Skip to content

Latest commit

 

History

History
96 lines (55 loc) · 3.82 KB

README.MD

File metadata and controls

96 lines (55 loc) · 3.82 KB


Sus params

The *FRESHEST* statisitical analysis of paramters and keywords related to web application vulnerability classes. The `sus_params` project is led by Gunnar Andrews and Jason Haddix.


What is the sus_params Project?

This project is aimed to help new (and seasoned) application security testers when testing enterpise web applications. Often you can land on a large web applications and feel lost as to what to test. The sus_paramaters project is project aimed a giving you insight into parameters or routes that are commonly vulnerable to certain vulnerabilitites.

When you see them, they are "sus", and you should do manual testing on them for the vulnerability class referenced.


The Vulnerable Paramter Lists


Using Sus_params with GAP

Sus_params data and alerting is now availble via Burp Extention in the AWESOME GAP Burp extention by xnl-h4ck3r!


Using GF Pattern Files

The project includes GF pattern files in JSON format to help identify vulnerabilities. Here's how to use them:

  1. Gather a list of URLs to inspect. This can be gathered from tools like Burp Suite or WayMore
  2. Ensure you have gf (Grep-Friendly) installed. If not, install it from here.
  3. Copy the JSON pattern files to your gf patterns directory. Typically, this would be ~/.gf
  4. gf pattern-name FileOfUrls (Replace pattern-name with the name of the pattern you want to use like sqli.json)

Whats Next?

Coming soon we will integrate the OWASP Top 25 Parameter data. HUNT's original data, plus the new sus_param data, and the Top 25 should be the ultimate parameter lists!


Features

  • Comprehensive analysis of Hacktivity Disclosures up to 2023
  • Data from platforms like Bugcrowd Crowdstream up to 2023
  • Data from all Bugcrowd submissions up until 2016
  • Identification of high-risk routes and parameters based on historical data

What Else?

Well this repo is much more than just the data and parameters. Aspiring hackers will notice the full Hacktiviy data dump is hosted here feel free to use it in your security research!

We also have the associated code we used parse the data from Hacktivity and Bugcrowd. After we downloaded this we needed to parse the VERY unstructured data to which we used AI for to great effect! (buy Gunnar a beer to maybe see that code).

Sus_params Cross-Site Scripting (XSS) Parameters

Sus_params Debug and Parameter Tampering Parameters

Sus_params Server-Side Request Forgery (SSRF) Parameters

Sus_params File Inclusion or LFI Parameters

Sus_params SQL Injection Parameters

Sus_params Command Injection Parameters

Sus_params Open Redirect Parameters