Auto-Recon script that will help you in the Burp Suite Certified Practitioner Exam or with any web-security lab.
Wordlists provided in wordlists directory are these provided by Web Security Academy here :
I created this tool for personal use, at the beginning of the certification when it was still only 3 hours for 6 challenges, because I was very short of time and I needed a tool that would make me recognize the labs to go faster. In no way my goal was to make a tool that was going to make me do labs automatically, that's why there is no payload in this script, it's only to save time on the reconnaissance related to labs.
I know, the code of this script is not perfect, as I said before I had made this script quickly as my own, I publish this code hoping to give a starting point to someone to make maybe something cleaner or to have a little tool to help with the reconnaissance. If you want to improve it, don't hesitate to contribute
If you want to know more about this certification and the process, I wrote an article here: https://nishacid.guru/articles/bscp/ .
git clone https://github.com/Nishacid/WSAAR.git
cd WSAAR/
pip3 install -r requirements.txt
» python3 wsaar.py -h
usage: wsaar.py [-h] --id HOST [--username USERNAME] [--password PASSWORD]
options:
-h, --help show this help message and exit
--id HOST, -i HOST Your Lab ID
--username USERNAME, -u USERNAME
Username to login
--password PASSWORD, -p PASSWORD
Password to login
» python3 wsaar.py --id 0ae7004d0475e2aec3077ab10088008a
_ __ _____ ___ ___ _____
| | / / / ___/ / | / | | _ \
| | __ / / | |___ / /| | / /| | | |_| |
| | / | / / \___ \ / / | | / / | | | _ /
| |/ |/ / ___| | / / | | / / | | | | \ \
|___/|___/ /_____/ /_/ |_| /_/ |_| |_| \_\
Web Security Academy Auto Recon
@Nishacid
[*] General Check...
[+] Restricted Admin Panel found on /admin
[+] Exploit server avaliable on https://exploit-0a4200ad04abe23ac34279b001030015.exploit-server.net
[*] Login Check...
[+] There is a login page on /login
[*] CSRF Token required for login
[+] Successful login with default wiener:peter account
[*] Cookies are : {'session': 'bXjUemxcNF3x5IWpsYNNIUl4Jw9QNn50'}
[*] Account Informations
[+] Account Details found on /accountDetails
{
"apikey": "heuXirXWmZi5EJsb7lu1RISDYgog19pP",
"email": "",
"sessions": [
"bXjUemxcNF3x5IWpsYNNIUl4Jw9QNn50"
],
"username": "wiener"
}
[+] Highly possible CORS due to Access-Control-Allow-Credentials Header in response
[*] Deserialization Check...
[*] CORS Check...
[*] Access Control Check...
[*] OAuth Check...
[*] LFI Check...
[*] File Upload Check...
[*] Business Logic Check...
[*] Information Disclosure Check...
[*] SQL Injection Check...
[*] SSRF Check...
[*] XXE Check...
[*] Web Cache Poisoning Check...
[*] XSS Check...
[*] HTTP Request Smuggling Check...
[*] WebSockets Check...
[*] Prototype Pollution Check...
Execution completed, good luck for the next steps :)
» python3 wsaar.py --id 0afd00d5042b2017c02da98d00c3004a
_ __ _____ ___ ___ _____
| | / / / ___/ / | / | | _ \
| | __ / / | |___ / /| | / /| | | |_| |
| | / | / / \___ \ / / | | / / | | | _ /
| |/ |/ / ___| | / / | | / / | | | | \ \
|___/|___/ /_____/ /_/ |_| /_/ |_| |_| \_\
Web Security Academy Auto Recon
@Nishacid
[*] General Check...
[+] Exploit server avaliable on https://exploit-0a620032040d20a9c0cca8ac01b600d4.exploit-server.net
[*] Login Check...
[+] There is a login page on /login
[*] CSRF Token required for login
[-] Default login doesn't work
[*] You can try to Bruteforce with the username and password provided in the ./wordlists/ folder
[*] Deserialization Check...
[*] CORS Check...
[*] Access Control Check...
[*] OAuth Check...
[*] LFI Check...
[*] File Upload Check...
[*] Business Logic Check...
[*] Information Disclosure Check...
[*] SQL Injection Check...
[*] SSRF Check...
[*] XXE Check...
[*] Web Cache Poisoning Check...
[+] Highly possible Web Cache Poisoning due to X-Cache Header in response
[+] Highly possible Web Cache Poisoning due to Cache-Control Header in response
[+] Possible Web Cache Poisoning due to script on /resources/js/tracking.js
[*] XSS Check...
[*] HTTP Request Smuggling Check...
[*] WebSockets Check...
[*] Prototype Pollution Check...
Execution completed, good luck for the next steps :)
» python3 wsaar.py --id 0a42002c03fc3bdfc08c59b700f60004 --username atlas --password 131313
_ __ _____ ___ ___ _____
| | / / / ___/ / | / | | _ \
| | __ / / | |___ / /| | / /| | | |_| |
| | / | / / \___ \ / / | | / / | | | _ /
| |/ |/ / ___| | / / | | / / | | | | \ \
|___/|___/ /_____/ /_/ |_| /_/ |_| |_| \_\
Web Security Academy Auto Recon
@Nishacid
[*] General Check...
[+] Leave a comment to a post functionality
[*] Login Check...
[+] There is a login page on /login
[+] Successful login with custom atlas:131313 account
[*] Cookies are : {'session': 'ejGFm9t9oqcLVzWaIBkOuGRbxn6JNNE8'}
[*] Account Informations
[*] Deserialization Check...
[*] CORS Check...
[*] Access Control Check...
[*] OAuth Check...
[*] LFI Check...
[*] File Upload Check...
[*] Business Logic Check...
[*] Information Disclosure Check...
[*] SQL Injection Check...
[*] SSRF Check...
[*] XXE Check...
[*] Web Cache Poisoning Check...
[*] XSS Check...
[*] HTTP Request Smuggling Check...
[*] WebSockets Check...
[*] Prototype Pollution Check...
Execution completed, good luck for the next steps :)
- Add header argument to pass some cookies / HTTP headers
- Code cleaning
- Improve login.py script (dirty)
- Add news labs / and missing vulnerabilities
- Add carlos:montoya login check
Pull requests are welcome. Feel free to contribute to complete these scripts or to make improvements.
You can contact me on Twitter @Nishacid or email nishacid@protonmail.com.