feat(recon): Implement advanced path and parameter fuzzing

vishnurajkv · vishnurajkv · commit be7d0556b7e5 · 2026-03-09T13:06:38.000+01:00
- Added extended version identification (/v2/, /beta/, etc)
- Added file extension fuzzing (.json, .bak, .old)
- Added shadow admin path fuzzing (/admin, /system)
- Injected edge-case anomalies into parameters (0, 999999, SQLi/LFI snippets)
diff --git a/src/secnodeapi/services/recon.py b/src/secnodeapi/services/recon.py
@@ -17,14 +17,35 @@ def _mutate_path(path: str) -> List[str]:
     """Generate potential hidden paths based on existing routes."""
     mutations: Set[str] = set()
     stripped = path.rstrip("/")
+    
+    # Version mutations
     if "/v1/" in stripped:
-        mutations.add(stripped.replace("/v1/", "/v2/", 1))
-        mutations.add(stripped.replace("/v1/", "/internal/", 1))
-    if not stripped.endswith("/admin"):
-        mutations.add(f"{stripped}/admin")
+        for ver in ("/v2/", "/v3/", "/beta/", "/dev/", "/internal/"):
+            mutations.add(stripped.replace("/v1/", ver, 1))
+    
+    # Extension mutations
+    if "." not in stripped.split("/")[-1]:
+        for ext in (".json", ".xml", ".yaml", ".bak", ".old"):
+            mutations.add(f"{stripped}{ext}")
+            
+    # Admin & Shadow directory mutations
+    if not any(x in stripped for x in ("/admin", "/administrator", "/manager", "/config")):
+        for shadow in ("/admin", "/administrator", "/manager", "/config", "/system"):
+            mutations.add(f"{stripped}{shadow}")
+            
+    # ID & Injection mutations
     if "{id}" in stripped:
-        mutations.add(stripped.replace("{id}", "1"))
-        mutations.add(stripped.replace("{id}", "2"))
+        for inject in (
+            "1", 
+            "2", 
+            "0", 
+            "999999", 
+            "00000000-0000-0000-0000-000000000000",
+            "../../etc/passwd",
+            "' OR 1=1--"
+        ):
+            mutations.add(stripped.replace("{id}", inject))
+            
     return [m for m in mutations if m and m != path]
 
 
@@ -71,6 +92,21 @@ def _build_discovery_tests(endpoints: List[APIEndpoint]) -> List[TestCase]:
                 )
             )
             idx += 1
+            
+        # Probe for hidden parameters on existing GET paths
+        if "GET" in known_methods:
+            discovery_tests.append(
+                TestCase(
+                    id=f"PARAM-FUZZ-{idx}",
+                    name="Parameter Discovery",
+                    description="Probe for hidden debug or admin parameters",
+                    owasp_category="API9: Improper Inventory Management",
+                    endpoint=path,
+                    method="GET",
+                    params={"debug": "true", "admin": "1", "test": "true"}
+                )
+            )
+            idx += 1
 
     return discovery_tests
 
