Dev -> Stable 2.8.3

.github/workflows/distro_tests.yml

@@ -30,7 +30,7 @@ jobs:
             elif [ "$ID" = "arch" ]; then
               pacman -Syu --noconfirm curl docker git bash base-devel
             elif [ "$ID" = "fedora" ]; then
-              dnf install -y curl docker git bash gcc make openssl-devel bzip2-devel libffi-devel zlib-devel xz-devel tk-devel gdbm-devel readline-devel sqlite-devel python3-libdnf5
+              dnf install -y curl docker git bash gcc make patch p7zip p7zip-plugins openssl-devel bzip2-devel libffi-devel zlib-devel xz-devel tk-devel gdbm-devel readline-devel sqlite-devel python3-libdnf5
             elif [ "$ID" = "gentoo" ]; then
               echo "media-libs/libglvnd X" >> /etc/portage/package.use/libglvnd
               emerge-webrsync

bbot/core/helpers/interactsh.py

@@ -234,7 +234,9 @@ async def poll(self):
 
         try:
             r = await self.parent_helper.request(
-                f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}", headers=headers
+                f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}",
+                headers=headers,
+                timeout=15,
             )
             if r is None:
                 raise InteractshError("Error polling interact.sh: No response from server")
@@ -294,7 +296,7 @@ def _decrypt(self, aes_key, data):
         Decrypts and returns the data received from the interact.sh server.
 
         Uses RSA and AES for decrypting the data. RSA with PKCS1_OAEP and SHA256 is used to decrypt the AES key,
-        and then AES (CFB mode) is used to decrypt the actual data payload.
+        and then AES (CTR mode) is used to decrypt the actual data payload.
 
         Parameters:
             aes_key (str): The AES key for decryption, encrypted with RSA and base64 encoded.
@@ -312,6 +314,7 @@ def _decrypt(self, aes_key, data):
         decode = base64.b64decode(data)
         bs = AES.block_size
         iv = decode[:bs]
-        cryptor = AES.new(key=aes_plain_key, mode=AES.MODE_CFB, IV=iv, segment_size=128)
-        plain_text = cryptor.decrypt(decode)
-        return json.loads(plain_text[16:])
+        ciphertext = decode[bs:]
+        cryptor = AES.new(key=aes_plain_key, mode=AES.MODE_CTR, nonce=b"", initial_value=iv)
+        plain_text = cryptor.decrypt(ciphertext)
+        return json.loads(plain_text)

bbot/core/helpers/misc.py

@@ -1333,7 +1333,11 @@ def which(*executables, path=None):
     for e in executables:
         location = shutil.which(e, path=path)
         if location:
-            return location
+            # Resolve directory symlinks but preserve the binary name.
+            # This fixes native 7zip on Fedora where /usr/sbin -> bin symlink
+            # causes codec loading to fail when invoked as /usr/sbin/7z.
+            resolved_dir = os.path.realpath(os.path.dirname(location))
+            return os.path.join(resolved_dir, os.path.basename(location))
 
 
 def search_dict_by_key(key, d):

bbot/core/helpers/web/envelopes.py

@@ -166,6 +166,36 @@ def get_subparam(self, key=None, recursive=True):
                 data = data[segment]
         return data
 
+    def pack_value(self, value, key=None):
+        """
+        Pack a value through the envelope chain WITHOUT modifying internal state.
+        """
+        if key is None:
+            key = self.selected_subparam
+
+        inner = self.unpacked_data(recursive=False)
+
+        if hasattr(inner, "pack_value"):
+            # Inner is another envelope - delegate down the chain
+            data = inner.pack_value(value, key)
+        elif self.singleton:
+            # At the leaf singleton - use the new value directly
+            data = value
+        else:
+            # At the leaf non-singleton (JSON/XML) - copy the data and substitute
+            import copy
+
+            if key is None:
+                raise ValueError("No subparam selected for non-singleton envelope")
+            data = copy.deepcopy(inner)
+            # In the loop: Traverse all the way down to the parent of the target value (all segments except the last),
+            target = data
+            for segment in key[:-1]:
+                target = target[segment]
+            # Use the final segment to actually assign the value.
+            target[key[-1]] = value
+        return self._pack(data)
+
     def set_subparam(self, key=None, value=None, recursive=True):
         envelope = self
         if recursive:

