-
Notifications
You must be signed in to change notification settings - Fork 31
/
requests.go
113 lines (100 loc) · 3.08 KB
/
requests.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package cmd
import (
"context"
"fmt"
"io"
"net/http"
"strings"
"time"
log "github.com/sirupsen/logrus"
)
var (
accept string
avoidDangerousRequests string
contentType string
dangerousStrings []string = []string{"add", "block", "build", "buy", "change", "clear", "create", "delete", "destroy", "edit", "emergency", "erase", "execute", "insert", "modify", "order", "purchase", "rebuild", "remove", "reset", "restart", "revoke", "run", "sell", "send", "set", "start", "stop", "update", "upload"}
Headers []string
requestStatus int
riskSurveyed bool = false
UserAgent string
userChoice string
)
func MakeRequest(client http.Client, method, target string, timeout int64, reqData io.Reader) ([]byte, string, int) {
if quiet {
avoidDangerousRequests = "y"
}
for _, v := range dangerousStrings {
if strings.Contains(target, v) {
userChoice = ""
if avoidDangerousRequests == "y" {
return nil, "", 0
} else {
fmt.Printf("[!] Dangerous keyword '%s' detected in URL (%s). Do you still want to test this endpoint? (y/N)", v, target)
fmt.Scanln(&userChoice)
if strings.ToLower(userChoice) != "y" {
if !riskSurveyed {
avoidDangerousRequests = "y"
fmt.Printf("[!] Do you want to avoid all dangerous requests? (Y/n)")
fmt.Scanln(&avoidDangerousRequests)
avoidDangerousRequests = strings.ToLower(avoidDangerousRequests)
riskSurveyed = true
}
return nil, "", 0
}
}
}
}
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeout)*time.Second)
defer cancel()
req, err := http.NewRequest(method, target, reqData)
if err != nil && err != context.Canceled && err != io.EOF {
log.Fatal("Error: could not create HTTP request - ", err)
}
for i := range Headers {
h := strings.Split(Headers[i], ":")
if len(h) == 2 {
if h[0] == "User-Agent" {
UserAgent = h[1]
}
if h[0] == "Content-Type" {
contentType = h[1]
}
if h[0] == "Accept" {
accept = h[1]
}
req.Header.Set(h[0], h[1])
} else {
log.Fatal("Custom header provided cannot be used.")
}
}
if UserAgent != "Swagger Jacker (github.com/BishopFox/sj)" {
req.Header.Set("User-Agent", UserAgent)
}
if accept == "" {
req.Header.Set("Accept", "application/json, text/html, */*")
} else {
req.Header.Set("Accept", accept)
}
if method == "POST" {
if contentType == "" {
req.Header.Set("Content-Type", "application/json")
} else {
req.Header.Set("Content-Type", contentType)
}
}
resp, err := client.Do(req.WithContext(ctx))
if err == context.DeadlineExceeded {
log.Printf("Error: %s - skipping request.", err)
return nil, "", 0
} else if err != nil && err != context.Canceled && err != io.EOF {
log.Error("Error: response not received.\n", err)
if strings.Contains(fmt.Sprint(err), "tls") {
fmt.Println("Try supplying the --insecure flag.")
}
return nil, "", 0
}
bodyBytes, _ := io.ReadAll(resp.Body)
bodyString := string(bodyBytes)
requestStatus = resp.StatusCode
return bodyBytes, bodyString, requestStatus
}