
inception's People

Contributors

darrenmartyn, pczajkowski, proabiral, random-robbie, renniepak


inception's Issues

HTTPS/HTTP

Any way to add a switch to try HTTPS as well, please?

Some servers are not open on port 80 but are on 443.

Also, a port switch could be handy 👍

Feature Request: Add ability to filter by response body size

Hello again, I'm wondering if anyone else would find it useful to be able to filter by response body size? checkSize could be used to show only the responses that are over X in length.

[
    {
        "vulnerability": "foo ",
        "method": "GET",
        "color": "red",
        "body": "",
        "endpoint": [
            "/foo"
        ],
        "headers": [],
        "checkIn": "responseBody",
        "statusCode": [ 404 ],
        "checkFor": "foo",
        "checkSize": 1000
    }
]
Issue Detected: Foo
Endpoint: /foo
responseBody contains: foo
Response Status Code: 404
Response Size: 4KB

Thank you for considering this.

statusCode in Beta branch is ignored?

Hi, I have a sample provider like so:

[
    {
        "vulnerability": "test",
        "method": "GET",
        "color": "red",
        "body": "",
        "endpoint": [
            "/913898237523.txt"
        ],
        "headers": [],
        "checkIn": "responseBody",
        "statusCode": 200,
        "checkFor": "this:&&&&that:"
    }
]

Inception returns this to me when it is completed:

Issue detected : test Domain: http://localhost/913898237523.txt response contains all check ; Endpoint: /913898237523.txt ; Method: GET ; Body:

However, when I check the server with curl, I see this:

Any thoughts on what is happening? Thank you.

Suggestion: mime type detection

Is it possible to add a check for a MIME type?

I've had a few ideas and think this would allow detecting a few things like zip/tar etc.

/metrics

Hi,

I do not know why I do not get a result from my script:

    {
      "vulnerability": "Metrics",
      "sendIn": "url",
      "payload": [
        "/metrics"
      ],
      "checkIn": "responseBody",
      "checkFor": "http_request_duration_seconds||||_reputation_requests_duration_",
      "color": "blue"
    }

the response in browser is:

# HELP http_request_duration_seconds duration histogram of http responses labeled with: status_code, method
# TYPE http_request_duration_seconds histogram
http_request_duration_seconds_bucket{le="0.003",status_code="200",method="GET"} 541149
http_request_duration_seconds_bucket{le="0.03",status_code="200",method="GET"} 563538
http_request_duration_seconds_bucket{le="0.1",status_code="200",method="GET"} 563726
http_request_duration_seconds_bucket{le="0.3",status_code="200",method="GET"} 563726
http_request_duration_seconds_bucket{le="1.5",status_code="200",method="GET"} 563727

but inception does not detect this /metrics.

Feature Request: Headless(?) mode

Hi, thanks for writing such a great tool. I was curious if it would be possible to have the ability to run inception in such a way as to only output the endpoint to a file without any other information?

I run inception like this now:
inception -noProgressBar -silent -d $domains -provider $provider &> file.log

Maybe the "headless" mode could work like :
inception -headless -d $domains -provider $provider -f file.log

Where file.log just contains one endpoint per line, no headers, no request body, no response body, no status code, etc.:

http://host1/xss">
http://host2/xss5>'
http://host3/sqli>`

This would in turn allow for the ability to use the "headless" output for other pen-testing tools such as EyeWitness, which expects a file with one URL per line. Thank you.

Feature Request: Flexible operators

Thank you again for this awesome tool 👍

I was wondering if we can use operators like greater than or less than in some checkers. For example, in response headers:
Content-Length > 2000
Content-Length <= 2000

Tool misses some positives

I've been using the tool for a while and have noticed that it fails to get some positives when domains and provider files are too big.

For example, for a provider file containing around 70 signatures and a domains file containing around 294 domains, it failed with at least 8 different positives.

I've attempted to run the tool decreasing the number of threads and increasing the timeout. Additionally I've included the https flag.

Based on the error I've obtained:

[Get https://xxx/yyyy: dial tcp: lookup xxx on zzzz: dial udp zzz: socket: too many open files]

I guess this would be related to the ulimit value configured in the server.
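The "socket: too many open files" error above is the process running out of file descriptors, which happens when the number of in-flight connections is not bounded by anything but the length of the domain list. The Go code below is an added example, not inception's own implementation: it shows the two controls a scanner needs so that the descriptor count stays under the ulimit regardless of input size, a counting semaphore that caps how many checks run at once, and a single shared http.Client whose transport caps connections per host and recycles idle ones. The ScanResult type, NewClient and RunBounded are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"sync/atomic"
	"time"
)

// ScanResult is a constructed stand-in for whatever a per-URL check yields.
type ScanResult struct {
	URL string
	OK  bool
}

// NewClient builds one http.Client to be shared by every worker. Creating a
// client (or transport) per request defeats connection reuse and leaves
// sockets open until the OS limit is hit; capping MaxConnsPerHost bounds the
// sockets a single slow host can consume.
func NewClient(maxConnsPerHost int, timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			MaxConnsPerHost:     maxConnsPerHost,
			MaxIdleConnsPerHost: maxConnsPerHost,
			MaxIdleConns:        maxConnsPerHost * 4,
			IdleConnTimeout:     30 * time.Second,
		},
	}
}

// MaxConnsPerHost reads the cap back from a client built by NewClient.
func MaxConnsPerHost(c *http.Client) int {
	if tr, ok := c.Transport.(*http.Transport); ok {
		return tr.MaxConnsPerHost
	}
	return 0
}

// RunBounded runs check over every URL with at most limit in flight at once.
// A buffered channel is the semaphore: a slot is taken before a goroutine
// starts and released when it finishes, so the number of concurrent checks
// (and therefore open sockets) can never exceed limit however long the list.
// Results come back in input order; the second value is the peak concurrency
// actually observed, useful for verifying the bound in a test.
func RunBounded(urls []string, limit int, check func(string) bool) ([]ScanResult, int32) {
	if limit < 1 {
		limit = 1
	}
	sem := make(chan struct{}, limit)
	results := make([]ScanResult, len(urls))
	var wg sync.WaitGroup
	var inFlight, peak int32

	for i, u := range urls {
		wg.Add(1)
		sem <- struct{}{} // blocks until a slot is free
		go func(i int, u string) {
			defer wg.Done()
			defer func() { <-sem }() // release the slot

			n := atomic.AddInt32(&inFlight, 1)
			for { // record the highest concurrency seen
				p := atomic.LoadInt32(&peak)
				if n <= p || atomic.CompareAndSwapInt32(&peak, p, n) {
					break
				}
			}
			results[i] = ScanResult{URL: u, OK: check(u)}
			atomic.AddInt32(&inFlight, -1)
		}(i, u)
	}
	wg.Wait()
	return results, atomic.LoadInt32(&peak)
}

func main() {
	client := NewClient(20, 10*time.Second)
	urls := []string{"http://example.invalid/a", "http://example.invalid/b"}
	res, peak := RunBounded(urls, 20, func(u string) bool {
		resp, err := client.Get(u)
		if err != nil {
			return false
		}
		defer resp.Body.Close() // always close, or the connection is never reused
		return resp.StatusCode == http.StatusOK
	})
	fmt.Println(res, "peak concurrency:", peak)
}
```

Two details matter as much as the limits: every response body must be closed (and, for reuse, drained) so the transport can return the connection to its pool, and the thread count passed on the command line should map onto the semaphore size rather than onto an unbounded set of goroutines.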

Feature Request: HEAD method

In some cases, I would like to check if a path exists without reading the full response body. With HEAD this can be achieved.
It would be great if you could implement it :)

Unable to update?

Not sure what is happening here, but trying to update inception using the usual method:

root@x1:~# go get -u github.com/proabiral/inception
go: finding github.com/proabiral/inception latest
go: downloading github.com/proabiral/inception v0.0.0-20191227134533-3b3e8dbfa6ad
go: extracting github.com/proabiral/inception v0.0.0-20191227134533-3b3e8dbfa6ad
go: finding golang.org/x/net latest
go: finding github.com/logrusorgru/aurora latest
# github.com/proabiral/inception
go/pkg/mod/github.com/proabiral/inception@v0.0.0-20191227134533-3b3e8dbfa6ad/main.go:175:30: gorequest.New().TLSClientConfig(&tls.Config literal).Timeout(time.Second * 10).Set("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36").CustomMethod(method, URL).CustomHeader undefined (type *gorequest.SuperAgent has no field or method CustomHeader)

I am using go1.13.5.linux-amd64.

Help wanted with regexCheck

Maybe I'm a dunce, but I can't get the regex checking to work. I want to alert on a responseBody that contains 920510 but not NoSuchKey. My provider:

"checkIn": "responseBody",
"checkFor": "^(?=.*?\\920510\\b)((?!NoSuchKey).)*$",
"regexCheck": true

The issue I'm having:

2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
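The errors above come from Go's regexp package, which implements RE2 and rejects lookahead and lookbehind ((?= and (?!). The rule the reporter wants, "contains 920510 as a whole token and does not contain NoSuchKey", does not need lookahead: it can be written as a list of patterns that must all match plus a list that must not match, combined in code. The Go code below is an added example and not inception's own checker; the RegexCheck type with its Require and Exclude fields is an assumption made for illustration. (Note also that \920510 is not a valid RE2 escape; the word boundary is \b920510\b.)

```go
package main

import (
	"fmt"
	"regexp"
)

// RegexCheck expresses "body must match all of Require and none of Exclude"
// using only RE2 syntax. Constructed for this example.
type RegexCheck struct {
	Require  []string // every pattern must match somewhere in the body
	Exclude  []string // no pattern may match anywhere in the body
	require  []*regexp.Regexp
	exclude  []*regexp.Regexp
	compiled bool
}

// Compile validates all patterns up front so a bad provider entry is
// reported once at load time rather than once per request.
func (c *RegexCheck) Compile() error {
	compile := func(pats []string) ([]*regexp.Regexp, error) {
		out := make([]*regexp.Regexp, 0, len(pats))
		for _, p := range pats {
			re, err := regexp.Compile(p)
			if err != nil {
				return nil, fmt.Errorf("pattern %q: %w", p, err)
			}
			out = append(out, re)
		}
		return out, nil
	}
	req, err := compile(c.Require)
	if err != nil {
		return err
	}
	exc, err := compile(c.Exclude)
	if err != nil {
		return err
	}
	c.require, c.exclude, c.compiled = req, exc, true
	return nil
}

// Matches reports whether body satisfies the check. An uncompiled check
// never matches, so a missed Compile call cannot produce false positives.
func (c *RegexCheck) Matches(body string) bool {
	if !c.compiled {
		return false
	}
	for _, re := range c.require {
		if !re.MatchString(body) {
			return false
		}
	}
	for _, re := range c.exclude {
		if re.MatchString(body) {
			return false
		}
	}
	return true
}

// BodyMatches is the reporter's intent in RE2 terms: 920510 as a whole
// token, and NoSuchKey absent.
func BodyMatches(body string) bool {
	c := &RegexCheck{Require: []string{`\b920510\b`}, Exclude: []string{`NoSuchKey`}}
	if err := c.Compile(); err != nil {
		panic(err) // the patterns are constants, so this cannot fail
	}
	return c.Matches(body)
}

// LookaheadRejected returns the error RE2 produces for a pattern, or nil
// when it compiles; it reproduces the message the reporter saw.
func LookaheadRejected(pattern string) error {
	_, err := regexp.Compile(pattern)
	return err
}

func main() {
	fmt.Println(LookaheadRejected(`^(?=.*?\b920510\b)((?!NoSuchKey).)*$`))
	fmt.Println(BodyMatches("<Key>920510</Key>"), BodyMatches("<Code>NoSuchKey</Code> 920510"))
}
```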

Feature request: ReGex compatibility instead of |||| and &&&&

Hey there,

I'm not sure if I have dreamed about this, or I read it somewhere else in this repository. But have you considered implementing regex support, other than using |||| and &&&&? The reason I'm asking for this enhancement is that signatures would be even more flexible and cover edge cases.

Thanks!

Feature request - url file

Hi mate, this tool is awesome! Thanks for coming up with something like that!

Would be good to use this tool to parse a url.txt.

I was thinking in something like, -url urls.txt.

By doing so, we don't have to worry about the protocol scheme (http/s), since the urls.txt file would contain a URL such as http://www.example.com:8080

Cheers

Beta: panic: runtime error: invalid memory address or nil pointer dereference

While using the following provider with the beta branch commit 077172:

[
    {
        "vulnerability": "CRLF",
        "method": "GET",
        "color": "yellow",
        "body": "",
        "endpoint": [
            "/%%0a0aSet-Cookie:crlf=injection",
            "/%0aSet-Cookie:crlf=injection",
            "/%0d%0aSet-Cookie:crlf=injection",
            "/%0dSet-Cookie:crlf=injection",
            "/%23%0aSet-Cookie:crlf=injection",
            "/%23%0d%0aSet-Cookie:crlf=injection",
            "/%23%0dSet-Cookie:crlf=injection",
            "/%25%30%61Set-Cookie:crlf=injection",
            "/%25%30aSet-Cookie:crlf=injection",
            "/%250aSet-Cookie:crlf=injection",
            "/%25250aSet-Cookie:crlf=injection",
            "/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection",
            "/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection",
            "/%2F..%0d%0aSet-Cookie:crlf=injection",
            "/%3f%0d%0aSet-Cookie:crlf=injection",
            "/%3f%0dSet-Cookie:crlf=injection",
            "/%u000aSet-Cookie:crlf=injection"
        ],
        "headers": [],
        "checkIn": "responseHeader",
        "checkFor": "Set-Cookie:crlf=injection||||Set-Cookie: crlf=injection"
    }
]

I see the following crash:

Reading Providers from list at /root/test.json
Reading Domains from list at /tmp/domains.txt
Running test cases against provided domains .....
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x67e232]

goroutine 48 [running]:
main.stringReplacer(0xc000090240, 0x30, 0xc000090240, 0x30, 0x9, 0xc0000960e0)
        /root/go/src/github.com/proabiral/inception/main.go:101 +0x52
main.request(0xc0000945e0, 0x9, 0xc000094598, 0x4, 0xc00009459c, 0x3, 0x0, 0x0, 0xc0000ba280, 0x11, ...)
        /root/go/src/github.com/proabiral/inception/main.go:133 +0x17c
main.main.func1(0xc00009a3c0, 0xc00006c0c0, 0xc0000945f0)
        /root/go/src/github.com/proabiral/inception/main.go:334 +0x14e
created by main.main
        /root/go/src/github.com/proabiral/inception/main.go:326 +0x666

I'm using go version go1.13.4 linux/amd64.

panic: runtime error: invalid memory address or nil pointer dereference

I just converted my old provider.json over to the new format (for the beta branch) and I'm running into this issue:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x67fe4c]

goroutine 28 [running]:
main.checker.func1()
        /root/go/src/github.com/proabiral/inception/main.go:193 +0xac
main.checker(0xc00001c030, 0x2d, 0x0, 0x0, 0x0, 0xc00009062c, 0x4, 0xc000090640, 0x3, 0x0, ...)
        /root/go/src/github.com/proabiral/inception/main.go:202 +0x214
main.request(0xc000090e50, 0x6, 0xc00009062c, 0x4, 0xc000090640, 0x3, 0x0, 0x0, 0xc0000b6280, 0x11, ...)
        /root/go/src/github.com/proabiral/inception/main.go:119 +0x53c
main.main.func1(0xc0000967e0, 0xc0000685a0, 0xc000090e60)
        /root/go/src/github.com/proabiral/inception/main.go:264 +0x14e
created by main.main
        /root/go/src/github.com/proabiral/inception/main.go:256 +0x666

This crash only happens with the beta branch, not the main branch. Still trying to figure out what is triggering this crash. Using Go 1.13.

big list not working

Hi,

I have inception working using LIST_1 with 100 URLs and the result is 2 issues. I tried inception using LIST_2 with 90k domains and the result is not the same, even though all 100 URLs in LIST_1 exist in LIST_2.

Feature Request: Add error handling for provider JSON

Hello and thank you again for this great tool. Would it be possible to add some error handling for the provider JSON file so that if there is an error like invalid character '[' in string escape code, it will print the line # of the JSON where the error occurred? This would be a great help for folks with extra-large provider files. Thank you.
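Go's encoding/json already records where a syntax error occurred: the *json.SyntaxError it returns carries a byte Offset, and converting that into a line and column is all the feature needs. The Go code below is an added example, not inception's own loader; the Provider struct is a constructed subset of the fields seen in the provider entries on this page, and LoadProviders and ErrorPosition are names assumed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Provider is a constructed subset of the provider entry format.
type Provider struct {
	Vulnerability string   `json:"vulnerability"`
	Method        string   `json:"method"`
	Endpoint      []string `json:"endpoint"`
	CheckIn       string   `json:"checkIn"`
	CheckFor      string   `json:"checkFor"`
}

// ErrorPosition converts the byte offset carried by *json.SyntaxError into a
// 1-based line and column. ok is false when err is not a syntax error (for
// example a type mismatch), because those errors carry no offset.
func ErrorPosition(data []byte, err error) (line, col int, ok bool) {
	var se *json.SyntaxError
	if !errors.As(err, &se) {
		return 0, 0, false
	}
	off := int(se.Offset)
	if off > len(data) {
		off = len(data)
	}
	line, col = 1, 1
	for _, b := range data[:off] {
		if b == '\n' {
			line++
			col = 1
		} else {
			col++
		}
	}
	return line, col, true
}

// LoadProviders parses a provider file and, on a syntax error, prefixes the
// message with the line and column so the user can go straight to the
// broken entry in a large file.
func LoadProviders(data []byte) ([]Provider, error) {
	var ps []Provider
	if err := json.Unmarshal(data, &ps); err != nil {
		if line, col, ok := ErrorPosition(data, err); ok {
			return nil, fmt.Errorf("provider file line %d, column %d: %w", line, col, err)
		}
		return nil, err
	}
	return ps, nil
}

func main() {
	// Constructed input containing the escape error quoted in the request.
	bad := []byte("[\n  {\n    \"vulnerability\": \"t\",\n    \"checkFor\": \"\\[\"\n  }\n]")
	_, err := LoadProviders(bad)
	fmt.Println(err)
}
```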

Feature request: Allow searching for files based upon the domain currently being scanned.

How feasible would it be to add support for something like this?

Let's say I want to test for a file that is named like the domain I'm scanning, for example I'm looking at google.com, so the test would be formatted like so:

[
    {
        "vulnerability": "file_check",
        "sendIn": "url",
        "color": "yellow",
        "payload": [
            "$domain.zip"
        ],
        "checkIn": "responseHeader",
        "checkFor": "Content-Type: binary/octet-stream"
    }
]

And so for each domain in the list, $domain.zip could be google.zip, facebook.zip, yahoo.zip, etc. Similarly $fqdn.zip could be returned as google.com.zip or www.google.com.zip depending on what the researcher wants. Thanks for taking a look.
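A placeholder like $domain has to be derived from each target before the request is built, and a few inputs need care: the host may carry a port, or be an IP literal with no labels at all. The Go code below is an added example and not a feature of inception; ExpandPayload and TargetNames are assumed names. Without a public suffix list the example takes $domain as the label before the last one, which gives google for both google.com and www.google.com as the request describes, but would give co for example.co.uk; that is a known limitation of this simplification.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// TargetNames derives the two placeholder values from a target URL:
// $fqdn is the full host name with any port removed, and $domain is the
// label just before the last one (an approximation without a public suffix
// list). IP literals have no labels, so both values are the address itself.
func TargetNames(raw string) (fqdn, domain string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	host := u.Hostname() // strips :port and IPv6 brackets
	if host == "" {
		return "", "", fmt.Errorf("no host in %q", raw)
	}
	if net.ParseIP(host) != nil {
		return host, host, nil
	}
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	domain = labels[0]
	if len(labels) >= 2 {
		domain = labels[len(labels)-2]
	}
	return host, domain, nil
}

// ExpandPayload substitutes $fqdn and $domain in one payload string for the
// given target. Unknown $ sequences are left untouched so existing payloads
// containing a literal dollar sign keep working.
func ExpandPayload(payload, target string) (string, error) {
	fqdn, domain, err := TargetNames(target)
	if err != nil {
		return "", err
	}
	return strings.NewReplacer("$fqdn", fqdn, "$domain", domain).Replace(payload), nil
}

func main() {
	for _, target := range []string{"http://www.google.com:8080/", "https://google.com", "http://10.0.0.1/"} {
		p, err := ExpandPayload("$domain.zip", target)
		f, _ := ExpandPayload("$fqdn.zip", target)
		fmt.Println(target, "->", p, f, err)
	}
}
```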

identify swagger endpoint

Hi,

I have this code:

    {
        "vulnerability": "Swagger API Panel",
        "method": "GET",
        "color": "blue",
        "body": "",
        "endpoint": [
            "/swagger/index.html",
            "/swagger-ui.html",
            "/swagger/swagger-ui.html",
            "/api/swagger-ui.html",
            "/api-docs/swagger.json",
            "/swagger.json",
            "/swagger/v1/swagger.json",
            "/docs",
            "/docs/"
        ],
        "headers": [],
        "checkIn": "responseBody",
        "checkFor": "<title>Swagger UI"
    }

and I have an endpoint vulnerable: https://xxx.com/docs/

when I access this endpoint the response is:

<!-- HTML for static distribution bundle build -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Swagger UI</title>
  <link href="//fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700" rel="stylesheet">
  <link rel="stylesheet" type="text/css" href="swagger-ui.css">
  <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
  <link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
  <style>

I would like to know why inception cannot detect it.

Note: the Swagger UI is only available at /docs/ and not at /docs.

Progress bar never reaches 100%

I'm digging the new progress bar, it's pretty snazzy. However, I've yet to see it reach 100% before inception stops running.

! inception queue holds 7 unique domains !
537 / 1358 [--------------------->________________________________] 39.54% 34 p/s 16s
Scan complete.
! inception queue holds 1383 unique domains !
96810 / 268302 [---------------->______________________________] 36.08% 1554 p/s 1m3s
Nothing found.
! inception queue holds 69 unique domains !
5579 / 13386 [--------------------->_____________________________] 41.68% 89 p/s 1m3s
Nothing found.
! inception queue holds 156 unique domains !
15735 / 30264 [------------------------>_______________________] 51.99% 213 p/s 1m14s
Nothing found.

Also, would it be possible to have a way to disable the progress bar? Otherwise, piping or redirecting inception's output to a file or whatever fills it with progress bar output. Thank you.

Feature Request: Add list to not print issue

I have a lot of endpoints in my list and I run inception every X hours. I would like to request a feature where I can set a list (endpoints that I reported or that are false positives) so that inception will not detect/show an endpoint that is in the list.

Feature request: POST vs GET

Would it be feasible to add a command line switch like -post so that it sends POST requests instead of GET requests? Thank you.

Feature request: Ability to use multiple provider files.

Hi, thank you for a great tool. I would like to know if it would be possible to add the ability to specify a list of providers via the command line instead of being restricted to a single monolithic file?

inception -silent -providers xss.json sqli.json rce.json -d domains.txt

Or maybe the ability to specify a directory full of json files?

inception -silent -providers $HOME/providers/ -d domains.txt

Feature Request: check both the body and headers together?

Would it be possible to check both the responseHeader and the responseBody with the same provider like so?

[
    {
        "vulnerability": "test",
        "method": "GET",
        "color": "blue",
        "body": "",
        "endpoint": [
            "/test"
        ],
        "headers": [],
        "checkHeader": "Last-Modified&&&&2020",
        "checkBody": "this||||that||||the other",
        "contentLength": {
            "operator": ">",
            "length": 10000
        },
        "statusCode": [
            200
        ],
        "regexCheck": false
    }
]
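The proposed entry above, the checkSize field from the body-size request, and the Content-Length > 2000 shorthand from the operators request all reduce to the same two checks: is the status code in an allowed list, and does the body length satisfy a comparison. The Go code below is an added example, not inception's own matching code; Check, LengthRule, ParseLengthRule and ParseCheck are assumed names, and the JSON tags follow the field names proposed on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// LengthRule mirrors the proposed {"operator": ">", "length": 10000} object.
type LengthRule struct {
	Operator string `json:"operator"`
	Length   int    `json:"length"`
}

// Check is the subset of a provider entry these comparisons need.
type Check struct {
	Vulnerability string      `json:"vulnerability"`
	StatusCodes   []int       `json:"statusCode"`
	ContentLength *LengthRule `json:"contentLength"` // nil: no length constraint
	CheckSize     int         `json:"checkSize"`     // >0: body must exceed this many bytes
}

// compare evaluates "have <op> want" for the operators the requests mention.
func compare(have int, op string, want int) (bool, error) {
	switch strings.TrimSpace(op) {
	case ">":
		return have > want, nil
	case ">=":
		return have >= want, nil
	case "<":
		return have < want, nil
	case "<=":
		return have <= want, nil
	case "==", "=":
		return have == want, nil
	case "!=":
		return have != want, nil
	}
	return false, fmt.Errorf("unknown operator %q", op)
}

// ParseLengthRule accepts the header-style shorthand "Content-Length > 2000"
// and rejects unknown operators at load time rather than per request.
func ParseLengthRule(expr string) (LengthRule, error) {
	f := strings.Fields(expr)
	if len(f) != 3 || !strings.EqualFold(f[0], "Content-Length") {
		return LengthRule{}, fmt.Errorf("expected \"Content-Length <op> <n>\", got %q", expr)
	}
	if _, err := compare(0, f[1], 0); err != nil {
		return LengthRule{}, err
	}
	n, err := strconv.Atoi(f[2])
	if err != nil {
		return LengthRule{}, fmt.Errorf("bad length in %q: %w", expr, err)
	}
	return LengthRule{Operator: f[1], Length: n}, nil
}

// ParseCheck decodes one provider entry written in the proposed format.
func ParseCheck(data []byte) (Check, error) {
	var c Check
	err := json.Unmarshal(data, &c)
	return c, err
}

// Matches reports whether a response with this status and body length
// satisfies the check. Status is compared against a list so one entry can
// accept 200, 301 and 302 while staying silent on 404. bodyLen should be the
// number of bytes actually read, not the Content-Length header: chunked or
// compressed responses may omit or misstate the header.
func (c Check) Matches(status, bodyLen int) (bool, error) {
	if len(c.StatusCodes) > 0 {
		found := false
		for _, s := range c.StatusCodes {
			if s == status {
				found = true
				break
			}
		}
		if !found {
			return false, nil
		}
	}
	if c.CheckSize > 0 && bodyLen <= c.CheckSize {
		return false, nil
	}
	if c.ContentLength != nil {
		return compare(bodyLen, c.ContentLength.Operator, c.ContentLength.Length)
	}
	return true, nil
}
```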

Hogging bandwidth

Hi @proabiral, thank you for this great tool. I'm having one issue: inception hogs all the bandwidth even when the threads are set between 10 and 20.

Provider.json need fixing

I guess your latest commit on 10 December has corrupted the provider.json. You need to revert that back.
Great tool btw.
I really enjoyed it.

Feature Request - Response Code Checking

Hi mate,

Another good feature would be to check for the status code as well. Some vulns return 200 and some 201.

Is that easy to implement in the code and HTML file?

Cheers

Beta output does not show header information

So I have an XSS provider setup that hits the / endpoint but also tests 15 different HTTP headers, however, when inception runs, the output doesn't show which header triggered the hit, making it difficult to track down how to reproduce it:

Issue detected : XSS_199 Domain: http://localhost/ response contains <script src=//blah.blah></script> ; Endpoint: / ; Method: GET ; Body:

Feature request: Ignore certain headers

I'm curious if it would be feasible to add an option to ignore certain headers? Like for instance if I'm searching for HTTP Response Smuggling, I'm not really interested in the location or the x-amz-error-detail-key headers. Thank you.

Cannot run it on debian

I installed golang and ran the go get github.com/proabiral/inception command.
How do I run the inception command?
A normal run says: inception -h
-bash: inception: command not found

panic: runtime error: index out of range

Reading Providers from list at /root/src/github.com/proabiral/inception/provider.json
Reading Domains from list at /root/src/github.com/proabiral/inception/domains.txt
Running test cases against provided domains ..... 
Issue detected : Web/Meta XML http://twitter.com/WEB-INF/web.xml response contains application/xml
panic: runtime error: index out of range

goroutine 5 [running]:
main.request(0xc000018b50, 0xb, 0xc0000185a0, 0x9, 0xc0000185aa, 0x6, 0xc000052380, 0x3, 0x4, 0xc0000185c0, ...)
        /root/src/github.com/proabiral/inception/main.go:131 +0xb18
main.main.func1(0xc0000544e0, 0xc00005e300, 0xc000018b90)
        /root/src/github.com/proabiral/inception/main.go:275 +0x14e
created by main.main
        /root/src/github.com/proabiral/inception/main.go:267 +0x53a

The only thing that changed is the provider.json, but I always keep getting this. Any ideas? It's valid JSON.

Question about statusCode handling in beta branch

Is it currently possible to define more than one statusCode per provider? Say I want to get an alert if there is a 200, 301, 302, but no alerts for 404. If not, could this feature be added in a future release? Thank you.

attempting to install inception results in validator.v10 error

Facing the following error when attempting to install inception

root@fb7fe89f075c:/recon# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal
root@fb7fe89f075c:/recon# go version
go version go1.16.3 linux/amd64
root@fb7fe89f075c:/recon# go get github.com/proabiral/inception
go: downloading github.com/proabiral/inception v0.0.0-20200712135115-94a86ad61254
go: downloading github.com/cheggaaa/pb v1.0.29
go: downloading github.com/cheggaaa/pb/v3 v3.0.8
go: downloading gopkg.in/go-playground/validator.v10 v10.5.0
go: downloading github.com/proabiral/gorequest v0.2.15
go get: gopkg.in/go-playground/validator.v10@none updating to
	gopkg.in/go-playground/validator.v10@v10.5.0: parsing go.mod:
	module declares its path as: github.com/go-playground/validator/v10
	        but was required as: gopkg.in/go-playground/validator.v10

Possible error location:

"gopkg.in/go-playground/validator.v10"

Suggested fix: use github.com/go-playground/validator/v10 instead of gopkg.in/go-playground/validator.v10

Reference for fix: go-playground/validator#555