bbot/modules/internal/excavate.py

@@ -1242,6 +1242,14 @@ async def handle_event(self, event, **kwargs):
                     if header.lower() == "content-type":
                         content_type = headers["content-type"][0]
 
+            # skip PDF responses -- running YARA/regex on raw PDF bytes produces false positives and wastes time.
+            # PDFs are still processed correctly via the filedownload → extractous → RAW_TEXT pipeline,
+            # which extracts readable text and feeds it back to excavate as a RAW_TEXT event (handled separately below).
+            # TODO: remove this in favor of a proper categorization system for text vs non-text (i.e. to-be-extracted) content
+            if content_type and "application/pdf" in content_type.lower():
+                self.debug(f"Skipping PDF response: {event.data.get('url', 'unknown')}")
+                return
+
             await self.search(
                 body,
                 event,

bbot/modules/internal/unarchive.py

@@ -17,12 +17,12 @@ class unarchive(BaseInternalModule):
     async def setup(self):
         self.ignore_compressions = ["application/java-archive", "application/vnd.android.package-archive"]
         self.compression_methods = {
-            "zip": ["7z", "x", '-p""', "-aoa", "{filename}", "-o{extract_dir}/"],
+            "zip": ["7z", "x", "-aoa", "{filename}", "-o{extract_dir}/"],
             "bzip2": ["tar", "--overwrite", "-xvjf", "{filename}", "-C", "{extract_dir}/"],
             "xz": ["tar", "--overwrite", "-xvJf", "{filename}", "-C", "{extract_dir}/"],
-            "7z": ["7z", "x", '-p""', "-aoa", "{filename}", "-o{extract_dir}/"],
-            # "rar": ["7z", "x", '-p""', "-aoa", "{filename}", "-o{extract_dir}/"],
-            # "lzma": ["7z", "x", '-p""', "-aoa", "{filename}", "-o{extract_dir}/"],
+            "7z": ["7z", "x", "-aoa", "{filename}", "-o{extract_dir}/"],
+            # "rar": ["7z", "x", "-aoa", "{filename}", "-o{extract_dir}/"],
+            # "lzma": ["7z", "x", "-aoa", "{filename}", "-o{extract_dir}/"],
             "tar": ["tar", "--overwrite", "-xvf", "{filename}", "-C", "{extract_dir}/"],
             "gzip": ["tar", "--overwrite", "-xvzf", "{filename}", "-C", "{extract_dir}/"],
         }

bbot/modules/lightfuzz/lightfuzz.py

@@ -13,11 +13,17 @@ class lightfuzz(BaseModule):
         "force_common_headers": False,
         "enabled_submodules": ["sqli", "cmdi", "xss", "path", "ssti", "crypto", "serial", "esi"],
         "disable_post": False,
+        "try_post_as_get": False,
+        "try_get_as_post": False,
+        "avoid_wafs": True,
     }
     options_desc = {
         "force_common_headers": "Force emit commonly exploitable parameters that may be difficult to detect",
         "enabled_submodules": "A list of submodules to enable. Empty list enabled all modules.",
         "disable_post": "Disable processing of POST parameters, avoiding form submissions.",
+        "try_post_as_get": "For each POSTPARAM, also fuzz it as a GETPARAM (in addition to normal POST fuzzing).",
+        "try_get_as_post": "For each GETPARAM, also fuzz it as a POSTPARAM (in addition to normal GET fuzzing).",
+        "avoid_wafs": "Avoid running against confirmed WAFs, which are likely to block lightfuzz requests",
     }
 
