new: precompiling --http-success expression to achieve better performances during evaluation

Author: evilsocket

docs/plugins/http.md

@@ -60,13 +60,6 @@ The `--http-success` parameter accepts a boolean expression that is evaluated to
 - `!` - Logical NOT
 - Parentheses for grouping: `(status == 200 || status == 201) && contains(body, "ok")`
 
-### Variable Interpolation
-
-The following placeholders can be used in expressions and will be replaced with the current credential values:
-- `{$username}` - Current username being tested
-- `{$password}` - Current password being tested
-- `{$payload}` - Current payload/username for enumeration plugins
-
 For a list of all the operators and builtin functions [refer to this documentation](https://docs.rs/evalexpr/latest/evalexpr/index.html).
 
 ### Expression Examples
@@ -96,8 +89,14 @@ For a list of all the operators and builtin functions [refer to this documentati
 # Verify API response
 --http-success 'status == 200 && content_type == "application/json" && contains(body, "\"authenticated\": true")'
 
-# Use interpolation to check for username in response
---http-success 'status == 200 && contains(body, "{$username}")'
+# Check for username in response
+--http-success 'status == 200 && contains(body, username)'
+
+# Check for password in response
+--http-success 'status == 200 && contains(body, password)'
+
+# Check for single payload (for http.enum)
+--http-success 'status == 200 && contains(body, payload)'
 ```
 
 ## Plugin Usage Examples
@@ -210,17 +209,6 @@ file?filename=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c.
 ...
 ```
 
-Google Suite / GMail valid accounts enumeration:
-
-```sh
-legba http.enum \
-    --payloads data/employees-names.txt \
-    --http-success-string "COMPASS" \
-    --http-success "status == 204" \
-    --quiet \
-    --target "https://mail.google.com/mail/gxlu?email={PAYLOAD}@broadcom.com" 
-```
-
 ### Misc HTTP Requests
 
 HTTP Post Request (Wordpress wp-login.php page):
@@ -282,4 +270,4 @@ legba http \
     --http-method POST \
     --http-payload 'destination=https://exchange-server/&flags=4&username={USERNAME}&password={PASSWORD}' \
     --http-success 'status == 302 && set_cookie != ""'
-```
+```

src/plugins/http/http_test.rs

@@ -1,18 +1,8 @@
-// TODO: add more tests
 #[cfg(test)]
 mod tests {
-    use reqwest::header::{CONTENT_TYPE, HeaderValue};
-
-    use crate::{
-        creds::Credentials,
-        options::Options,
-        plugins::{
-            Plugin,
-            http::{HTTP_PASSWORD_VAR, HTTP_PAYLOAD_VAR, HTTP_USERNAME_VAR},
-        },
-    };
-
     use crate::plugins::http::{HTTP, Strategy};
+    use crate::{creds::Credentials, options::Options, plugins::Plugin};
+    use reqwest::header::{CONTENT_TYPE, HeaderValue};
 
     #[test]
     fn test_get_target_url_adds_default_schema_and_path() {
@@ -546,7 +536,7 @@ mod tests {
         let mut http = HTTP::new(Strategy::Enumeration);
         // Set the expression directly with the placeholder
         http.success_expression =
-            format!("status == 200 && contains(body, \"{}\")", HTTP_USERNAME_VAR);
+            evalexpr::build_operator_tree("status == 200 && contains(body, username)").unwrap();
 
         let response = http
             .client
@@ -580,7 +570,7 @@ mod tests {
         let mut http = HTTP::new(Strategy::Enumeration);
         // Set the expression directly with the placeholder
         http.success_expression =
-            format!("status == 200 && contains(body, \"{}\")", HTTP_PASSWORD_VAR);
+            evalexpr::build_operator_tree("status == 200 && contains(body, password)").unwrap();
 
         let response = http
             .client
@@ -614,7 +604,7 @@ mod tests {
         let mut http = HTTP::new(Strategy::Enumeration);
         // Set the expression directly with the placeholder
         http.success_expression =
-            format!("status == 200 && contains(body, \"{}\")", HTTP_PAYLOAD_VAR);
+            evalexpr::build_operator_tree("status == 200 && contains(body, payload)").unwrap();
 
         let response = http
             .client
@@ -749,7 +739,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -773,7 +763,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -888,7 +878,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -918,7 +908,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -973,7 +963,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -999,7 +989,7 @@ mod tests {
         });
 
         let mut http = HTTP::new(Strategy::Request);
-        http.success_expression = "status == 200".to_owned();
+        http.success_expression = evalexpr::build_operator_tree("status == 200").unwrap();
         let opts = Options {
             target: Some(server.base_url()),
             ..Options::default()
@@ -1591,7 +1581,7 @@ mod tests {
         let mut http = HTTP::new(Strategy::Enumeration);
         // Set the expression directly with the placeholder
         http.success_expression =
-            format!("status == 200 && contains(body, \"{}\")", HTTP_USERNAME_VAR);
+            evalexpr::build_operator_tree("status == 200 && contains(body, username)").unwrap();
 
         let response = http
             .client

src/plugins/http/mod.rs

@@ -26,11 +26,6 @@ mod payload;
 mod placeholders;
 mod ua;
 
