[IMPROVEMENT] Normalization of action & method attributes in form extraction feature. #513

Merged

@aristosMiliaressis aristosMiliaressis commented Jul 8, 2023

Hi, I made some improvements to the form extraction feature.

CHANGES:

  • action attributes get normalized to absolute URLs
  • missing method attributes get normalized to GET
  • missing enctype attributes get normalized to application/x-www-form-urlencoded

I used the following page for testing:

<!DOCTYPE html>
<html>
<body>
<form action=https://abs.example.com></form>
<form action=//prel.example.com></form>
<form action=\\unc.example.com></form>
<form action=/root_rel></form>
<form action=path_rel></form>
<form></form>
</body>
</html>

Result:
[Screenshot from 2023-07-08 14-03-10]

@tarunKoyalwar tarunKoyalwar left a comment

lgtm !

$ ./katana -u https://www.hackerone.com/contact -fx -j  -or -ob | jq '.response.forms | select( . != null ) | .[] | select ( .method != "GET" )'

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.2-dev (outdated)
[INF] Started standard crawling for => https://www.hackerone.com/contact
{
  "method": "POST",
  "action": "https://www.hackerone.com/product/insights",
  "enctype": "application/x-www-form-urlencoded",
  "parameters": [
    "email",
    "op",
    "form_build_id",
    "form_id",
    "url"
  ]
}
{
  "method": "POST",
  "action": "https://www.hackerone.com/penetration-testing",
  "enctype": "application/x-www-form-urlencoded",
  "parameters": [
    "email",
    "op",
    "form_build_id",
    "form_id",
    "url"
  ]
}

Thanks @aristosMiliaressis for the PR and awesome work on joining relative paths (root_rel vs rel_path) 🔥

@ehsandeep ehsandeep merged commit 7e3e6f7 into projectdiscovery:dev Jul 11, 2023
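
The normalization discussed in this thread, as an added example that is not code from this PR or from katana: it resolves each `action` from the test page against a constructed page URL and fills in the `method` and `enctype` defaults. `Form`, `NormalizeForm` and `browserSlashes` are hypothetical names. Treating `\` as `/` before resolving is an assumption that mirrors how browsers parse http(s) URLs (Go's `net/url` would otherwise resolve `\\unc.example.com` as a same-origin relative path), and the PR may handle that case differently.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Form holds the three attributes the PR normalizes.
type Form struct{ Action, Method, Enctype string }

// browserSlashes rewrites '\' to '/' ahead of any query or fragment, the way
// browsers parse http(s) URLs; Go's net/url would keep '\' as path data.
func browserSlashes(ref string) string {
	end := len(ref)
	if i := strings.IndexAny(ref, "?#"); i >= 0 {
		end = i
	}
	return strings.ReplaceAll(ref[:end], `\`, "/") + ref[end:]
}

// NormalizeForm resolves Action against the page URL and fills in defaults.
func NormalizeForm(pageURL string, f Form) (Form, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return f, err
	}
	ref, err := url.Parse(browserSlashes(strings.TrimSpace(f.Action)))
	if err != nil {
		return f, err
	}
	f.Action = base.ResolveReference(ref).String() // empty action -> page URL
	if f.Method = strings.ToUpper(strings.TrimSpace(f.Method)); f.Method == "" {
		f.Method = "GET"
	}
	if f.Enctype = strings.TrimSpace(f.Enctype); f.Enctype == "" {
		f.Enctype = "application/x-www-form-urlencoded"
	}
	return f, nil
}

func main() {
	page := "https://example.com/dir/page.html" // constructed page URL
	for _, a := range []string{"https://abs.example.com", "//prel.example.com",
		`\\unc.example.com`, "/root_rel", "path_rel", ""} {
		f, err := NormalizeForm(page, Form{Action: a})
		fmt.Printf("%-26q -> %s %s (err=%v)\n", a, f.Method, f.Action, err)
	}
}
```

With this handling the `\\unc.example.com` form is reported as posting to a different origin (`https://unc.example.com`), which is what a browser would do with it.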