     meta = {
@@ -36,8 +42,11 @@ async def setup(self):
         self.interactsh_instance = None
         self.interactsh_domain = None
         self.disable_post = self.config.get("disable_post", False)
+        self.try_post_as_get = self.config.get("try_post_as_get", False)
+        self.try_get_as_post = self.config.get("try_get_as_post", False)
         self.enabled_submodules = self.config.get("enabled_submodules")
         self.interactsh_disable = self.scan.config.get("interactsh_disable", False)
+        self.avoid_wafs = self.scan.config.get("avoid_wafs", True)
         self.submodules = {}
 
         if not self.enabled_submodules:
@@ -142,9 +151,29 @@ async def handle_event(self, event):
             connectivity_test = await self.helpers.request(event.data["url"], timeout=10)
 
             if connectivity_test:
-                for submodule_name, submodule in self.submodules.items():
-                    self.debug(f"Starting {submodule_name} fuzz()")
-                    await self.run_submodule(submodule, event)
+                original_type = event.data["type"]
+
+                # Normal fuzzing pass (skipped for POSTPARAM if disable_post is True)
+                if not (self.disable_post and original_type == "POSTPARAM"):
+                    for submodule_name, submodule in self.submodules.items():
+                        self.debug(f"Starting {submodule_name} fuzz()")
+                        await self.run_submodule(submodule, event)
+
+                # Additional pass: try POSTPARAM as GETPARAM
+                if self.try_post_as_get and original_type == "POSTPARAM":
+                    event.data["type"] = "GETPARAM"
+                    event.data["converted_from_post"] = True
+                    for submodule_name, submodule in self.submodules.items():
+                        self.debug(f"Starting {submodule_name} fuzz() (try_post_as_get)")
+                        await self.run_submodule(submodule, event)
+
+                # Additional pass: try GETPARAM as POSTPARAM
+                if self.try_get_as_post and original_type == "GETPARAM":
+                    event.data["type"] = "POSTPARAM"
+                    event.data["converted_from_get"] = True
+                    for submodule_name, submodule in self.submodules.items():
+                        self.debug(f"Starting {submodule_name} fuzz() (try_get_as_post)")
+                        await self.run_submodule(submodule, event)
             else:
                 self.debug(f"WEB_PARAMETER URL {event.data['url']} failed connectivity test, aborting")
 
@@ -167,10 +196,19 @@ async def finish(self):
             except InteractshError as e:
                 self.debug(f"Error in interact.sh: {e}")
 
-    # If we've disabled fuzzing POST parameters, back out of POSTPARAM WEB_PARAMETER events as quickly as possible
     async def filter_event(self, event):
+        # Unless configured specifically to do so, avoid running against confirmed WAFs
+        if self.avoid_wafs and "waf" in event.tags:
+            # Use parsed_url.geturl() for both URL and WEB_PARAMETER events
+            parsed_url = getattr(event, "parsed_url", None)
+            url = parsed_url.geturl() if parsed_url else "unknown"
+            self.debug(f"Skipping {event.type} because it is likely to be blocked by a WAF. URL: {url}")
+            return False
+
+        # If we've disabled fuzzing POST parameters, back out of POSTPARAM WEB_PARAMETER events as quickly as possible
         if event.type == "WEB_PARAMETER" and self.disable_post and event.data["type"] == "POSTPARAM":
-            return False, "POST parameter disabled in lightfuzz module"
+            if not self.try_post_as_get:
+                return False, "POST parameter disabled in lightfuzz module"
         return True
 
     @classmethod

bbot/modules/lightfuzz/submodules/base.py

@@ -238,8 +238,15 @@ async def standard_probe(
         self.debug(f"standard_probe requested URL: [{request_params['url']}]")
         return await self.lightfuzz.helpers.request(**request_params)
 
