Skip to content

Add Log Line to Page + Directory Cmds #362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
payoub125 merged 2 commits into from
Apr 2, 2026
Merged

Add Log Line to Page + Directory Cmds #362

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fcaed4d
add log line
payoub125 Apr 2, 2026
dc503a9
cursor comment
payoub125 Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 20 additions & 8 deletions internal/discover/directory/directory.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,12 +224,16 @@ func RunDirectoryDiscovery(ctx context.Context, config discover.DiscoverDirector
}

// Analyze response
isValid := AnalyzeResponse(ctx, *httpRequest, validCodes, config.IgnoreBaseContentMatch, baselineSizeInt, baselineWordsInt, baselineSizeRandomPath, baselineWordsRandomPath, config.Threshold)
isValid, errMsg := AnalyzeResponse(ctx, *httpRequest, validCodes, config.IgnoreBaseContentMatch, baselineSizeInt, baselineWordsInt, baselineSizeRandomPath, baselineWordsRandomPath, config.Threshold)

if isValid {
attemptsMutex.Lock()
attempts = append(attempts, httpRequest)
attemptsMutex.Unlock()
} else if errMsg != "" {
attemptsMutex.Lock()
errors = append(errors, errMsg)
attemptsMutex.Unlock()
}

if config.Sleep > 0 {
Expand Down Expand Up @@ -270,19 +274,27 @@ func RunDirectoryDiscovery(ctx context.Context, config discover.DiscoverDirector
}

// AnalyzeResponse checks if the response signifies that directory/file was found based on the response code and the baseline size and word count
func AnalyzeResponse(ctx context.Context, request common.HttpRequestResponse, validCodes map[int]bool, checkBaseContentMatch bool, baselineSize, baselineWords int, baselineSizeRandomPath *int, baselineWordsRandomPath *int, threshold float64) bool {
func AnalyzeResponse(ctx context.Context, request common.HttpRequestResponse, validCodes map[int]bool, checkBaseContentMatch bool, baselineSize, baselineWords int, baselineSizeRandomPath *int, baselineWordsRandomPath *int, threshold float64) (bool, string) {
log := svc1log.FromContext(ctx)
if request.Response == nil || request.Response.StatusCode == nil || !validCodes[*request.Response.StatusCode] {
return false
if request.Response == nil || request.Response.StatusCode == nil {
return false, ""
}
if !validCodes[*request.Response.StatusCode] {
errMsg := fmt.Sprintf("%s%s returned status code %d which is not in the allowed response codes", request.Request.BaseUrl, request.Request.Path, *request.Response.StatusCode)
log.Info(errMsg,
svc1log.SafeParam("url", request.Request.BaseUrl),
svc1log.SafeParam("path", request.Request.Path),
svc1log.SafeParam("status_code", *request.Response.StatusCode))
Comment thread
payoub125 marked this conversation as resolved.
return false, errMsg
}

bodyStr := requesthelpers.GetResponseBodyStringFromBodyStruct(request.Response.ResponseBody)
if bodyStr == nil {
return false
return false, ""
}
bodySize := len(*bodyStr)
if bodySize == 0 {
return false
return false, ""
}

wordCount := len(strings.Fields(*bodyStr))
Expand All @@ -291,11 +303,11 @@ func AnalyzeResponse(ctx context.Context, request common.HttpRequestResponse, va
if checkBaseContentMatch {
if (areSimilar(bodySize, baselineSize, threshold) && areSimilar(wordCount, baselineWords, threshold)) ||
(baselineSizeRandomPath != nil && baselineWordsRandomPath != nil && areSimilar(bodySize, *baselineSizeRandomPath, threshold) && areSimilar(wordCount, *baselineWordsRandomPath, threshold)) {
return false
return false, ""
}
}
log.Info("Valid directory/file found", svc1log.SafeParam("url", request.Request.BaseUrl), svc1log.SafeParam("path", request.Request.Path), svc1log.SafeParam("size", bodySize), svc1log.SafeParam("words", wordCount))
return true
return true, ""
}

// baseLine gets the baseline size and word count of the target to be used for validation of the response
Expand Down
8 changes: 7 additions & 1 deletion internal/discover/page/page.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package discoverpage
import (
// Standard
"context"
"fmt"
// Generated
common "github.com/Method-Security/webscan/generated/go/common"
"github.com/Method-Security/webscan/generated/go/discover"
Expand Down Expand Up @@ -98,7 +99,12 @@ func PerformPageCapture(

// Check if response is valid and add request if status code is allowed
if httpRequestResponse != nil && httpRequestResponse.Response != nil && httpRequestResponse.Response.StatusCode != nil {
if _, exists := validCodes[*httpRequestResponse.Response.StatusCode]; exists {
if _, exists := validCodes[*httpRequestResponse.Response.StatusCode]; !exists {
log.Info("Page returned a response code not in the allowed list, skipping",
svc1log.SafeParam("target", config.Target),
svc1log.SafeParam("status_code", *httpRequestResponse.Response.StatusCode))
errors = append(errors, fmt.Sprintf("page %s returned status code %d which is not in the allowed response codes", config.Target, *httpRequestResponse.Response.StatusCode))
} else {
result.Request = httpRequestResponse

// If sensitive content detection is enabled, extract sensitive content from response body
Expand Down
Loading