Content-Discovery Template for workflows

[ph-hitachi]

Hi,

im looking for content-discovery template like finding directory, page, parameters including hidden ones im aware that there so many tools as good for this but my goal is to create a workflows template where we can combine dast/fuzz template. can anyone provide samples for this?

[GeorginaReeder]

Hey @ph-hitachi ! Thanks for the question - I don't have any samples off the top of my head, @dwisiswant0 do we know of any related templates?

[dwisiswant0]

We already have a template for conducting a dynamic analysis under dast/.

[ph-hitachi]

yup, and its great but i'm looking for content-discovery (directory, page, parameters) template uses wordlist payload where i can pipe it into already existing dast/ template using workflows.

[ph-hitachi]

Hi @dwisiswant0,

im looking for something like this

id: hidden-parameter-discovery-dynamic

info:
  name: Hidden Parameter Discovery with Dynamic Path and Query Fuzzing
  author: ph-hitachi   
  severity: info
  tags: fuzzing, parameter-discovery

requests:
  - method: GET
    path:
      - "{{BaseURL}}FUZZ"

    headers:
      User-Agent: Nuclei

    matchers:
      - type: status
        status:
          - 200
          - 301
          - 302
          - 403
          - 401

      - type: size
        part: body
        condition: ">="
        value: 10

      - type: size
        part: body
        condition: "<="
        value: 100

    payloads:
      FUZZ:
        - "?FUZZ=value"
        - "&FUZZ=value"

      FUZZ_VALUES:
        - "id"
        - "user"
        - "admin"
        - "token"
        - "auth"
        - "password"
        - "email"
        - "action"
        - "type"
        - "debug"
        - "test"
        
    # Rate limiting to prevent overwhelming the target server
    max-redirects: 2
    max-reqs-per-host: 5

Initial Request: A baseline request is sent without any parameters, and the size of the response is noted.
Fuzzing with Parameters: Parameters are introduced one by one, and the responses are analyzed for changes in size using the diff matcher.

Detection Logic:

• If adding a parameter causes the response size to increase (greater than or equal to 10 bytes) or decrease (within 100 bytes), this may indicate that the parameter is recognized by the server and processed, even if there are no explicit messages in the response body or headers.
• The word and status matchers ensure that only valid and relevant responses are considered.

[dogancanbakir]

This discussion closed automatically due to inactivity. Feel free to reopen or start new if still relevant.