+    def conversion_note(self):
+        if self.event.data.get("converted_from_post", False):
+            return " (converted from POSTPARAM)"
+        elif self.event.data.get("converted_from_get", False):
+            return " (converted from GETPARAM)"
+        return ""
+
     def metadata(self):
-        metadata_string = f"Parameter: [{self.event.data['name']}] Parameter Type: [{self.event.data['type']}]"
+        metadata_string = f"Parameter: [{self.event.data['name']}] Parameter Type: [{self.event.data['type']}]{self.conversion_note()}"
         if self.event.data["original_value"] != "" and self.event.data["original_value"] is not None:
             metadata_string += (
                 f" Original Value: [{self.lightfuzz.helpers.truncate_string(self.event.data['original_value'], 200)}]"
@@ -265,13 +272,16 @@ def incoming_probe_value(self, populate_empty=True):
 
     def outgoing_probe_value(self, outgoing_probe_value):
         """
-        Transparently modifies the outgoing probe value (fuzz probe being sent to the target), given any envelopes that may have been identified, so that fuzzing within the envelopes can occur.
+        Transparently packs the outgoing probe value (fuzz probe being sent to the target) through
+        any envelopes that may have been identified, so that fuzzing within the envelopes can occur.
+
+        Uses pack_value() to avoid mutating the envelope's internal state, preventing cross-contamination
+        between submodules that share the same event/envelope object.
         """
         self.debug(f"outgoing_probe_value (before packing): {outgoing_probe_value} / {self.event}")
         envelopes = getattr(self.event, "envelopes", None)
         if envelopes is not None:
-            envelopes.set_subparam(value=outgoing_probe_value)
-            outgoing_probe_value = envelopes.pack()
+            outgoing_probe_value = envelopes.pack_value(outgoing_probe_value)
             self.debug(
                 f"outgoing_probe_value (after packing): {outgoing_probe_value} with envelopes [{envelopes}] / {self.event}"
             )

bbot/modules/lightfuzz/submodules/crypto.py

@@ -232,37 +232,56 @@ async def padding_oracle_execute(self, original_data, encoding, block_size, cook
         else:
             baseline_byte = b"\x00"  # set the baseline byte to 0x00
             starting_pos = 1  # set the starting position to 1
-        # first obtain
+
+        baseline_probe_value = self.format_agnostic_encode(
+            ivblock + paddingblock[:-1] + baseline_byte + datablock, encoding
+        )
         baseline = self.compare_baseline(
             self.event.data["type"],
-            self.format_agnostic_encode(ivblock + paddingblock[:-1] + baseline_byte + datablock, encoding),
+            baseline_probe_value,
             cookies,
         )
         differ_count = 0
         # for each possible byte value, send a probe and check if the response is different
         for i in range(starting_pos, starting_pos + 254):
             byte = bytes([i])
+            probe_value = self.format_agnostic_encode(ivblock + paddingblock[:-1] + byte + datablock, encoding)
             oracle_probe = await self.compare_probe(
                 baseline,
                 self.event.data["type"],
-                self.format_agnostic_encode(ivblock + paddingblock[:-1] + byte + datablock, encoding),
+                probe_value,
                 cookies,
             )
             # oracle_probe[0] will be false if the response is different - oracle_probe[1] stores what aspect of the response is different (headers, body, code)
             if oracle_probe[0] is False and "body" in oracle_probe[1]:
+                # When the server reflects submitted values or reveals decrypted data, every probe will differ in the body. Strip the known probe values from both responses and re-compare.
+                stripped_baseline = baseline.baseline.text
+                stripped_probe = oracle_probe[3].text
+                for encoded_baseline, encoded_probe in [
+                    (baseline_probe_value, probe_value),
+                    (baseline_probe_value.replace("+", " "), probe_value.replace("+", " ")),
+                    (quote(baseline_probe_value), quote(probe_value)),
+                ]:
+                    stripped_baseline = stripped_baseline.replace(encoded_baseline, "")
+                    stripped_probe = stripped_probe.replace(encoded_probe, "")
+                if stripped_baseline == stripped_probe:
+                    continue
+                # If the server reveals decrypted data, the response may differ by only a few bytes (the varying decrypted byte). Tolerate small character-level differences.
+                if len(stripped_baseline) == len(stripped_probe):
+                    char_diffs = sum(1 for a, b in zip(stripped_baseline, stripped_probe) if a != b)
+                    if char_diffs <= 5:
+                        continue
                 differ_count += 1
-
-                if i == 2:
-                    if possible_first_byte is True:
-                        # Thats two results which appear "different". Since this is the first run, it's entirely possible \x00 was the correct padding.
-                        # We will break from this loop and redo it with the last byte as the baseline instead of the first
-                        return None
-                    else:
-                        # Now that we have tried the run twice, we know it can't be because the first byte was the correct padding, and we know it is not vulnerable
-                        return False
-        # A padding oracle vulnerability will produce exactly one different response, and no more, so this is likely a real padding oracle
-        if differ_count == 1:
+        self.debug(f"padding_oracle_execute: finished loop. differ_count={differ_count}")
+        # A padding oracle vulnerability can produce a small number of different responses.
+        # The correct \x01 padding byte always differs, but also, multi-byte padding values (\x02\x02, \x03\x03\x03, etc.) can also produce valid padding if the intermediate state randomly aligns. At most 'block_size' of such values are possible.
+        if 1 <= differ_count <= block_size:
             return True
+        # If too many probes differ, the baseline byte may have been the correct padding byte (1/255 chance).
+        # In that case, the baseline response represents "valid padding" and nearly all probes appear different.
+        # Retry with a different baseline byte to rule this out.
+        if possible_first_byte and differ_count > block_size:
+            return None
         return False
 
