[FEATURE] Add support to send requests to different hosts #177

Open
slicingmelon opened this issue Feb 6, 2024 · 3 comments
Labels
enhancement New feature or request

@slicingmelon

What is the problem you are trying to solve?

Add support to send requests to different target URLs. This could be done by adding support to set the target host on the request that is going to be sent.

How are you currently being hindered by this problem?

So given the following bchecks code:

```
metadata:
    language: v2-beta
    name: "cool name here"
    description: "cool description"
    author: "pedro"
    tags: "cooltag"

given path then
    send request called check:
        method: "POST"
        path: "/my_awesome_endpoint"
        replacing headers:
            "Host": "myawesomehost",
            "Content-Type": "application/x-www-form-urlencoded"

        replacing body:
            `data={base64_encode({base.response.body})}`

    if {check.response.status_code} is "200" then
        report issue and continue:
            severity: high
            confidence: tentative
            detail: "bla bla detail"
            remediation: "delete"
    end if
```

So even though I am setting the Host header, the request is still being sent to the original hostname, with my custom Host header set. It would be great if we could send requests to different hosts, to be able to develop more complex bchecks templates.

Thank you!

@slicingmelon slicingmelon added the enhancement New feature or request label Feb 6, 2024
@slicingmelon slicingmelon changed the title from "[FEATURE]" to "[FEATURE] Add support to send requests to different hosts" Feb 6, 2024
@Hannah-PortSwigger
Contributor

Hi

Could you provide some more information on why you would like to send requests to different hosts at the point of the scan check?

Once you get to this point in the Scanner, the scope of the item you are scanning is quite narrow. Generally speaking, you shouldn't be making requests to different targets at this point.

@slicingmelon
Author

Hello,

One scenario would be in a microservices-based environment, you might need to send a request to a different host to fetch a token, and then use it in a subsequent request.
Another example, I would like to communicate with a different host/API, to confirm the validity of a potential secret leaked in the response.

@Hannah-PortSwigger
Contributor

Hi

Thanks for that information.

Your BCheck should not be handling authentication. Instead, this should be done on a wider level. For example, by providing application logins as part of your scan configuration or using session handling rules.

Confirming the validity of a secret may be better suited to manual confirmation or performed separately from a scan. If you prefer, you could write an extension for this functionality instead. If you'd like to find out more about writing extensions, you can check out our documentation here.
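
The behaviour reported at the top of this issue, shown with plain HTTP as an added example (not code from the thread or from Burp): the destination is fixed when the connection is opened, and a replaced Host header is only a header the receiving server reads. The loopback server stands in for the scanned host; the handler and function names are assumptions made for this demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    """Records what the server that received the connection saw."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.server.seen = {
            "host_header": self.headers.get("Host"),
            "path": self.path,
            "body": self.rfile.read(length).decode(),
            "arrived_at": self.connection.getsockname(),  # real TCP endpoint
        }
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def send_with_replaced_host(body: str) -> dict:
    # Stand-in for the scanned host (constructed: loopback, ephemeral port).
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    target = server.server_address

    # The destination is chosen here, when the connection is opened ...
    conn = http.client.HTTPConnection(target[0], target[1], timeout=5)
    # ... while the Host header below is only bytes inside the request.
    conn.request("POST", "/my_awesome_endpoint", body=body, headers={
        "Host": "myawesomehost",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    status = conn.getresponse().status
    conn.close()
    worker.join(timeout=5)
    server.server_close()
    return {"status": status, "target": target, **server.seen}


if __name__ == "__main__":
    print(send_with_replaced_host("data=aGVsbG8="))  # constructed sample body
```

The returned `arrived_at` equals `target` even though `host_header` is `myawesomehost`, which matches what the BCheck in this issue does: the Host value changes, the server that receives the request does not.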
