Developer Plugin Classification - owtf/reboot GitHub Wiki
Reboot uses a class-based hierarchy for defining a plugin.
Overview
Plugins are expected to return a list of dicts. A sample list might look like this:

```python
[{
    "type": "suggested_command_box",
    "args": {
        "command": "python3 sqlmap.py -u some_url.com --data 'some_parameters'",
        "header": "Command to run sqlmap"
    }
}, {
    "type": "vulnerability_search_box",
    "args": {
        "search_str": "ASPX"
    }
}]
```
This list is stored in the database as the plugin output, in JSON form. When the interface wants to render this plugin output, a method of the reporter is looked up using the `type` value and the `args` are passed to it as keyword arguments. The call looks something like this:

```python
output_html = ''
for item in plugin_output:
    output_html += getattr(reporter, item["type"])(**item["args"])
return output_html
```

The final HTML of this output is a command box followed by a vulnerability search box, in the same order as the list. Note that both `type` and `args` are whatever the plugin stored: the lookup should be limited to the reporter's rendering methods rather than any attribute `getattr` can reach, and the reporter should escape the argument strings before placing them in HTML.
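The rendering path described above, as an added example (not code from the owtf/reboot project): a minimal reporter with the two rendering methods named on this page, the dispatch loop with an allowlist check on `type`, and HTML escaping of the plugin-supplied strings. The method names come from the page; the HTML they emit and the `RENDERERS` allowlist are assumptions of this example.

```python
import html

# Added example, not code from the owtf/reboot project: a minimal reporter
# and the dispatch loop described above, with two checks the loop as written
# does not make. The method names are the page's; their HTML is assumed.


class Reporter:
    """One rendering method per plugin-output type. Only the names in
    RENDERERS may be selected by a stored item's "type" value."""

    RENDERERS = frozenset({"suggested_command_box", "vulnerability_search_box"})

    def suggested_command_box(self, command, header):
        # Plugin-supplied strings are escaped before they are placed in HTML.
        return (
            f"<div class='command-box'><h4>{html.escape(header)}</h4>"
            f"<pre>{html.escape(command)}</pre></div>"
        )

    def vulnerability_search_box(self, search_str):
        return (
            "<div class='vuln-search'>Search vulnerabilities for: "
            f"<code>{html.escape(search_str)}</code></div>"
        )


def render(reporter, plugin_output):
    """Render stored plugin output by dispatching each item to the reporter
    method named by its "type", in list order."""
    output_html = ""
    for item in plugin_output:
        kind = item["type"]
        # "type" comes back from the database exactly as the plugin stored it.
        # Checking it against the allowlist keeps getattr() from reaching any
        # other attribute of the reporter object.
        if kind not in reporter.RENDERERS:
            raise ValueError(f"unknown plugin output type: {kind!r}")
        output_html += getattr(reporter, kind)(**item["args"])
    return output_html


# The sample list from this page, as a plugin would return it.
SAMPLE_OUTPUT = [
    {
        "type": "suggested_command_box",
        "args": {
            "command": "python3 sqlmap.py -u some_url.com --data 'some_parameters'",
            "header": "Command to run sqlmap",
        },
    },
    {"type": "vulnerability_search_box", "args": {"search_str": "ASPX"}},
]

if __name__ == "__main__":
    print(render(Reporter(), SAMPLE_OUTPUT))
```

Running the module prints the command box followed by the search box. An item whose `type` is not in the allowlist (for example `"__class__"`) is rejected with `ValueError` instead of being resolved on the reporter object.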
Hierarchy

The hierarchy in list form looks like this:

- Base Plugin
  - Static Plugin
  - Dynamic Plugin
  - Grep Plugin
Base Plugin

This is the base class with the methods that are common to all plugins.

Methods

`multiple_replace(self, text, replacement_dict)`
- `text` (string): text to be modified
- `replacement_dict` (dict): key-value pairs of substrings to be replaced
- return (string): modified text with all the replacements applied

`initialize_dir(self, plugin_info)`
- `plugin_info` (dict): attributes of a plugin
- return (string): folder path that is created

`escape(self, text, ext=None)`
- `text` (string): text to be escaped
- `ext` (string): extension of the file (useful for context-specific escaping)
- return (string): escaped text

`setup(self)`
- Method to be overridden by plugin authors to perform any setup

`execute(self)`
- return (list): list of dicts

`tear_down(self)`
- Method to be overridden by plugin authors to clean up anything they created

- ... some more such methods
Static Plugin

The base class for plugins that produce static content, such as resource lists, rather than sending requests to the target.

Methods

`link_list(self, list_name, links)`
- `list_name` (string): name of the list of links
- `links` (list): list of links
- return (dict)

- ... more to be added
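The Base Plugin and Static Plugin method lists above, worked through as an added example (not the project's own classes): a hypothetical `BasePlugin` implementing `multiple_replace`, `initialize_dir` and `escape`, a `StaticPlugin` with `link_list`, one sample plugin that uses them, and a runner that calls `setup`, `execute` and `tear_down` in order. The `plugin_info` keys (`group`, `code`, `target`), the `base_dir` argument, the `link_list` output type and the sample plugin itself are assumptions of this example.

```python
import html
import json
import os
import re
import tempfile

# Added example, not the project's own classes: a hypothetical BasePlugin and
# StaticPlugin shaped after the method lists above, one sample plugin built on
# them, and a runner that always calls tear_down(). Assumptions: plugin_info
# carries "group", "code" and "target" keys, and the caller supplies base_dir.

class BasePlugin:
    def __init__(self, plugin_info, base_dir):
        self.plugin_info = plugin_info
        self.base_dir = base_dir
        self.output_dir = None

    def multiple_replace(self, text, replacement_dict):
        """Apply all replacements in one pass, longest key first, so the output
        of one replacement is never fed into another."""
        if not replacement_dict:
            return text
        keys = sorted(replacement_dict, key=len, reverse=True)
        pattern = re.compile("|".join(re.escape(k) for k in keys))
        return pattern.sub(lambda m: replacement_dict[m.group(0)], text)

    def initialize_dir(self, plugin_info):
        """Create the plugin's folder under base_dir. Anything other than name
        characters in the plugin attributes is replaced, so the path stays inside base_dir."""
        raw = f"{plugin_info['group']}_{plugin_info['code']}"
        path = os.path.join(self.base_dir, re.sub(r"[^A-Za-z0-9_-]", "_", raw))
        os.makedirs(path, exist_ok=True)
        self.output_dir = path
        return path

    def escape(self, text, ext=None):
        """Escape text for the kind of file it will be written into."""
        if ext == "html":
            return html.escape(text)
        if ext == "json":
            return json.dumps(text)[1:-1]  # JSON string body without the quotes
        return text

    def setup(self):
        pass

    def execute(self):
        raise NotImplementedError

    def tear_down(self):
        pass


class StaticPlugin(BasePlugin):
    def link_list(self, list_name, links):
        # One output item; a reporter method of the same name would render it.
        return {"type": "link_list", "args": {"list_name": list_name, "links": list(links)}}


class ResourceListPlugin(StaticPlugin):
    """Sample static plugin: fills TARGET into a fixed list of resources."""
    RESOURCES = {
        "Search engine dorks": [
            "https://www.google.com/search?q=site:TARGET",
            "https://www.google.com/search?q=inurl:TARGET+ext:bak",
        ],
    }

    def setup(self):
        self.initialize_dir(self.plugin_info)
        self.torn_down = False

    def execute(self):
        target = self.plugin_info["target"]
        items = []
        for name, links in self.RESOURCES.items():
            expanded = [self.multiple_replace(link, {"TARGET": target}) for link in links]
            items.append(self.link_list(name, expanded))
        return items

    def tear_down(self):
        self.torn_down = True


def run_plugin(plugin):
    """setup -> execute -> tear_down; tear_down runs even if execute() raises."""
    plugin.setup()
    try:
        return plugin.execute()
    finally:
        plugin.tear_down()


def run_demo(target="example.com", code="example_code"):
    """Run the sample plugin in a fresh temporary directory; returns (output, plugin)."""
    plugin_info = {"group": "example_group", "code": code, "target": target}
    plugin = ResourceListPlugin(plugin_info, tempfile.mkdtemp())
    return run_plugin(plugin), plugin
```

`run_demo()` returns the list of dicts the plugin produced together with the plugin object, so the created folder and the `torn_down` flag can be inspected. Passing a `code` such as `"../../etc/passwd"` shows that `initialize_dir` keeps the folder under `base_dir`.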
Dynamic Plugin

The base class for plugins that send requests to the target.

Methods

`run_command(self, command)`
- `command` (string): command to run
- return (dict)

- ... more to be added
Grep Plugin

The class for all grep plugins.

Methods

`header_matches(self, regex_names)`
- `regex_names` (string|list): regex name(s) (like HEADERS_FOR_XSS_PROTECTION)
- return (dict): used by the reporter for rendering

`body_matches(self, regex_names)`
- `regex_names` (string|list): regex name(s) (like RESPONSE_REGEXP_FOR_HTML_COMMENTS)
- return (dict): used by the reporter for rendering
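The `header_matches` / `body_matches` pair above, as an added example (not the project's code): a hypothetical `GrepPlugin` that looks regexes up by name and runs them over constructed HTTP transactions. The two regex names are the ones this page mentions; their patterns, the assumed model that grep plugins search already recorded transactions instead of contacting the target, the `(url, headers, body)` transaction layout and the `grep_matches` output type are assumptions of this example.

```python
import re

# Added example, not the project's code: a hypothetical GrepPlugin whose
# header_matches()/body_matches() run named regexes over recorded HTTP
# transactions. The regex names are the ones this page mentions; their
# patterns, the transaction layout and the "grep_matches" output type are
# assumptions of this example.

# Named regexes a grep plugin refers to by name (patterns assumed).
REGEXES = {
    "HEADERS_FOR_XSS_PROTECTION": re.compile(
        r"^(?:X-XSS-Protection|Content-Security-Policy):[ \t]*(.*)$", re.I | re.M),
    "RESPONSE_REGEXP_FOR_HTML_COMMENTS": re.compile(r"<!--(.*?)-->", re.S),
}

# Constructed sample transactions: (url, raw response headers, response body).
TRANSACTIONS = [
    ("https://example.test/",
     "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n",
     "<html><!-- TODO: remove debug=1 before release --><body>ok</body></html>"),
    ("https://example.test/login",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
     "<html><body><form>login</form></body></html>"),
]


class GrepPlugin:
    """Assumed model: a grep plugin searches transactions that were recorded
    earlier; it sends nothing to the target itself."""

    def __init__(self, transactions):
        self.transactions = transactions

    def _grep(self, regex_names, field):
        # Accept a single name or a list of names, as the method signatures allow.
        if isinstance(regex_names, str):
            regex_names = [regex_names]
        results = {}
        for name in regex_names:
            # An unknown name is a plugin bug: fail loudly instead of reporting "no matches".
            pattern = REGEXES[name]
            hits, unmatched = [], []
            for url, headers, body in self.transactions:
                text = headers if field == "headers" else body
                found = [m.group(0).strip() for m in pattern.finditer(text)]
                if found:
                    hits.extend({"url": url, "match": f} for f in found)
                else:
                    # For header checks the transactions *without* a match are often the finding.
                    unmatched.append(url)
            results[name] = {"hits": hits, "unmatched_urls": unmatched}
        return results

    def header_matches(self, regex_names):
        return {"type": "grep_matches", "args": {"matches": self._grep(regex_names, "headers")}}

    def body_matches(self, regex_names):
        return {"type": "grep_matches", "args": {"matches": self._grep(regex_names, "body")}}


if __name__ == "__main__":
    plugin = GrepPlugin(TRANSACTIONS)
    print(plugin.header_matches("HEADERS_FOR_XSS_PROTECTION"))
    print(plugin.body_matches(["RESPONSE_REGEXP_FOR_HTML_COMMENTS"]))
```

Each method returns one output dict in the same `type`/`args` shape as the Overview, so the reporter can render it like any other plugin output. Per regex name the result carries both the matches and the URLs that produced none; for a header check such as HEADERS_FOR_XSS_PROTECTION the second list is usually what the tester wants to see.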