     async def padding_oracle(self, probe_value, cookies):

bbot/modules/lightfuzz/submodules/esi.py

@@ -22,7 +22,7 @@ async def check_probe(self, cookies, probe, match):
             self.results.append(
                 {
                     "type": "FINDING",
-                    "description": f"Edge Side Include. Parameter: [{self.event.data['name']}] Parameter Type: [{self.event.data['type']}]",
+                    "description": f"Edge Side Include. Parameter: [{self.event.data['name']}] Parameter Type: [{self.event.data['type']}]{self.conversion_note()}",
                 }
             )
             return True

bbot/modules/lightfuzz/submodules/xss.py

@@ -91,7 +91,7 @@ async def check_probe(self, cookies, probe, match, context):
             self.results.append(
                 {
                     "type": "FINDING",
-                    "description": f"Possible Reflected XSS. Parameter: [{self.event.data['name']}] Context: [{context}] Parameter Type: [{self.event.data['type']}]",
+                    "description": f"Possible Reflected XSS. Parameter: [{self.event.data['name']}] Context: [{context}] Parameter Type: [{self.event.data['type']}]{self.conversion_note()}",
                 }
             )
             return True

bbot/modules/nuclei.py

@@ -15,7 +15,7 @@ class nuclei(BaseModule):
     }
 
     options = {
-        "version": "3.6.2",
+        "version": "3.7.0",
         "tags": "",
         "templates": "",
         "severity": "",

bbot/presets/web/lightfuzz-heavy.yml

@@ -1,4 +1,4 @@
-description: Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery.
+description: Discover web parameters and lightly fuzz them for vulnerabilities, with more intense discovery techniques, including POST parameters, which are more invasive. Uses all lightfuzz modules, and adds paramminer modules for parameter discovery. Avoids running against confirmed WAFs.
 
 include:
   - lightfuzz-medium
@@ -14,3 +14,5 @@ config:
     lightfuzz:
       enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss,esi]
       disable_post: False
+      try_post_as_get: True
+      try_get_as_post: True