assetnote / kiterunner

Contextual Content Discovery Tool

Brute vs Scan Usage & Wordlist Usage

righettod opened this issue · comments

Hi,

First, thanks a lot for the blog post as well as the tool 👍

I made this issue to ask a question, and I apologise in advance if I have missed a documentation link answering my question.

I am trying to understand the following 2 aspects of the tool.

Aspect 1: BRUTE vs SCAN mode behaviour. Even after reading the description in the code and performing some tests, I did not manage to understand the core difference.

Aspect 2: Parameter -A vs Parameter -w: how do they work together?

I have made my tests against the following application, the REST version of the Spring PetClinic Sample Application, and KR never finds anything with any of the following command lines:

$ export TARGET=http://192.168.178.32:9966/petclinic/api
$ kr version                   
1.0.2 - e7a7fa6
Built on 2021-04-11T09:51:54Z
$ kr scan $TARGET -w routes-small.kite -q -d 5 -A=apiroutes-210328 --fail-status-codes 404
$ kr scan $TARGET -w routes-small.kite -q -d 5 --fail-status-codes 404
$ kr scan $TARGET -q -d 5 -A=apiroutes-210328 --fail-status-codes 404
$ kr brute $TARGET -A=raft-large-words -A=apiroutes-210228 -x 10 -d 3

I'm 100% sure that the problem is bad use of the tool on my part, and that is the reason why I asked this question.

Thanks a lot in advance for your help, and thanks again a lot for this tool/knowledge sharing 😃

  • Brute - does vanilla brute forcing. The input files are interpreted as a wordlist where each line is a word to attempt.
  • Scan - performs API bruteforcing; input wordlists are parsed as our protobuf API schema. This will also attempt the request with the correct headers, methods and body data as included in the API.

-A and -w operate additively. So if you specify -A=apiroutes-210228 -w=mywordlist.txt we will load both the Assetnote wordlist and your mywordlist.txt file. You can specify multiple, so you can say -A=apiroutes-210228,topxml-100 -w=mywordlist.txt,rafter.txt and we will load all 4.

For your petclinic example, running it with routes-small yields the following results (as expected):

❯ ./dist/kr scan localhost:9966/petclinic -w routes-small.kite -q --fail-status-codes 404

+-----------------------+----------------------------------------------------------------------------------------------------------------------------------+
| SETTING               | VALUE                                                                                                                            |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------+
| delay                 | 0s                                                                                                                               |
| full-scan             | false                                                                                                                            |
| full-scan-requests    | 53033                                                                                                                            |
| headers               | [x-forwarded-for:127.0.0.1]                                                                                                      |
| kitebuilder-apis      | [routes-small.kite]                                                                                                              |
| max-conn-per-host     | 3                                                                                                                                |
| max-parallel-host     | 50                                                                                                                               |
| max-redirects         | 3                                                                                                                                |
| max-timeout           | 3s                                                                                                                               |
| preflight-routes      | 11                                                                                                                               |
| quarantine-threshold  | 10                                                                                                                               |
| quick-scan-requests   | 9691                                                                                                                             |
| read-body             | false                                                                                                                            |
| read-headers          | false                                                                                                                            |
| scan-depth            | 1                                                                                                                                |
| skip-preflight        | false                                                                                                                            |
| status-code-blacklist | [404]                                                                                                                            |
| target                | http://localhost:9966/petclinic                                                                                                  |
| total-routes          | 35884                                                                                                                            |
| user-agent            | Chrome. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------+

GET     400 [    127,    5,   1] http://localhost:9966/petclinic/api/users 0cc39f6e9fdf4e55b9a547d2b2fb2456fdf5ac65
PUT     400 [    127,    5,   1] http://localhost:9966/petclinic/api/users 0cc39f7ee4665a087441f4eb819ca453fc98cdbc
 100% |█████| (9691/9691, 645 it/s)
1:25PM INF finished quick scan routes=20 targets=1
GET     400 [    127,    5,   1] http://localhost:9966/petclinic/api/users 0cc39f6e9fdf4e55b9a547d2b2fb2456fdf5ac65
 100% |█████| (31/31, 611 it/s)
PUT     400 [    127,    5,   1] http://localhost:9966/petclinic/api/users 0cc39f7ee4665a087441f4eb819ca453fc98cdbc
1:25PM INF scan complete duration=15308.832514 results=2

The -d parameter should be left unused for the most part, as it adjusts how many directories deep to perform the analysis. Our heuristic typically assumes vhosting occurs only 1 directory deep, and we currently don't flatten the depth properly (e.g. if you specify depth 5, and all your paths are only 2 directories deep, you'll get weird results).

Specifying /api is causing your results to skew, as all the routes in our provided dataset attempt to guess what the API prefix would be. Routes will include /api/user or /api/v2/user in the path, so including /api in the target path means we'll effectively be testing /api/api/user or /api/api/v2/user, which is why it yields no results.
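To make the prefix-doubling effect described in the reply concrete, here is an added example (not kiterunner's own code) that joins a target URL with a set of constructed routes both the naive way and with overlap detection, so you can check a target/wordlist combination for this problem before running a scan. The route list, the helper names and the `overlap_join` behaviour are assumptions for illustration; kiterunner itself does the plain append, which is exactly what the reply warns about.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample routes in the shape the reply describes: most entries
# already carry an API-prefix guess. Not the real Assetnote dataset.
SAMPLE_ROUTES = ["/api/user", "/api/v2/user", "/users", "/api/api-docs"]


def naive_join(target: str, route: str) -> str:
    """Append the route to the target path verbatim.

    This mirrors the behaviour the reply describes: a target that already ends
    in /api and a route that starts with /api/ produce /api/api/... requests.
    The target must carry a scheme (http:// or https://) for urlsplit to parse it.
    """
    parts = urlsplit(target)
    path = parts.path.rstrip("/") + "/" + route.lstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def overlap_join(target: str, route: str) -> str:
    """Join target and route, dropping the longest suffix of the target path
    that equals a prefix of the route (hypothetical de-duplication helper).

    e.g. target /petclinic/api + route /api/v2/user -> /petclinic/api/v2/user
    """
    parts = urlsplit(target)
    tseg = [s for s in parts.path.split("/") if s]
    rseg = [s for s in route.split("/") if s]
    overlap = 0
    # Try the longest possible overlap first, down to a single segment.
    for k in range(min(len(tseg), len(rseg)), 0, -1):
        if tseg[-k:] == rseg[:k]:
            overlap = k
            break
    path = "/" + "/".join(tseg + rseg[overlap:])
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def doubled_prefix_routes(target: str, routes: list[str]) -> list[str]:
    """Return the routes whose naive join repeats a segment of the target path.

    A non-empty result means the target already contains the prefix the
    wordlist is guessing, and the scan would request /api/api/... style paths.
    """
    return [r for r in routes if naive_join(target, r) != overlap_join(target, r)]


if __name__ == "__main__":
    # Same two targets as in the thread: with and without the trailing /api.
    for target in ("http://192.168.178.32:9966/petclinic/api",
                   "http://localhost:9966/petclinic"):
        clash = doubled_prefix_routes(target, SAMPLE_ROUTES)
        print(f"{target}: {len(clash)} of {len(SAMPLE_ROUTES)} routes double a prefix")
        for r in clash:
            print(f"  {r:14} naive -> {naive_join(target, r)}")
```

Running it against the target with the trailing /api reports three of the four sample routes as doubled, while the bare /petclinic target reports none, which matches the outcome in the thread: dropping /api from the target is the fix, not a different wordlist or a larger -d.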