Packer-Fuzzer
Packer-Fuzzer copied to clipboard
rtcatc
Packer Fuzzer is a fast and efficient scanner for security detection of websites constructed by javascript module bundler such as Webpack.
[10:27:37] Extracting API parameters, which may take longer... [Err] Traceback (most recent call last): File "PackerFuzzer.py", line 26, in tt.check() File "PackerFuzzer.py", line 19, in check t.parseStart() File "/root/Packer-Fuzzer/lib/Controller.py", line...
[!] 共发现1个安全漏洞: 高危1个, 中危0个, 低危0个 [17:31:15] 检测报告正在生成中... [Err] local variable 'js_path' referenced before assignment [Err] local variable 'vuln_detail' referenced before assignment [17:31:18] 检测报告生成完毕! [-] 全部扫描及检测完毕,Packer Fuzzer团队感谢您的使用! report目录并没有该目标报告
**描述错误** 一些 js 里可能会包含一些删除数据的接口,若这些接口刚好存在未授权,就可能导致**数据误删**。例如接口 ``` https://foo.bar/Filter/delFilterById https://foo.bar/comment/delete https://foo.bar/product/delProductLine ``` **建议** - 在 *API提取* 时添加 黑名单关键词 如 del, remove。可以多加些敏感操作的关键词,目的是宁可误报也不漏报 - 在 *参数提取* 时正常解析,但是不做任何发包与漏洞检测 - 最后报告输出时添加类似 敏感操作接口解析 的结果,让用户自行复制数据包测试,即使误报了也有数据保留
`[!] 检测到提取结果不准确,请输入新的BaseDir (使用逗号分隔):other Traceback (most recent call last): File "PackerFuzzer.py", line 26, in tt.check() File "PackerFuzzer.py", line 19, in check t.parseStart() File "E:\Project\Git\Packer-Fuzzer\lib\Controller.py", line 47, in parseStart Apicollect(projectTag, self.options).apireCoverStart() File...
建议加一个参数 -r读取txt,使用burp数据包。一个一个头参数设置挺麻烦的
