🔍Text Matching

while writing your own script, you need to ensure that you have been matched the right text to avoid False Postive

lotus gives you many easy ways for text matching/procssing including

searching with css selector
generating css selector pattern for xss paylaods
match with regex
check if the string includes custom data
check if the string startswith
text matching with and/or conditions

searching with CSS Selector pattern

SCAN_TYPE = 2
function main()
	local resp = http:send("GET","http://testphp.vulnweb.com/artists.php?artist=1")
	local body = resp.body
	local searched = html_search(body,"h2[id=\"pageName\"]")
	println(searched)
	-- <h2 id="pageName">artist: r4w8173</h2>
end

generating CSS Selector Pattern for XSS Payloads

you can use this for the XSS CVES, to ensure that the payload is render in the page or not

XSS_PAYLOAD = "<img src=x onerror=alert(1)>"
function main()
	local search_pattern = generate_css_selector(XSS_PAYLOAD)
	println(search_pattern)
	-- img[onerror="alert(1)"][src="x"]
end

match with Regex

function main()
	local matched = is_match("\\d\\d\\d","123")
	println(string.format("MATCHED: %s",matched))
	-- MATCHED: true
end

check if the string includes data

str_contains("I use lua","use") -- true

check if the string startswith

str_startswith("I use lua","I use") -- true

text matching with and / or conditions

SCAN_TYPE = 2

function main()
	local match_one = {"test","Mike"}
	local match_all = {"Mike","true"}
	local BODY = '{"name":"Mike","is_admin":true}'
	-- match body with `or` conditions
	-- it means the function will returns true if one of the elements in the list matched with the body
	ResponseMatcher:match_body_once(BODY,match_one) -- true
	-- match body with `and` conditions
	-- it means the function will returns true if all of the elements in the list matched with the body
	ResponseMatcher:match_body(BODY,match_all) -- true
end

PreviousParsing NextReporting

Last updated 9 months ago