43 changes: 41 additions & 2 deletions src/network-services-pentesting/pentesting-web/README.md
Expand Up @@ -86,7 +86,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
- [**IIS tricks**](iis-internet-information-services.md)
- [**Microsoft SharePoint**](microsoft-sharepoint.md)
- [**JBOSS**](jboss.md)
- [**Jenkins**](<[https:/github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md](https:/github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security)/>)
- [**Jenkins (CI/CD)**](https://cloud.hacktricks.wiki/en/pentesting-ci-cd/jenkins-security.html)
- [**Jira**](jira.md)
- [**Joomla**](joomla.md)
- [**JSP**](jsp.md)
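Review bot: the removed Jenkins line had a malformed href (a markdown link nested inside the URL part and `https:/` with a single slash), so it could never have resolved; the replacement is correct, but it swaps a relative in-repo path for an absolute URL to cloud.hacktricks.wiki. If the other cloud-wiki cross-references in this README already use the absolute form this is consistent; otherwise consider following the repo's existing convention for links into the cloud wiki.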
Expand Down Expand Up @@ -282,6 +282,40 @@ Tools:

_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._

### Web fuzzing result triage with Burp/Turbo Intruder Anomaly Rank

For large fuzzing sets, manual sorting by status/length is noisy. In Burp Suite 2025.10+, Anomaly Rank automatically surfaces outliers; Turbo Intruder auto-sorts by this score when the attack completes.

How it works (stability-weighted diffing):

- Extract attributes per response: status, content type, word/line counts, hashes, notable byte sequences.
- Weight attributes by stability across the batch: few unique values = higher weight; invariant or unique-per-response ≈ zero weight.
- Score each response by how rare its value is on high-stability attributes.

Worked example:

```text
Payload | Status | Content-Type | Word-count | CRC32
administrator | 403 | text/html | 812 | d753916d
admin | 403 | text/html | 812 | 5129f3bd
sales | 503 | text/html | 97 | 710639db
accounting | 200 | text/html | 812 | 3978f20f
ADMIN | 403 | text/html | 811 | 9fa1cbc1
root | 503 | text/html | 97 | 27df2486
test | 403 | text/html | 812 | e45449e7
```

ADMIN ranks highest due to a unique word count (811) among otherwise stable attributes.

Why it works on noisy pages:

- It downweights invariant or per-response-unique attributes and emphasizes stable-but-different ones, highlighting subtle, meaningful differences.

Operational tips:

- Requires Burp 2025.10+. Turbo Intruder computes and applies the ordering when the attack finishes.
- Triage: Review top-ranked items first. Look for a lone 200 among 403s, or off-by-one word/line counts indicating auth edges, error paths, or parsing quirks.

### What to check on each file found

- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
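Review bot: the explanation under the worked example ("ADMIN ranks highest due to a unique word count (811) among otherwise stable attributes") does not account for `accounting`, whose lone `200` status is equally unique on an attribute with the same number of distinct values (three) as Word-count, so a reader cannot tell from the text why 811 outranks the 200. Suggest either adding the sentence that explains how the two candidates are separated, or choosing a table in which only one response is anomalous. Minor: the "Requires Burp 2025.10+" bullet and the Turbo Intruder auto-sort bullet under Operational tips repeat the section's opening sentence; keep one of the two.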
Expand Down Expand Up @@ -428,4 +462,9 @@ Entry_12:
Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters}
```

{{#include ../../banners/hacktricks-training.md}}
## References

- [Introducing HTTP Anomaly Rank](https://portswigger.net/research/introducing-http-anomaly-rank)
- [Turbo Intruder: Embracing the billion-request attack](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)

{{#include ../../banners/hacktricks-training.md}}
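Review bot: moving the banner include below the new References section is the right order and matches the trailing include added to the LESS page in this PR; one nit is heading level, since the sections added earlier in this file use `###` while the new `## References` is one level up, so confirm it matches the level of the README's other top-level sections.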
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
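Review bot: promoting the title from `##` to `#` is correct, since the page otherwise had no top-level heading, and placing the banner include directly under it mirrors the closing include added at the end of this same file; no further change needed in this hunk.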

Expand Down Expand Up @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}
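Review bot: the removed and re-added `CVE-2024-58258` lines are byte-identical apart from the trailing newline, which is why the hunk counts `-4 +5` for what is really one appended include line; the rendered view hides the "no newline at end of file" marker, so this is a harmless end-of-file fix rather than a content change.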