-// Placeholders used for interpolating --http-success
-const HTTP_USERNAME_VAR: &str = "{$username}";
-const HTTP_PASSWORD_VAR: &str = "{$password}";
-const HTTP_PAYLOAD_VAR: &str = "{$payload}";
-
 const HTTP_LOWERCASE_PLACEHOLDERS: &[&str] = &["{payload}", "{username}", "{password}"];
 const HTTP_UPPERCASE_PLACEHOLDERS: &[&str] = &["{PAYLOAD}", "{USERNAME}", "{PASSWORD}"];
 
@@ -79,7 +74,7 @@ pub(crate) struct HTTP {
     real_target: Option<String>,
     user_agent: Option<String>,
 
-    success_expression: String,
+    success_expression: evalexpr::Node<evalexpr::DefaultNumericTypes>,
 
     enum_ext: String,
     enum_ext_placeholder: String,
@@ -103,8 +98,8 @@ impl HTTP {
             csrf: None,
             domain: String::new(),
             workstation: String::new(),
-            success_expression: String::new(),
             enum_ext: String::new(),
+            success_expression: evalexpr::build_operator_tree("").unwrap(),
             enum_ext_placeholder: String::new(),
             method: Method::GET,
             headers: HeaderMap::default(),
@@ -238,11 +233,11 @@ impl HTTP {
         builder
     }
 
-    async fn is_success_response(
+    async fn build_response_context(
         &self,
         creds: &Credentials,
         response: Response,
-    ) -> Option<Success> {
+    ) -> Result<(u16, String, usize, HashMapContext<DefaultNumericTypes>), Error> {
         let status = response.status().as_u16();
 
         let mut context = HashMapContext::<DefaultNumericTypes>::new();
@@ -265,14 +260,14 @@ impl HTTP {
 
             context
                 .set_value(header_var_name, Value::from(value.to_str().unwrap()))
-                .unwrap();
+                .map_err(|e| e.to_string())?;
         }
 
         // always set content_type
         if !content_type_set {
             context
                 .set_value(String::from("content_type"), Value::from(""))
-                .unwrap();
+                .map_err(|e| e.to_string())?;
         }
 
         // add response status, body, size and content type to the context
@@ -281,13 +276,13 @@ impl HTTP {
 
         context
             .set_value(String::from("status"), Value::from_int(status as i64))
-            .unwrap();
+            .map_err(|e| e.to_string())?;
         context
             .set_value(String::from("body"), Value::from(body))
-            .unwrap();
+            .map_err(|e| e.to_string())?;
         context
             .set_value(String::from("size"), Value::from_int(size as i64))
-            .unwrap();
+            .map_err(|e| e.to_string())?;
 
         // the builtin contains function is for searching a string within a tuple of strings,
         // let's override it to something that makes more sense
@@ -305,37 +300,61 @@ impl HTTP {
                     }
                 }),
             )
-            .unwrap();
-
-        // replace placeholders with actual values
-        let success_expression = self
-            .success_expression
-            .replace(HTTP_USERNAME_VAR, &creds.username)
-            .replace(HTTP_PASSWORD_VAR, &creds.password)
-            .replace(HTTP_PAYLOAD_VAR, creds.single());
-
-        match eval_boolean_with_context(&success_expression, &context) {
-            Ok(result) => {
-                if result {
-                    Some(Success {
-                        status,
-                        content_type,
-                        size,
-                    })
-                } else {
+            .map_err(|e| e.to_string())?;
+
+        // set placeholders with actual values
+        context
+            .set_value(
+                String::from("username"),
+                Value::from(creds.username.clone()),
+            )
+            .map_err(|e| e.to_string())?;
+        context
+            .set_value(
+                String::from("password"),
+                Value::from(creds.password.clone()),
+            )
+            .map_err(|e| e.to_string())?;
+        context
+            .set_value(String::from("payload"), Value::from(creds.single()))
+            .map_err(|e| e.to_string())?;
+
+        Ok((status, content_type, size, context))
+    }
+
+    async fn is_success_response(
+        &self,
+        creds: &Credentials,
+        response: Response,
+    ) -> Option<Success> {
+        let built = self.build_response_context(creds, response).await;
+        if let Ok((status, content_type, size, context)) = built {
+            match self.success_expression.eval_boolean_with_context(&context) {
+                Ok(result) => {
+                    if result {
+                        Some(Success {
+                            status,
+                            content_type,
+                            size,
+                        })
+                    } else {
+                        None
+                    }
+                }
+                Err(e) => {
+                    #[cfg(test)]
+                    println!(
+                        "error evaluating expression '{}': {}",
+                        self.success_expression, e
+                    );
+                    #[cfg(not(test))]
+                    log::error!("error evaluating success expression: {}", e);
                     None
                 }
             }
-            Err(e) => {
-                #[cfg(test)]
-                println!(
-                    "error evaluating expression '{}': {}",
-                    success_expression, e
-                );
-                #[cfg(not(test))]
-                log::error!("error evaluating success expression: {}", e);
-                None
-            }
+        } else {
+            log::error!("error building response context: {}", built.err().unwrap());
+            None
         }
     }
 
@@ -865,7 +884,13 @@ impl Plugin for HTTP {
             None
         };
 
-        self.success_expression = opts.http.http_success.clone();
+        self.success_expression =
+            evalexpr::build_operator_tree(&opts.http.http_success).map_err(|e| {
+                format!(
+                    "error parsing success expression '{}': {}",
+                    opts.http.http_success, e
+                )
+            })?;
 
         self.enum_ext = opts.http.http_enum_ext.clone();
         self.enum_ext_placeholder = opts.http.http_enum_ext_placeholder.clone();