DanaEpp
/ guid_reaper.py
Created
October 20, 2022 17:56
Tool to dump v1 GUIDs and generate a wordlist of GUIDs for use in bruteforce attacks against APIs with predictable GUIDs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env python3 | |
| import argparse | |
| import datetime | |
| import re | |
| import sys | |
| import uuid | |
| ############################################################################### | |
| # Based off of Daniel Thatcher's guid tool |
DanaEpp
/ dump-endpoints.jq
Created
November 26, 2022 00:05
jq query and filter to dump the HTTP method, route and description of every endpoint in an OpenAPI 3.0 document. Usage: jq -r -f dump-endpoints.jq openapidoc.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .paths | to_entries | map(select(.key | test("^x-") | not)) | map ( .key as $path | .value | to_entries | map( select( .key | IN("get", "put", "post", "delete", "options", "head", "patch", "trace")) | { method: .key, path: $path, summary: .value.summary?, deprecated: .value.deprecated? })[] ) | map( .method + "\t" + .path + "\t" + .summary + (if .deprecated then " (deprecated)" else "" end)) [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env python3 | |
| """ | |
| request_logger.py | |
| A simple HTTP server that will dump the requests being mirrored from an implant on an API server | |
| WARNING: This will record all header and body content of a request to a JSON file. To reduce the risk of | |
| information disclosure, care should be placed in the ACL of the output file. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {{7*7}} | |
| ${7*7} | |
| <%= 7*7 %> | |
| ${{7*7}} | |
| #{7*7} | |
| *{7*7} |
DanaEpp
/ txt_to_postman_b64_json.py
Created
March 27, 2024 20:58
A simple Python script that will convert and encode a Big List of Naughty Strings (BLNS) into a JSON file that Postman can use
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from argparse import ArgumentParser, Namespace | |
| import os | |
| import base64 | |
| import json | |
| def main(srcFile: str, dstFile:str) -> None: | |
| if not os.path.isfile(srcFile): |
DanaEpp
/ har_capture_reader.py
Created
May 10, 2024 17:49
HAR capture reader to use with Sensitive Data Detector. see: https://danaepp.com/sensitive-data-detection-using-ai-for-api-hackers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rom base64 import b64decode | |
| import os | |
| from typing import Iterator, Union | |
| import json_stream | |
| # This HAR capture reader was taken from mitmproxy2swagger and slightly modified to work for our needs. | |
| # See https://github.com/alufers/mitmproxy2swagger/blob/master/mitmproxy2swagger/har_capture_reader.py | |
| class HarFlowWrapper: | |
| def __init__(self, flow: dict): |
DanaEpp
/ sensitive_data_detector.py
Created
May 10, 2024 17:52
Sensitive Data Detector see: https://danaepp.com/sensitive-data-detection-using-ai-for-api-hackers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import sys | |
| from typing import List | |
| from dataclasses import dataclass | |
| from presidio_analyzer import AnalyzerEngine, RecognizerResult | |
| import argparse | |
| from har_capture_reader import HarCaptureReader | |
| analyzer: AnalyzerEngine = AnalyzerEngine() |
OlderNewer