Filedownload - do not download PNGs

bbot/core/event/base.py

@@ -1091,6 +1091,17 @@ class HASHED_PASSWORD(BaseEvent):
 class USERNAME(BaseEvent):
     _always_emit = True
 
+    def __new__(cls, data, *args, **kwargs):
+        # if the data is an email, emit as an email instead
+        if validators.soft_validate(data, "email"):
+            log.critical(f"{data} is an email")
+            tags = set(kwargs.get("tags", []))
+            # add affiliate tag so the event is always emitted regardless of scope distance
+            tags.add("affiliate")
+            kwargs["tags"] = tags
+            return EMAIL_ADDRESS(data, *args, **kwargs)
+        return super().__new__(cls)
+
 
 class SOCIAL(DictEvent):
     _always_emit = True

bbot/modules/dehashed.py

@@ -6,7 +6,7 @@
 class dehashed(credential_leak):
     watched_events = ["DNS_NAME"]
     produced_events = ["PASSWORD", "HASHED_PASSWORD", "USERNAME"]
-    flags = ["passive"]
+    flags = ["passive", "safe", "email-enum"]
     meta = {"description": "Execute queries against dehashed.com for exposed credentials", "auth_required": True}
     options = {"username": "", "api_key": ""}
     options_desc = {"username": "Email Address associated with your API key", "api_key": "DeHashed API Key"}

bbot/modules/filedownload.py

@@ -14,7 +14,7 @@ class filedownload(BaseModule):
 
     watched_events = ["URL_UNVERIFIED", "HTTP_RESPONSE"]
     produced_events = []
-    flags = ["active", "safe"]
+    flags = ["active", "safe", "web-basic"]
     meta = {"description": "Download common filetypes such as PDF, DOCX, PPTX, etc."}
     options = {
         "extensions": [
@@ -46,7 +46,6 @@ class filedownload(BaseModule):
             "odt",  #  OpenDocument Text (LibreOffice, OpenOffice)
             "pdf",  #  Adobe Portable Document Format
             "pem",  #  Privacy Enhanced Mail (SSL certificate)
-            "png",  #  Portable Network Graphics Image
             "pps",  #  Microsoft PowerPoint Slideshow (Old Format)
             "ppsx",  #  Microsoft PowerPoint Slideshow
             "ppt",  #  Microsoft PowerPoint Presentation (Old Format)

bbot/modules/hunt.py

@@ -274,7 +274,7 @@
 class hunt(BaseModule):
     watched_events = ["HTTP_RESPONSE"]
     produced_events = ["FINDING"]
-    flags = ["active", "safe", "web-basic", "web-thorough"]
+    flags = ["active", "safe", "web-thorough"]
     meta = {"description": "Watch for commonly-exploitable HTTP parameters"}
     # accept all events regardless of scope distance
     scope_distance_modifier = None

bbot/test/test_step_1/test_modules_basic.py

@@ -125,6 +125,9 @@ async def test_modules_basic(scan, helpers, events, bbot_config, bbot_scanner, h
             assert ("active" in flags and not "passive" in flags) or (
                 not "active" in flags and "passive" in flags
             ), f'module "{module_name}" must have either "active" or "passive" flag'
+            assert ("safe" in flags and not "aggressive" in flags) or (
+                not "safe" in flags and "aggressive" in flags
+            ), f'module "{module_name}" must have either "safe" or "aggressive" flag'
             assert preloaded.get("meta", {}).get("description", ""), f"{module_name} must have a description"
 
         # attribute checks

bbot/test/test_step_2/module_tests/test_module_dehashed.py

@@ -7,7 +7,7 @@
             "id": "4363462346",
             "email": "[email protected]",
             "ip_address": "",
-            "username": "",
+            "username": "[email protected]",
             "password": "",
             "hashed_password": "$2a$12$pVmwJ7pXEr3mE.DmCCE4fOUDdeadbeefd2KuCy/tq1ZUFyEOH2bve",
             "name": "Bob Smith",
@@ -46,8 +46,11 @@ async def setup_before_prep(self, module_test):
         )
 
     def check(self, module_test, events):
-        assert len(events) == 7
+        for e in events:
+            module_test.log.critical(e)
+        assert len(events) == 8
         assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "[email protected]"])
+        assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "[email protected]" and e.scope_distance == 1 and "affiliate" in e.tags] and e.source.data == "[email protected]")
         assert 1 == len([e for e in events if e.type == "EMAIL_ADDRESS" and e.data == "[email protected]"])
         assert 1 == len(
             [