
Param digger add-on

Open psiinon opened this issue 2 years ago • 17 comments

Param Miner is a Burp extension which identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. It is based on this research by James Kettle: https://portswigger.net/research/practical-web-cache-poisoning

This feature was requested via twitter: https://twitter.com/hahwul/status/1502642090232414208

This will be a non-trivial development but could be an ideal GSoC (or similar) project.


See: https://github.com/zaproxy/zaproxy/issues/7140#issuecomment-1144734876 for follow-on tasks.

psiinon avatar Mar 14 '22 12:03 psiinon

Might be able to draw some ideas from this project as well: https://github.com/s0md3v/Arjun

kingthorin avatar Mar 14 '22 16:03 kingthorin

https://mobile.twitter.com/KathanP19/status/1520398012392292353

kingthorin avatar May 01 '22 01:05 kingthorin

Can I be assigned this issue? :)


20220819 (First/Blog Release)

  • [ ] For the time being, it might be a good move to comment out the Header/Cookie Guess checkbox bits (so they aren't added to the panel) and set the associated tab visibility (off or false).
  • [x] Rename Param Miner to Param Digger in the help docs and associated mappings.
  • [x] Rename Param miner project.

ArkaprabhaChakraborty avatar Jun 02 '22 11:06 ArkaprabhaChakraborty

Super short list(s)? https://github.com/lutfumertceylan/top25-parameter

Could also leverage the HUNT lists. https://github.com/bugcrowd/HUNT/blob/master/Remix/ZAPRemix/src/main/kotlin/HuntData.kt

kingthorin avatar Jun 14 '22 15:06 kingthorin

Thank you @kingthorin. I'll try to use them too. This will speed up the brute-force process and will also help to identify what type of attack can be carried out with these parameters.

ArkaprabhaChakraborty avatar Jun 14 '22 15:06 ArkaprabhaChakraborty

Just ideas, don't let any of it interfere with actually finishing/progressing :wink:

kingthorin avatar Jun 14 '22 16:06 kingthorin

Actually, I'll follow the binary search-based approach for these lists too, aka that's the backbone of the URL brute force approach, and I think the same can be done for the others too. The speciality of this list can be identifying the possible attacks (a minor tweak in the 'output' stating the same).

ArkaprabhaChakraborty avatar Jun 14 '22 18:06 ArkaprabhaChakraborty
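The group-and-split search described in the comment above, as an added example that is not code from ZAP, Param Digger, Param Miner or Arjun. It is written in Python rather than the add-on's Java so that it runs stand-alone: the target application, the wordlist and the per-parameter review hints are all constructed here, and `simulated_app` stands in for the HTTP client a real scan would use.

```python
"""Added example (not ZAP or Param Digger code): binary-search style discovery
of hidden parameters, run against a constructed offline stand-in for a web app."""
from typing import Callable, Dict, List, Tuple

Sender = Callable[[Dict[str, str]], str]

# Constructed stand-in for the application under test. It ignores every query
# parameter except the three "hidden" ones, which it echoes into the response.
# A real scan would replace this with an HTTP client sending GET/POST requests.
_HIDDEN = {"debug", "redirect", "pad130"}


def simulated_app(params: Dict[str, str]) -> str:
    body = "<html><body>catalogue</body></html>"
    for name in sorted(params):
        if name in _HIDDEN:
            body += f"<!-- {name}={params[name]} -->"
    return body


# Constructed wordlist: a handful of well-known names plus padding, so the
# search runs over enough candidates to show the saving over one-per-request.
WORDLIST: List[str] = ["debug", "admin", "redirect", "callback", "file", "id", "q", "sort"] \
    + [f"pad{i}" for i in range(248)]

# Constructed hints (the "minor tweak in the output" from the discussion): the
# weakness class a reviewer should check when a name turns out to be live.
REVIEW_HINTS = {
    "redirect": "check for open redirect",
    "debug": "check for verbose errors / debug mode",
    "file": "check for path traversal",
    "callback": "check for JSONP / reflected script",
}


def _reacts(baseline: str, names: List[str], send: Sender) -> bool:
    """Send one request carrying every candidate name with a unique canary
    value and report whether the response differs from the baseline."""
    params = {name: f"zap{i}" for i, name in enumerate(names)}
    return send(params) != baseline


def dig(wordlist: List[str], send: Sender, chunk_size: int = 64) -> Tuple[Dict[str, str], int]:
    """Binary-search hidden parameters.

    Candidates are sent in groups; a group whose response matches the baseline
    is discarded whole, a group that reacts is split in half and both halves
    are re-tested, down to single names. Returns ({name: hint}, request count).
    chunk_size should stay below the target's parameter limit, otherwise a
    silently truncated request hides real parameters.
    """
    baseline = send({})
    requests = 1
    # Guard: a baseline that changes between identical requests (timestamps,
    # CSRF tokens) would make every group "react"; real tools normalise that.
    requests += 1
    if send({}) != baseline:
        raise RuntimeError("baseline is not stable; normalise dynamic content first")

    found: Dict[str, str] = {}
    stack = [wordlist[i:i + chunk_size] for i in range(0, len(wordlist), chunk_size)]
    while stack:
        group = stack.pop()
        requests += 1
        if not _reacts(baseline, group, send):
            continue  # nothing in this group is live; drop all of it at once
        if len(group) == 1:
            found[group[0]] = REVIEW_HINTS.get(group[0], "unclassified; review manually")
            continue
        mid = len(group) // 2
        stack.append(group[:mid])
        stack.append(group[mid:])
    return found, requests


if __name__ == "__main__":
    hits, sent = dig(WORDLIST, simulated_app)
    print(f"{sent} requests for {len(WORDLIST)} candidates")
    for name, hint in sorted(hits.items()):
        print(f"  {name}: {hint}")
```

With 256 candidates and three live names the simulated run needs a few dozen requests instead of 256, which is the saving the comment relies on. Two caveats are built in: the baseline is fetched twice so that a page with dynamic content fails loudly instead of producing false positives, and the chunk size is kept small enough that the target's parameter-count limit is not hit, since a truncated request would silently hide a live name.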

More projects to be considered during research!! https://twitter.com/hahwul/status/1538539422437609472

ArkaprabhaChakraborty avatar Jun 19 '22 15:06 ArkaprabhaChakraborty

Thanks @hahwul!

ArkaprabhaChakraborty avatar Jun 19 '22 15:06 ArkaprabhaChakraborty

Another sort of list https://wordlists.assetnote.io/ :)

ArkaprabhaChakraborty avatar Jun 20 '22 10:06 ArkaprabhaChakraborty

7 PRs merged! More incoming! Woohoo! :)

ArkaprabhaChakraborty avatar Jul 05 '22 20:07 ArkaprabhaChakraborty

This may also provide some ideas: https://github.com/maK-/parameth

kingthorin avatar Jul 28 '22 15:07 kingthorin

Wow, this tool is OLD :). It uses python 2 :).

ArkaprabhaChakraborty avatar Jul 28 '22 16:07 ArkaprabhaChakraborty

So this one has deprecated hard :) and I can't set this project up :). Taking ideas from this would be a tough one since I can't tinker with it :). But I'll try :).

ArkaprabhaChakraborty avatar Jul 28 '22 16:07 ArkaprabhaChakraborty

I think their README includes details on using virtualenv, also there's a PR you could review/pull that adds a dockerized version.

Anyway don't get stuck on it, it just came up in my suggestions this morning so I passed it along.

kingthorin avatar Jul 28 '22 16:07 kingthorin

I had a glance through the code :) it was a short one so didn't take much time [compared to mine.. ahem ahem :)]. I can implement this as a final check if none of the dedicated guesses finds anything. Sort of like a final tactic hit.

ArkaprabhaChakraborty avatar Jul 28 '22 16:07 ArkaprabhaChakraborty

Can this issue be renamed to Param Digger? :) Since it's the primary issue I'm using for tracking :).

ArkaprabhaChakraborty avatar Aug 24 '22 19:08 ArkaprabhaChakraborty

I think this can be closed now. We can create a new tracker issue for Param Digger.

ArkaprabhaChakraborty avatar Jan 16 '23 13:01 ArkaprabhaChakraborty

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Apr 17 '23 01:04 github-actions[bot]