribute 'items'
2024-03-29 17:07:37,452 [TRACE] bbot.scanner scanner.py:1060 Traceback (most recent call last):
File "/root/bbot/bbot/scanner/scanner.py", line 1042, in _acatch
yield
File "/root/bbot/bbot/modules/base.py", line 395, in _handle_batch
await handle_batch_task
File "/root/bbot/bbot/modules/httpx.py", line 130, in handle_batch
for hk, hv in self.scan.config.get("http_headers", {}).items():
AttributeError: 'str' object has no attribute 'items'
2024-03-29 17:07:37,464 [ERROR] bbot.scanner scanner.py:1059 Error in httpx.handle_batch(): /root/bbot/bbot/modules/httpx.py:130:handle_batch(): 'str' object has no attribute 'items'
2024-03-29 17:07:37,466 [TRACE] bbot.scanner scanner.py:1060 Traceback (most recent call last):
File "/root/bbot/bbot/scanner/scanner.py", line 1042, in _acatch
yield
File "/root/bbot/bbot/modules/base.py", line 395, in _handle_batch
await handle_batch_task
File "/root/bbot/bbot/modules/httpx.py", line 130, in handle_batch
for hk, hv in self.scan.config.get("http_headers", {}).items():
AttributeError: 'str' object has no attribute 'items'
https://github.com/blacklanternsecurity/bbot/issues/1299
addressed in https://github.com/blacklanternsecurity/bbot/pull/1368
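A pre-scan check of the kind the issue asks for, as an added example (not code from bbot or from the linked pull request): `validate_http_headers`, `explain`, `HeaderConfigError` and the error wording are hypothetical names chosen here. It rejects the two shapes the tracebacks above show, a plain string and a header whose value is `None`, and also refuses names or values that could not be sent as a single header line.

```python
import re
from collections.abc import Mapping

# RFC 7230 "token" characters permitted in a header field name
_HEADER_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Hint appended to every error (wording is an assumption, not bbot's message)
EXAMPLE = 'Expected a mapping of header name to string value, e.g. {"Cookie": "session=abc123"}'


class HeaderConfigError(ValueError):
    """Raised before any request is built when http_headers is malformed."""


def validate_http_headers(raw):
    """Return a clean {name: value} dict or raise HeaderConfigError."""
    if raw is None:
        return {}
    if not isinstance(raw, Mapping):
        # Second traceback: the config value arrived as a str, so .items() failed
        raise HeaderConfigError(f"http_headers is a {type(raw).__name__}, not a mapping. {EXAMPLE}")
    clean = {}
    for name, value in raw.items():
        if not isinstance(name, str) or not _HEADER_NAME.fullmatch(name):
            raise HeaderConfigError(f"invalid header name {name!r}. {EXAMPLE}")
        if value is None:
            # First traceback: a None value reached httpx and .encode() failed
            raise HeaderConfigError(f"header {name!r} has no value. {EXAMPLE}")
        value = str(value)
        if "\r" in value or "\n" in value:
            # A line break would split the value into extra header lines
            raise HeaderConfigError(f"header {name!r} contains a line break. {EXAMPLE}")
        clean[name] = value
    return clean


def explain(raw):
    """Return the error text for a bad config, or None when it is valid."""
    try:
        validate_http_headers(raw)
    except HeaderConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs modelled on the two failing commands in the report
    for sample in ("ASP.NET_SessionId=abc", {"ASP.NET_SessionId:abc": None}, {"X-Test": None}):
        print(explain(sample))
```
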