From 5baabf933ebecae49c515a39590185ab9cf916fa Mon Sep 17 00:00:00 2001
From: laluka
Date: Sun, 5 May 2024 18:37:12 +0200
Subject: [PATCH] adding Sica tips

---
 CONTRIBUTING.md | 2 ++
 README.md | 3 ++
 .../payloads/internal_endpaths.lst | 6 ++++
 .../payloads/internal_midpaths.lst | 1 +
 tests-history/bup-payloads-2024-05-05.lst | 30 ++++++++++++++++++-
 5 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ea5c7c9..84161b1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,6 +12,8 @@ export PATH="$HOME/.local/share/mise/shims:$PATH"
 pdm run tox run-parallel
 # Ensure no regression is pushed
 bypass-url-parser -S 0 -v -u http://127.0.0.1:8000/foo/bar --dump-payloads > "tests-history/bup-payloads-$(date +'%Y-%m-%d').lst"
+# If bup installed globally, use
+python src/bypass_url_parser/__init__.py -S 0 -v -u http://127.0.0.1:8000/foo/bar --dump-payloads > "tests-history/bup-payloads-$(date +'%Y-%m-%d').lst"
 # Compare /tmp/bup-payloads-YYYY-MM-DD.lst and the latest tests-history/bup-payloads-YYYY-MM-DD.lst
 git diff --no-index $(find tests-history -type f | sort -n | tail -n 2)
 # Push your changes
diff --git a/README.md b/README.md
index 1e900c0..c641748 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,9 @@ sudo apt install -y bat curl virtualenv python3
 virtualenv -p python3 .py3
 source .py3/bin/activate
 PDM_BUILD_SCM_VERSION="$(git describe --abbrev=0)-dev" pip install .
+# If bup installed globally, use
+python src/bypass_url_parser/__init__.py -u https://thinkloveshare.com/juicy_403_endpoint/
+# Else this should work
 bypass-url-parser -u https://thinkloveshare.com/juicy_403_endpoint/
 cat /tmp/tmpRANDOM-bypass-url-parser/triaged-bypass.json | jq -r '.results[].request_curl_cmd'
 cat /tmp/tmpRANDOM-bypass-url-parser/triaged-bypass.json | jq -r '.results[].response_data'
diff --git a/src/bypass_url_parser/payloads/internal_endpaths.lst b/src/bypass_url_parser/payloads/internal_endpaths.lst
index 8fdbb0d..974f09f 100644
--- a/src/bypass_url_parser/payloads/internal_endpaths.lst
+++ b/src/bypass_url_parser/payloads/internal_endpaths.lst
@@ -41,3 +41,9 @@ false
 null
 true
 ~
+.js
+.css
+.gif
+.jpe?g
+.png
+.xls
diff --git a/src/bypass_url_parser/payloads/internal_midpaths.lst b/src/bypass_url_parser/payloads/internal_midpaths.lst
index c12b9ed..9a9ea18 100644
--- a/src/bypass_url_parser/payloads/internal_midpaths.lst
+++ b/src/bypass_url_parser/payloads/internal_midpaths.lst
@@ -1,3 +1,4 @@
+,
 ;
 ;?
 ;/
diff --git a/tests-history/bup-payloads-2024-05-05.lst b/tests-history/bup-payloads-2024-05-05.lst
index 16b9f12..e384b33 100644
--- a/tests-history/bup-payloads-2024-05-05.lst
+++ b/tests-history/bup-payloads-2024-05-05.lst
@@ -1,5 +1,5 @@
-Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
+Bypasser has generated 3778 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [case_substitution] http://127.0.0.1:8000/Foo/bar
 [case_substitution] http://127.0.0.1:8000/fOo/bar
 [case_substitution] http://127.0.0.1:8000/foO/bar
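Review bot: The new `.jpe?g` entry in internal_endpaths.lst looks like a regex shorthand for jpg/jpeg, but the list is consumed literally: the regenerated dump in tests-history/bup-payloads-2024-05-05.lst emits it as `http://127.0.0.1:8000/foo/bar.jpe?g`, where the `?` starts a query string, so the request exercises the path `/foo/bar.jpe` with query `g` rather than either image extension. Replace the single entry with two literal ones, `.jpg` and `.jpeg`, matching the form of the other extensions added in this hunk (`.js`, `.css`, `.png`). Since the history dump and its payload count are derived from this list, it will need to be regenerated after the fix so the `bar.jpe?g` lines disappear.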
@@ -48,10 +48,20 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [end_paths] http://127.0.0.1:8000/foo/bar..\;/
 [end_paths] http://127.0.0.1:8000/foo/bar./
 [end_paths] http://127.0.0.1:8000/foo/bar.//
+[end_paths] http://127.0.0.1:8000/foo/bar.css
+[end_paths] http://127.0.0.1:8000/foo/bar.css/
+[end_paths] http://127.0.0.1:8000/foo/bar.gif
+[end_paths] http://127.0.0.1:8000/foo/bar.gif/
 [end_paths] http://127.0.0.1:8000/foo/bar.html
 [end_paths] http://127.0.0.1:8000/foo/bar.html/
+[end_paths] http://127.0.0.1:8000/foo/bar.jpe?g
+[end_paths] http://127.0.0.1:8000/foo/bar.jpe?g/
+[end_paths] http://127.0.0.1:8000/foo/bar.js
+[end_paths] http://127.0.0.1:8000/foo/bar.js/
 [end_paths] http://127.0.0.1:8000/foo/bar.json
 [end_paths] http://127.0.0.1:8000/foo/bar.json/
+[end_paths] http://127.0.0.1:8000/foo/bar.png
+[end_paths] http://127.0.0.1:8000/foo/bar.png/
 [end_paths] http://127.0.0.1:8000/foo/bar.random
 [end_paths] http://127.0.0.1:8000/foo/bar.random/
 [end_paths] http://127.0.0.1:8000/foo/bar.svc
@@ -60,6 +70,8 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [end_paths] http://127.0.0.1:8000/foo/bar.svc?wsdl/
 [end_paths] http://127.0.0.1:8000/foo/bar.wsdl
 [end_paths] http://127.0.0.1:8000/foo/bar.wsdl/
+[end_paths] http://127.0.0.1:8000/foo/bar.xls
+[end_paths] http://127.0.0.1:8000/foo/bar.xls/
 [end_paths] http://127.0.0.1:8000/foo/bar/
 [end_paths] http://127.0.0.1:8000/foo/bar/#
 [end_paths] http://127.0.0.1:8000/foo/bar/#/
@@ -97,10 +109,20 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [end_paths] http://127.0.0.1:8000/foo/bar/..\;/
 [end_paths] http://127.0.0.1:8000/foo/bar/./
 [end_paths] http://127.0.0.1:8000/foo/bar/.//
+[end_paths] http://127.0.0.1:8000/foo/bar/.css
+[end_paths] http://127.0.0.1:8000/foo/bar/.css/
+[end_paths] http://127.0.0.1:8000/foo/bar/.gif
+[end_paths] http://127.0.0.1:8000/foo/bar/.gif/
 [end_paths] http://127.0.0.1:8000/foo/bar/.html
 [end_paths] http://127.0.0.1:8000/foo/bar/.html/
+[end_paths] http://127.0.0.1:8000/foo/bar/.jpe?g
+[end_paths] http://127.0.0.1:8000/foo/bar/.jpe?g/
+[end_paths] http://127.0.0.1:8000/foo/bar/.js
+[end_paths] http://127.0.0.1:8000/foo/bar/.js/
 [end_paths] http://127.0.0.1:8000/foo/bar/.json
 [end_paths] http://127.0.0.1:8000/foo/bar/.json/
+[end_paths] http://127.0.0.1:8000/foo/bar/.png
+[end_paths] http://127.0.0.1:8000/foo/bar/.png/
 [end_paths] http://127.0.0.1:8000/foo/bar/.random
 [end_paths] http://127.0.0.1:8000/foo/bar/.random/
 [end_paths] http://127.0.0.1:8000/foo/bar/.svc
@@ -109,6 +131,8 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [end_paths] http://127.0.0.1:8000/foo/bar/.svc?wsdl/
 [end_paths] http://127.0.0.1:8000/foo/bar/.wsdl
 [end_paths] http://127.0.0.1:8000/foo/bar/.wsdl/
+[end_paths] http://127.0.0.1:8000/foo/bar/.xls
+[end_paths] http://127.0.0.1:8000/foo/bar/.xls/
 [end_paths] http://127.0.0.1:8000/foo/bar//
 [end_paths] http://127.0.0.1:8000/foo/bar///
 [end_paths] http://127.0.0.1:8000/foo/bar////
@@ -2386,6 +2410,7 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [mid_paths] http://127.0.0.1:8000/%u002e;foo/bar
 [mid_paths] http://127.0.0.1:8000/%u002efoo/bar
 [mid_paths] http://127.0.0.1:8000/&foo/bar
+[mid_paths] http://127.0.0.1:8000/,foo/bar
 [mid_paths] http://127.0.0.1:8000/.%00/foo/bar
 [mid_paths] http://127.0.0.1:8000/.%00foo/bar
 [mid_paths] http://127.0.0.1:8000/.%2e/foo/bar
@@ -2552,6 +2577,7 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [mid_paths] http://127.0.0.1:8000//&foo/bar
 [mid_paths] http://127.0.0.1:8000//*/foo/bar
 [mid_paths] http://127.0.0.1:8000//*foo/bar
+[mid_paths] http://127.0.0.1:8000//,foo/bar
 [mid_paths] http://127.0.0.1:8000//.%00/foo/bar
 [mid_paths] http://127.0.0.1:8000//.%00foo/bar
 [mid_paths] http://127.0.0.1:8000//.%2e/foo/bar
@@ -2961,6 +2987,7 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [mid_paths] http://127.0.0.1:8000//foo/%u002e;bar
 [mid_paths] http://127.0.0.1:8000//foo/%u002ebar
 [mid_paths] http://127.0.0.1:8000//foo/&bar
+[mid_paths] http://127.0.0.1:8000//foo/,bar
 [mid_paths] http://127.0.0.1:8000//foo/.%00/bar
 [mid_paths] http://127.0.0.1:8000//foo/.%00bar
 [mid_paths] http://127.0.0.1:8000//foo/.%2e/bar
@@ -3461,6 +3488,7 @@ Bypasser has generated 3750 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [mid_paths] http://127.0.0.1:8000/foo/%u002e;bar
 [mid_paths] http://127.0.0.1:8000/foo/%u002ebar
 [mid_paths] http://127.0.0.1:8000/foo/&bar
+[mid_paths] http://127.0.0.1:8000/foo/,bar
 [mid_paths] http://127.0.0.1:8000/foo/.%00/bar
 [mid_paths] http://127.0.0.1:8000/foo/.%00bar
 [mid_paths] http://127.0.0.1:8000/foo/.%2e/bar