The *FRESHEST* statistical analysis of parameters and keywords related to web application vulnerability classes. The `sus_params` project is led by Gunnar Andrews and Jason Haddix.
This project is aimed at helping new (and seasoned) application security testers when testing enterprise web applications. Often you can land on a large web application and feel lost as to what to test. The `sus_params` project aims to give you insight into parameters or routes that are commonly vulnerable to certain vulnerability classes.
When you see them, they are "sus", and you should do manual testing on them for the vulnerability class referenced.
- Cross-Site Scripting
- Debug and Parameter Tampering
- Server-Side Request Forgery
- File Inclusion - LFI
- SQL Injection
- Command Injection
- Open Redirect
`sus_params` data and alerting is now available via Burp extension in the AWESOME GAP Burp extension by xnl-h4ck3r!
The project includes GF pattern files in JSON format to help identify vulnerabilities. Here's how to use them:
- Gather a list of URLs to inspect. These can be gathered from tools like Burp Suite or WayMore.
- Ensure you have `gf` (Grep-Friendly) installed. If not, install it from here.
- Copy the JSON pattern files to your `gf` patterns directory. Typically, this would be `~/.gf`.
- Run `gf pattern-name FileOfUrls` (replace `pattern-name` with the name of the pattern you want to use, like `sqli.json`).
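As an added example (not code from the `sus_params` project or from `gf` itself), here is a small Python re-implementation of what `gf pattern-name FileOfUrls` does with a JSON pattern file, so you can see how a pattern selects the "sus" URLs out of a Burp or WayMore export. The pattern file and URL list below are constructed for illustration and are not the project's real `sqli.json`; only the `-i` grep flag is honoured, and patterns are assumed to be written for `grep -E`.

```python
import json
import re

# Constructed gf-style pattern (NOT the project's real sqli.json).
# gf pattern files look like {"flags": "<grep flags>", "patterns": [...]}
# or {"flags": "...", "pattern": "..."} and are handed straight to grep.
SAMPLE_PATTERN = json.dumps({
    "flags": "-iE",
    "patterns": ["[?&](id|uid|user_id|query)="],
})

# Constructed URL list, as if exported from Burp Suite or WayMore.
SAMPLE_URLS = """https://example.com/search?query=shoes
https://example.com/account?UID=42&format=json
https://example.com/static/logo.png
https://example.com/posts?page=2
"""


def compile_gf_pattern(pattern_json: str) -> re.Pattern:
    """Turn a gf JSON pattern into one Python regex.

    gf passes `flags` to grep: -i means case-insensitive and -E means
    extended regex, which is already Python's dialect, so only -i is
    translated here (assumption: patterns are written for grep -E).
    Both the single `pattern` key and the `patterns` list are accepted,
    and the list is joined as alternatives, like several grep -e options.
    """
    spec = json.loads(pattern_json)
    alternatives = spec.get("patterns") or [spec["pattern"]]
    flags = re.IGNORECASE if "i" in spec.get("flags", "") else 0
    return re.compile("|".join(f"(?:{p})" for p in alternatives), flags)


def sus_urls(pattern_json: str, urls_text: str) -> list[str]:
    """Return the URLs (one per line) that hit the pattern, like `gf name file`."""
    regex = compile_gf_pattern(pattern_json)
    return [line for line in urls_text.splitlines() if line and regex.search(line)]


if __name__ == "__main__":
    # Prints the two URLs carrying a suspicious parameter name.
    for url in sus_urls(SAMPLE_PATTERN, SAMPLE_URLS):
        print(url)
```

Matches are only a triage hint: each hit still needs manual testing for the vulnerability class the pattern belongs to.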
Coming soon, we will integrate the OWASP Top 25 Parameter data. HUNT's original data, plus the new `sus_params` data, and the Top 25 should be the ultimate parameter lists!
- Comprehensive analysis of Hacktivity Disclosures up to 2023
- Data from platforms like Bugcrowd Crowdstream up to 2023
- Data from all Bugcrowd submissions up until 2016
- Identification of high-risk routes and parameters based on historical data
Well, this repo is much more than just the data and parameters. Aspiring hackers will notice the full Hacktivity data dump is hosted here; feel free to use it in your security research!
We also have the associated code we used to parse the data from Hacktivity and Bugcrowd. After downloading it, we needed to parse the VERY unstructured data, for which we used AI to great effect! (Buy Gunnar a beer to maybe see that code.)