
SessionProbe is a multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.

Primary language: Go. License: MIT.


SessionProbe 🚀⚡

SessionProbe is a multi-threaded pentesting tool designed to assist in evaluating user privileges in web applications. It takes a user's session token and checks, for a list of URLs, whether access is possible, highlighting potential authorization issues. SessionProbe deduplicates URL lists and provides real-time logging and progress tracking.

SessionProbe is intended to be used with Burp Suite's "Copy URLs in this host" functionality in the Target tab (available in the free Community Edition).

Note: You may want to change the filter in Burp's Target tab to include files or images. Otherwise, these URLs would not be copied by "Copy URLs in this host" and would not be tested by SessionProbe.

Built-in Help 🆘

Help is built-in!

  • sessionprobe --help - outputs the help.

How to Use ⚙

Usage:
    sessionprobe [flags]

Flags:
  -u, --urls string             file containing the URLs to be checked (required)
  -H, --headers string          HTTP headers to be used in the requests in the format "Key1:Value1;Key2:Value2;..."
  -h, --help                    help for sessionprobe
      --ignore-css              ignore URLs ending with .css (default true)
      --ignore-js               ignore URLs ending with .js (default true)
  -o, --out string              output file (default "output.txt")
  -p, --proxy string            proxy URL (default: "")
  -r, --filter-regex string     exclude HTTP responses using a regex. Responses whose body matches this regex will not be part of the output.
  -l, --filter-lengths string   exclude HTTP responses by body length. You can specify lengths separated by commas (e.g., "123,456,789").
      --skip-verification       skip verification of SSL certificates (default false)
  -t, --threads int             number of threads (default 10)
      --check-all               Check POST, DELETE, PUT & PATCH methods (default false)
      --check-delete            Check DELETE method (default false)
      --check-patch             Check PATCH method (default false)
      --check-post              Check POST method (default false)
      --check-put               Check PUT method (default false)

Examples:
    ./sessionprobe -u ./urls.txt
    ./sessionprobe -u ./urls.txt --out ./unauthenticated-test.txt --threads 15
    ./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>" -o ./output.txt
    ./sessionprobe -u ./urls.txt -H "Authorization: Bearer <token>" --proxy http://localhost:8080
    ./sessionprobe -u ./urls.txt -r "Page Not Found"
    ./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>;Cookie: <another-cookie>=<another_value>"
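The -H, -l and --ignore-* values above each have a small grammar: headers are "Key:Value" pairs separated by ";", lengths are comma-separated integers, and CSS/JS URLs are recognised by their suffix. As an added example written for this page (not code from the SessionProbe project), here is how that parsing and the URL deduplication can be done in Go, the tool's own language. The function names are my own, and the inputs in main are constructed from the README's usage examples.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// ParseHeaders splits the -H format "Key1:Value1;Key2:Value2" into an http.Header.
// Only the first ':' separates key from value, so "Authorization: Bearer x" survives intact,
// and repeated keys (two Cookie entries, as in the README's last example) are kept as
// separate values instead of one overwriting the other.
func ParseHeaders(s string) (http.Header, error) {
	h := http.Header{}
	for _, part := range strings.Split(s, ";") {
		if strings.TrimSpace(part) == "" {
			continue // tolerate a trailing ';'
		}
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("header %q is not in Key:Value form", part)
		}
		h.Add(strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1]))
	}
	return h, nil
}

// ParseLengths turns the -l format "123,456,789" into the set of body lengths to exclude.
func ParseLengths(s string) (map[int]bool, error) {
	set := map[int]bool{}
	if strings.TrimSpace(s) == "" {
		return set, nil
	}
	for _, p := range strings.Split(s, ",") {
		n, err := strconv.Atoi(strings.TrimSpace(p))
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid body length %q", p)
		}
		set[n] = true
	}
	return set, nil
}

// PrepareURLs trims and dedupes the URL list, keeping first-seen order, and applies the
// --ignore-css / --ignore-js defaults (a plain suffix check, as the help text describes).
func PrepareURLs(urls []string, ignoreCSS, ignoreJS bool) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, u := range urls {
		u = strings.TrimSpace(u)
		switch {
		case u == "" || seen[u]:
		case ignoreCSS && strings.HasSuffix(u, ".css"):
		case ignoreJS && strings.HasSuffix(u, ".js"):
		default:
			seen[u] = true
			out = append(out, u)
		}
	}
	return out
}

func main() {
	// Constructed inputs mirroring the README's usage examples.
	h, err := ParseHeaders("Cookie: .AspNetCore.Cookies=<cookie>;Cookie: <another-cookie>=<another_value>;Authorization: Bearer <token>")
	fmt.Println(h, err)
	fmt.Println(ParseLengths("123,456,789"))
	fmt.Println(PrepareURLs([]string{"https://example.com/app", "https://example.com/app", "https://example.com/site.css", "https://example.com/main.js", "https://example.com/api/users"}, true, true))
}
```

Two properties of this parser are worth knowing when you build the -H string: because ";" is the pair separator, a single header value containing ";" would be split into two entries, which is why several cookies are passed as separate "Cookie:" parts as in the last usage example above; and because the suffix check is literal, a URL such as style.css?v=2 is not treated as CSS and would still be probed.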

Run via Docker 🐳

  1. Navigate into the directory where your URLs file is.
  2. Run the following command:
docker run -it --rm -v "$(pwd):/app/files" --name sessionprobe fw10/sessionprobe [flags]
  • Note that we are mounting the current directory in. This means that your URLs file must be in the current directory and your output file will also be in this directory.
  • Also remember to have a Burp listener bound to all interfaces if you want to use the --proxy option, since localhost inside the container is not the host machine.

Setup ✅

  • You can simply run this tool from source via go run .
  • You can build the tool yourself via go build
  • You can build the docker image yourself via docker build . -t fw10/sessionprobe

Run Tests 🧪

  • To run the tests, run go test or go test -v (for more details)

Features 🔎

  • Test for authorization issues
  • Automatically dedupes URLs
  • Sorts the URLs by response status code and extension (e.g., .css, .js), and reports each response's body length
  • Multi-threaded
  • Proxy support to route all requests through, e.g., Burp
  • ...

Example Output 📋

Responses with Status Code: 200

https://example.com/<some-path> => Length: 12345
https://example.com/<some-path> => Length: 40
...

Responses with Status Code: 301

https://example.com/<some-path> => Length: 890
https://example.com/<some-path> => Length: 434
...

Responses with Status Code: 302

https://example.com/<some-path> => Length: 0
...

Responses with Status Code: 404

...

Responses with Status Code: 502

...
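To show how a probe of this kind produces the grouped report above, here is an added Go example written for this page (not the SessionProbe project's own code). It fetches a URL list with a session header using a bounded number of workers, reports redirects instead of following them (so 301/302 rows appear as in the sample output), applies -r and -l style exclusions, and prints the groups in the same "Responses with Status Code" layout. The target is a constructed httptest server whose /admin path is only authorized for the cookie session=alice, so main probes the same list twice, with the session and anonymously with -r "Page Not Found" hiding the 404 bodies; every function name, path and cookie here is an assumption of the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
	"sync"
)

// Result is one report row: the probed URL, its status code and the response body length.
type Result struct{ URL string; Status, Length int }

// Probe GETs every URL with the session headers, at most `threads` in flight; redirects are reported,
// not followed, and bodies whose length is in dropLen or that match dropRe are excluded (-l / -r).
func Probe(urls []string, headers http.Header, threads int, dropLen map[int]bool, dropRe *regexp.Regexp) []Result {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // keep the 301/302 itself, as in the sample output
	}}
	sem, results := make(chan struct{}, threads), []Result{}
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, u := range urls {
		wg.Add(1)
		go func(u string) {
			defer wg.Done()
			sem <- struct{}{} // acquire one of the `threads` worker slots
			defer func() { <-sem }()
			req, err := http.NewRequest(http.MethodGet, u, nil)
			if err != nil {
				return
			}
			req.Header = headers.Clone()
			resp, err := client.Do(req)
			if err != nil {
				return // unreachable URLs simply produce no row
			}
			body, _ := io.ReadAll(resp.Body)
			resp.Body.Close()
			if dropLen[len(body)] || (dropRe != nil && dropRe.Match(body)) {
				return
			}
			mu.Lock()
			results = append(results, Result{u, resp.StatusCode, len(body)})
			mu.Unlock()
		}(u)
	}
	wg.Wait()
	return results
}

// Report prints rows grouped by status code in the "Example Output" layout; it sorts in place
// so the report is stable even though fetching is concurrent.
func Report(rows []Result) string {
	sort.Slice(rows, func(i, j int) bool {
		return rows[i].Status < rows[j].Status || rows[i].Status == rows[j].Status && rows[i].URL < rows[j].URL
	})
	out := ""
	for i, r := range rows {
		if i == 0 || rows[i-1].Status != r.Status {
			out += fmt.Sprintf("Responses with Status Code: %d\n\n", r.Status)
		}
		out += fmt.Sprintf("%s => Length: %d\n", r.URL, r.Length)
		if i == len(rows)-1 || rows[i+1].Status != r.Status {
			out += "\n"
		}
	}
	return out
}

// NewSampleServer is a constructed stand-in target, not a real site: / is public, /admin needs
// the cookie session=alice, /logout redirects, and every other path is a 404 "Page Not Found".
func NewSampleServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, _ := r.Cookie("session")
		switch {
		case r.URL.Path == "/":
			fmt.Fprint(w, "welcome")
		case r.URL.Path == "/admin" && c != nil && c.Value == "alice":
			fmt.Fprint(w, "admin panel")
		case r.URL.Path == "/logout":
			http.Redirect(w, r, "/", http.StatusFound)
		default:
			http.Error(w, "Page Not Found", http.StatusNotFound)
		}
	}))
}

func main() {
	srv := NewSampleServer()
	defer srv.Close()
	urls := []string{srv.URL + "/", srv.URL + "/admin", srv.URL + "/logout", srv.URL + "/secret"}
	fmt.Print("== with alice's session ==\n" + Report(Probe(urls, http.Header{"Cookie": {"session=alice"}}, 4, nil, nil)))
	fmt.Print("== no session, -r \"Page Not Found\" ==\n" + Report(Probe(urls, http.Header{}, 4, nil, regexp.MustCompile("Page Not Found"))))
}
```

Comparing the two reports is the authorization check itself: /admin moves from the 200 group with alice's cookie to the 404 group without it, while /logout stays a 302 in both because the redirect is recorded rather than followed. dropLen is the already-parsed set of body lengths; in this example a nil map and a nil regex simply mean no exclusion.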

Releases 🔑

  • The Releases section contains precompiled binaries, so you may not have to build the tool yourself
  • For the Mac releases, your Mac may show a warning ("cannot be opened because it is from an unidentified developer")

Bug Reports 🐞

If you find a bug, please file an Issue right here on GitHub, and I will try to resolve it in a timely manner.