OWASP Top-25 Parameters

/*
  Author: Tur24Tur (https://twitter.com/Tur24Tur)
  Source: Twitter (https://twitter.com/Tur24Tur/status/1728095520537678304)
  Init Pub. Date: Nov 24, 2023
  Use Case:
    Get responses that have potentially vulnerable parameters
*/

// Lists of vulnerable parameters based on OWASP Top 25
String[] ssrfParams = {"dest=", "redirect=", "uri=", "path=", "continue=", "url=", "window=", "next=", "data=", "reference=", "site=", "html=", "val=", "validate=", "domain=", "callback=", "return=", "page=", "feed=", "host=", "port=", "to=", "out=", "view=", "dir="};
String[] sqlParams = {"id=", "page=", "report=", "dir=", "search=", "category=", "file=", "class", "url=", "news=", "item=", "menu=", "lang=", "name=", "ref=", "title=", "view=", "topic=", "thread=", "type=", "date=", "form=", "main=", "nav=", "region="};
String[] xssParams = {"q=", "s=", "search=", "id=", "lang=", "keyword=", "query=", "page=", "keywords=", "year=", "view=", "email=", "type=", "name=", "p=", "month=", "image=", "list_type=", "url=", "terms=", "categoryid=", "key=", "l=", "begindate=", "enddate="};
String[] lfiParams = {"cat=", "dir=", "action=", "board=", "date=", "detail=", "file=", "download=", "path", "folder=", "prefix=", "include=", "page=", "inc=", "locate=", "show=", "doc=", "site=", "type=", "view=", "content=", "document=", "layout=", "mod=", "conf="};
String[] orParams = {"next=", "url=", "target=", "rurl=", "dest=", "destination=", "redir=", "redirect_uri", "redirect_url=", "redirect=", "out=", "view=", "to=", "image_url=", "go=", "return=", "returnTo=", "return_to=", "checkout_url=", "continue=", "return_path="};
String[] rceParams = {"cmd=", "exec=", "command=", "execute=", "ping=", "query=", "jump=", "code", "reg=", "do=", "func=", "arg=", "option=", "load=", "process=", "step=", "read=", "feature=", "exe=", "module=", "payload=", "run=", "print="};


// the logic 
if (requestResponse.request().url() != null) {
    String requestUrl = requestResponse.request().url();
    String requestBody = requestResponse.request().bodyToString();

    String[][] allParams = {ssrfParams, sqlParams, xssParams, lfiParams, orParams, rceParams};

    
    int queryStart = requestUrl.indexOf("?");
    String queryString = "";
    if (queryStart != -1 && queryStart < requestUrl.length() - 1) {
        queryString = requestUrl.substring(queryStart + 1);
    }

    String[] allInputParams = (queryString + "&" + requestBody).split("&");

    // Check each parameter against the lists of vulnerable parameters
    for (String inputParam : allInputParams) {
        for (String[] paramArray : allParams) {
            for (String param : paramArray) {
                if (inputParam.startsWith(param)) {
                    return true; 
                }
            }
        }
    }
}

return false;