proabiral / inception
A highly configurable Framework for easy automated web scanning
Any way to add a switch to try https as well, please?
Some servers are not open on port 80 but are on 443.
Also a port switch could be handy.
Hello again, I'm wondering if anyone else would find it useful to be able to filter by response body size? checkSize could be used to show only the responses that are over X in length.
[
{
"vulnerability": "foo ",
"method": "GET",
"color": "red",
"body": "",
"endpoint": [
"/foo"
],
"headers": [],
"checkIn": "responseBody",
"statusCode": [ 404 ],
"checkFor": "foo",
"checkSize": 1000
}
]
Issue Detected: Foo
Endpoint: /foo
responseBody contains: foo
Response Status Code: 404
Response Size: 4KB
Thank you for considering this.
Hi, I have a sample provider like so:
[
{
"vulnerability": "test",
"method": "GET",
"color": "red",
"body": "",
"endpoint": [
"/913898237523.txt"
],
"headers": [],
"checkIn": "responseBody",
"statusCode": 200,
"checkFor": "this:&&&&that:"
}
]
Inception returns this to me when it is completed:
Issue detected : test Domain: http://localhost/913898237523.txt response contains all check ; Endpoint: /913898237523.txt ; Method: GET ; Body:
However, when I check the server with curl, I see this:
curl -I http://localhost/913898237523.txt
HTTP/1.1 301 Moved Permanently
Location: https://localhost//913898237523.txt
curl -I https://localhost/913898237523.txt
HTTP/1.1 404 Not Found
Any thoughts on what is happening? Thank you.
Is it possible to add a check for a MIME type?
I've had a few ideas and think this would allow detecting a few things like zip/tar etc.
Since we don't have to reinvent the wheel, perhaps allow the use/transformation for dirbuster directory listing files.
Hey dude,
Another little idea: Slack notification when it finds things. I think this should be rather easy to implement.
Hi,
I do not know why I get no result from my script:
{
"vulnerability": "Metrics",
"sendIn": "url",
"payload": [
"/metrics"
],
"checkIn": "responseBody",
"checkFor": "http_request_duration_seconds||||_reputation_requests_duration_",
"color": "blue"
}
the response in browser is:
# HELP http_request_duration_seconds duration histogram of http responses labeled with: status_code, method
# TYPE http_request_duration_seconds histogram
http_request_duration_seconds_bucket{le="0.003",status_code="200",method="GET"} 541149
http_request_duration_seconds_bucket{le="0.03",status_code="200",method="GET"} 563538
http_request_duration_seconds_bucket{le="0.1",status_code="200",method="GET"} 563726
http_request_duration_seconds_bucket{le="0.3",status_code="200",method="GET"} 563726
http_request_duration_seconds_bucket{le="1.5",status_code="200",method="GET"} 563727
but inception does not detect this /metrics.
Hi, thanks for writing such a great tool. I was curious if it would be possible to have the ability to run inception in such a way as to only output the endpoint to a file without any other information?
I run inception like this now:
inception -noProgressBar -silent -d $domains -provider $provider &> file.log
Maybe the "headless" mode could work like:
inception -headless -d $domains -provider $provider -f file.log
Where file.log just contains one endpoint per line, no headers, no request body, no response body, no status code, etc:
http://host1/xss">
http://host2/xss5>'
http://host3/sqli>`
This would in turn allow for the ability to use the "headless" output for other pen-testing tools such as EyeWitness which expects a file with one url per line. Thank you.
Hello, and thank you for continuing to support this great piece of software. I'm curious if it would be possible to add the ability to configure and execute "helper scripts" when an issue is detected? For example, during an XSS scan, maybe I'd like to call something like https://github.com/sensepost/gowitness when the issue is detected rather than later on after the scan has already concluded.
Thank you again for this awesome tool.
I was wondering if we can use operators like greater than or less than in some checkers, for example in response headers:
Content-Length > 2000
Content-Length <= 2000
I've been using the tool for a while and have noticed that it fails to get some positives when domains and provider files are too big.
For example, for a provider file containing around 70 signatures and a domains file containing around 294 domains, it failed with at least 8 different positives.
I've attempted to run the tool decreasing the number of threads and increasing the timeout. Additionally I've included the https flag.
Based on the error I've obtained:
[Get https://xxx/yyyy: dial tcp: lookup xxx on zzzz: dial udp zzz: socket: too many open files]
I guess this would be related to the ulimit value configured in the server.
In some cases I would like to check if a path exists without reading the full response body. With HEAD this can be achieved.
Would be great if you could implement it :)
Not sure what is happening here, but trying to update inception using the usual method:
root@x1:~# go get -u github.com/proabiral/inception
go: finding github.com/proabiral/inception latest
go: downloading github.com/proabiral/inception v0.0.0-20191227134533-3b3e8dbfa6ad
go: extracting github.com/proabiral/inception v0.0.0-20191227134533-3b3e8dbfa6ad
go: finding golang.org/x/net latest
go: finding github.com/logrusorgru/aurora latest
# github.com/proabiral/inception
go/pkg/mod/github.com/proabiral/inception@v0.0.0-20191227134533-3b3e8dbfa6ad/main.go:175:30: gorequest.New().TLSClientConfig(&tls.Config literal).Timeout(time.Second * 10).Set("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36").CustomMethod(method, URL).CustomHeader undefined (type *gorequest.SuperAgent has no field or method CustomHeader)
I am using go1.13.5.linux-amd64.
Hello,
can I add a custom user-agent?
Thx
Maybe I'm a dunce, but I can't get the regex checking to work. I want to alert on a responseBody that contains 920510 but not NoSuchKey. My provider:
"checkIn": "responseBody",
"checkFor": "^(?=.*?\\920510\\b)((?!NoSuchKey).)*$",
"regexCheck": true
The issue I'm having:
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
2020/03/11 19:51:18 error parsing regexp: invalid or unsupported Perl syntax: `(?=`
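The error above comes from Go's regexp package, which is RE2-based and has no lookahead, so `(?=` and `(?!` never compile. The following is an added example (not inception's own code) showing the same "contains 920510 but not NoSuchKey" rule expressed as two plain RE2 patterns combined in Go; `BodyCheck` and its helpers are hypothetical names for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// CompileErr returns the compile error for a pattern. Under RE2 a lookahead
// such as "(?=" produces "invalid or unsupported Perl syntax", as in the issue.
func CompileErr(pattern string) error {
	_, err := regexp.Compile(pattern)
	return err
}

// BodyCheck is "must contain all of these, none of those" without lookahead:
// each clause is an ordinary RE2 pattern and the combination happens in Go,
// which is also how the existing &&&& / |||| operators behave.
type BodyCheck struct {
	mustMatch    []*regexp.Regexp
	mustNotMatch []*regexp.Regexp
}

// NewBodyCheck compiles both clause lists up front so a bad pattern is
// reported once at provider load time rather than on every response.
func NewBodyCheck(must, mustNot []string) (*BodyCheck, error) {
	c := &BodyCheck{}
	for _, p := range must {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("must-match %q: %w", p, err)
		}
		c.mustMatch = append(c.mustMatch, re)
	}
	for _, p := range mustNot {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("must-not-match %q: %w", p, err)
		}
		c.mustNotMatch = append(c.mustNotMatch, re)
	}
	return c, nil
}

// Matches is true only when every must-match pattern hits the body and no
// must-not-match pattern does.
func (c *BodyCheck) Matches(body string) bool {
	for _, re := range c.mustMatch {
		if !re.MatchString(body) {
			return false
		}
	}
	for _, re := range c.mustNotMatch {
		if re.MatchString(body) {
			return false
		}
	}
	return true
}
```

Note that `\b920510\b` uses a word boundary, so a body containing `9205100` does not match.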
Hey there,
I'm not sure if I have dreamed about this, or I read it somewhere else in this repository. But have you considered implementing regex support, other than using |||| and &&&&? The reason I'm asking for this enhancement is that signatures would be even more flexible and cover edge cases.
Thanks!
Hi mate, this tool is awesome! Thanks for coming up with something like that!
It would be good to use this tool to parse a url.txt.
I was thinking of something like -url urls.txt.
By doing so, we don't have to worry about the protocol scheme (http/s), since the urls.txt file would contain a URL such as http://www.example.com:8080
Cheers
While using the following provider with the beta branch commit 077172:
[
{
"vulnerability": "CRLF",
"method": "GET",
"color": "yellow",
"body": "",
"endpoint": [
"/%%0a0aSet-Cookie:crlf=injection",
"/%0aSet-Cookie:crlf=injection",
"/%0d%0aSet-Cookie:crlf=injection",
"/%0dSet-Cookie:crlf=injection",
"/%23%0aSet-Cookie:crlf=injection",
"/%23%0d%0aSet-Cookie:crlf=injection",
"/%23%0dSet-Cookie:crlf=injection",
"/%25%30%61Set-Cookie:crlf=injection",
"/%25%30aSet-Cookie:crlf=injection",
"/%250aSet-Cookie:crlf=injection",
"/%25250aSet-Cookie:crlf=injection",
"/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection",
"/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection",
"/%2F..%0d%0aSet-Cookie:crlf=injection",
"/%3f%0d%0aSet-Cookie:crlf=injection",
"/%3f%0dSet-Cookie:crlf=injection",
"/%u000aSet-Cookie:crlf=injection"
],
"headers": [],
"checkIn": "responseHeader",
"checkFor": "Set-Cookie:crlf=injection||||Set-Cookie: crlf=injection"
}
]
I see the following crash:
Reading Providers from list at /root/test.json
Reading Domains from list at /tmp/domains.txt
Running test cases against provided domains .....
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x67e232]
goroutine 48 [running]:
main.stringReplacer(0xc000090240, 0x30, 0xc000090240, 0x30, 0x9, 0xc0000960e0)
/root/go/src/github.com/proabiral/inception/main.go:101 +0x52
main.request(0xc0000945e0, 0x9, 0xc000094598, 0x4, 0xc00009459c, 0x3, 0x0, 0x0, 0xc0000ba280, 0x11, ...)
/root/go/src/github.com/proabiral/inception/main.go:133 +0x17c
main.main.func1(0xc00009a3c0, 0xc00006c0c0, 0xc0000945f0)
/root/go/src/github.com/proabiral/inception/main.go:334 +0x14e
created by main.main
/root/go/src/github.com/proabiral/inception/main.go:326 +0x666
I'm using go version go1.13.4 linux/amd64.
I just converted my old provider.json over to the new format (for the beta branch) and I'm running into this issue:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x67fe4c]
goroutine 28 [running]:
main.checker.func1()
/root/go/src/github.com/proabiral/inception/main.go:193 +0xac
main.checker(0xc00001c030, 0x2d, 0x0, 0x0, 0x0, 0xc00009062c, 0x4, 0xc000090640, 0x3, 0x0, ...)
/root/go/src/github.com/proabiral/inception/main.go:202 +0x214
main.request(0xc000090e50, 0x6, 0xc00009062c, 0x4, 0xc000090640, 0x3, 0x0, 0x0, 0xc0000b6280, 0x11, ...)
/root/go/src/github.com/proabiral/inception/main.go:119 +0x53c
main.main.func1(0xc0000967e0, 0xc0000685a0, 0xc000090e60)
/root/go/src/github.com/proabiral/inception/main.go:264 +0x14e
created by main.main
/root/go/src/github.com/proabiral/inception/main.go:256 +0x666
This crash only happens with the beta branch, not the main branch. Still trying to figure out what is triggering this crash. Using Go 1.13.
Hi,
I have inception working using a LIST_1 with 100 URLs and the result is 2 issues. I tried inception using a LIST_2 with 90k domains and the result is not the same; all 100 URLs in LIST_1 exist in LIST_2.
Hello and thank you again for this great tool. Would it be possible to add some error handling for the provider JSON file so that if there is an error like invalid character '[' in string escape code, it will print the line # of the JSON where the error occurred? This would be a great help for folks with extra-large provider files. Thank you.
How feasible would it be to add support for something like this?
Let's say I want to test for a file that is named like the domain I'm scanning, for example I'm looking at google.com, so the test would be formatted like so:
[
{
"vulnerability": "file_check",
"sendIn": "url",
"color": "yellow",
"payload": [
"$domain.zip"
],
"checkIn": "responseHeader",
"checkFor": "Content-Type: binary/octet-stream"
}
]
And so for each domain in the list, $domain.zip could be google.zip, facebook.zip, yahoo.zip, etc. Similarly $fqdn.zip could be returned as google.com.zip or www.google.com.zip depending on what the researcher wants. Thanks for taking a look.
Hi,
I have this code:
{
"vulnerability": "Swagger API Panel",
"method": "GET",
"color": "blue",
"body": "",
"endpoint": [
"/swagger/index.html",
"/swagger-ui.html",
"/swagger/swagger-ui.html",
"/api/swagger-ui.html",
"/api-docs/swagger.json",
"/swagger.json",
"/swagger/v1/swagger.json",
"/docs",
"/docs/"
],
"headers": [],
"checkIn": "responseBody",
"checkFor": "<title>Swagger UI"
}
and I have a vulnerable endpoint: https://xxx.com/docs/
When I access this endpoint the response is:
<!-- HTML for static distribution bundle build -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Swagger UI</title>
<link href="//fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="swagger-ui.css">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
I would like to know why inception cannot detect it.
Obs: the swagger is only available at /docs/ and not at /docs.
I'm digging the new progress bar, it's pretty snazzy. However, I've yet to see it reach 100% before inception stops running.
! inception queue holds 7 unique domains !
537 / 1358 [--------------------->________________________________] 39.54% 34 p/s 16s
Scan complete.
! inception queue holds 1383 unique domains !
96810 / 268302 [---------------->______________________________] 36.08% 1554 p/s 1m3s
Nothing found.
! inception queue holds 69 unique domains !
5579 / 13386 [--------------------->_____________________________] 41.68% 89 p/s 1m3s
Nothing found.
! inception queue holds 156 unique domains !
15735 / 30264 [------------------------>_______________________] 51.99% 213 p/s 1m14s
Nothing found.
Also, would it be possible to have a way to disable the progress bar? Otherwise piping or redirecting inceptions output to a file or whatever is full of progress bar output. Thank you.
I have a lot of endpoints in my list and I run inception every X hours. I would like to request a feature where I can set a list (endpoints that I have reported or that are false positives) so that inception will not detect/show an endpoint that is inside the list.
Would it be feasible to add a command line switch like -post so that it sends POST requests instead of GET requests? Thank you.
Hi, thank you for a great tool. I would like to know if it would be possible to add the ability to specify a list of providers via the command line instead of being restricted to a single monolithic file?
inception -silent -providers xss.json sqli.json rce.json -d domains.txt
Or maybe the ability to specify a directory full of json files?
inception -silent -providers $HOME/providers/ -d domains.txt
Parsing of URL fails when space is present at the end of domain being passed.
parse http://foobar.com /test.txt: invalid character " " in host name
Would it be possible to check both the responseHeader and the responseBody with the same provider like so?
[
{
"vulnerability": "test",
"method": "GET",
"color": "blue",
"body": "",
"endpoint": [
"/test"
],
"headers": [],
"checkHeader": "Last-Modified&&&&2020",
"checkBody": "this||||that|||the other",
"contentLength": {
"operator": ">",
"length": 10000
},
"statusCode": [
200
],
"regexCheck": false
}
]
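The `contentLength` object proposed above, the `checkSize` filter and the `Content-Length > 2000` operator request earlier on this page all come down to comparing a measured response size against a threshold with an operator. The following is an added example (not inception's own code) of such a check in Go; `SizeCheck`, `BodySize` and the raw HTTP responses used to exercise it are hypothetical, constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// SizeCheck mirrors the proposed "contentLength" provider object.
type SizeCheck struct {
	Operator string `json:"operator"`
	Length   int    `json:"length"`
}

// Matches evaluates a response size against the operator. An unknown operator
// is an error, not a silent false, so a typo in a provider does not quietly disable the check.
func (c SizeCheck) Matches(size int) (bool, error) {
	switch c.Operator {
	case ">":
		return size > c.Length, nil
	case ">=":
		return size >= c.Length, nil
	case "<":
		return size < c.Length, nil
	case "<=":
		return size <= c.Length, nil
	case "==":
		return size == c.Length, nil
	case "!=":
		return size != c.Length, nil
	}
	return false, fmt.Errorf("contentLength: unknown operator %q", c.Operator)
}

// BodySize counts the bytes actually received rather than trusting the
// Content-Length header, which is absent on chunked responses.
func BodySize(resp *http.Response) (int, error) {
	defer resp.Body.Close()
	n, err := io.Copy(io.Discard, resp.Body)
	return int(n), err
}

// ParseSizeCheck pulls the contentLength object out of a provider entry.
func ParseSizeCheck(providerJSON string) (SizeCheck, error) {
	var p struct {
		ContentLength SizeCheck `json:"contentLength"`
	}
	err := json.Unmarshal([]byte(providerJSON), &p)
	return p.ContentLength, err
}

// ReadRawResponse parses a captured HTTP response (constructed sample input).
func ReadRawResponse(raw string) (*http.Response, error) {
	return http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
}

// SampleProvider is a constructed provider fragment: flag bodies over 1000 bytes.
const SampleProvider = `{"contentLength": {"operator": ">", "length": 1000}}`
```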
Hi @proabiral, thank you for this great tool. I am having one issue: Inception hogs all the bandwidth even when the threads are set between 10-20.
I guess your latest commit on 10 December has corrupted the provider.json. You need to revert that back.
Great tool btw.
I really enjoyed it.
Hi mate,
Another good feature would be to check for the status code as well. Some vulns return 200 and some 201.
Is that easy to implement in the code and html file?
Cheers
So I have an XSS provider setup that hits the / endpoint but also tests 15 different HTTP headers, however, when inception runs, the output doesn't show which header triggered the hit, making it difficult to track down how to reproduce it:
Issue detected : XSS_199 Domain: http://localhost/ response contains <script src=//blah.blah></script> ; Endpoint: / ; Method: GET ; Body:
I'm curious if it would be feasible to add an option to ignore certain headers? For instance, if I'm searching for HTTP Response Smuggling, I'm not really interested in the location or the x-amz-error-detail-key headers. Thank you.
I installed golang and ran the go get github.com/proabiral/inception command.
How do I run the inception command?
A normal run says: inception -h
-bash: inception: command not found
Reading Providers from list at /root/src/github.com/proabiral/inception/provider.json
Reading Domains from list at /root/src/github.com/proabiral/inception/domains.txt
Running test cases against provided domains .....
Issue detected : Web/Meta XML http://twitter.com/WEB-INF/web.xml response contains application/xml
panic: runtime error: index out of range
goroutine 5 [running]:
main.request(0xc000018b50, 0xb, 0xc0000185a0, 0x9, 0xc0000185aa, 0x6, 0xc000052380, 0x3, 0x4, 0xc0000185c0, ...)
/root/src/github.com/proabiral/inception/main.go:131 +0xb18
main.main.func1(0xc0000544e0, 0xc00005e300, 0xc000018b90)
/root/src/github.com/proabiral/inception/main.go:275 +0x14e
created by main.main
/root/src/github.com/proabiral/inception/main.go:267 +0x53a
The only thing changed is the provider.json, but I always keep getting this. Any ideas? It's valid JSON.
Is it currently possible to define more than one statusCode per provider? Say I want to get an alert if there is a 200, 301, 302, but no alerts for 404. If not, could this feature be added in a future release? Thank you.
Facing the following error when attempting to install inception
root@fb7fe89f075c:/recon# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
root@fb7fe89f075c:/recon# go version
go version go1.16.3 linux/amd64
root@fb7fe89f075c:/recon# go get github.com/proabiral/inception
go: downloading github.com/proabiral/inception v0.0.0-20200712135115-94a86ad61254
go: downloading github.com/cheggaaa/pb v1.0.29
go: downloading github.com/cheggaaa/pb/v3 v3.0.8
go: downloading gopkg.in/go-playground/validator.v10 v10.5.0
go: downloading github.com/proabiral/gorequest v0.2.15
go get: gopkg.in/go-playground/validator.v10@none updating to
gopkg.in/go-playground/validator.v10@v10.5.0: parsing go.mod:
module declares its path as: github.com/go-playground/validator/v10
but was required as: gopkg.in/go-playground/validator.v10
Possible error location:
Line 15 in 94a86ad
Suggested Fix: use github.com/go-playground/validator/v10 instead gopkg.in/go-playground/validator.v10
Reference for fix: go-playground/validator#555