Use the on_regex_loaded hook to yield secator output types.
Example:
Assume mytool outputs on stdout like:
mytool-umytarget.com[INF] This is an info message[ERR] This is an error message[FOUND] https://mytarget.com/api [type=url] [status=200] [content_type=application/json] [title=MyAwesomeWebPage][FOUND] https://mytarget.com/api/metrics [type=url] [status=403][FOUND] A3TBABCD1234EFGH5678 [type=aws_api_key] [matched_at=https://mytarget/api/.aws_key.json][FOUND] <-- an HTML comment --> [type=aws_api_key] [matched_at=https://mytarget/api/.aws_key.json][FOUND] CVE-2021-44228 [type=vulnerability] [matched_at=https://mytarget/api/sensitive_api_path]
First we need to find a regular expression that will match the items marked with [FOUND] and get the individual values using a named regex (you can use Pythex for this).
An integration of mytool with secator would look like:
secator/tasks/mytool.py
from secator.decorators import taskfrom secator.runners import Commandfrom secator.output_types import Url, Tag, Vulnerabilityfrom secator.serializers import RegexSerializerfrom secator.tasks._categories import VulnOUTPUT_REGEX =r'\[\w+]\s(?P<value>.*)\s\[type=(?P<type>[\w_]+)\](\s\[status=(?P<status>\d+)\])?(\s\[content_type=(?P<content_type>[\w\/]+)\])?(\s\[title=(?P<title>.*)\])?(\s\[matched_at=(?P<matched_at>.*)\])?'@task()classmytool(Command): cmd ='/home/osboxes/.local/bin/mytool' input_flag ='-u' json_flag ='-jsonl' output_types = [Url, Tag, Vulnerability]# Use the RegexSerializer to load the stdout input item_loaders = [RegexSerializer( OUTPUT_REGEX, fields=['value', 'type', 'status', 'content_type', 'title', 'matched_at'] ) ]# React to items loaded by the RegexSerializer, and yield secator output types# like Url, Vulnerability, and Tag.@staticmethoddefon_regex_loaded(self,item):# this is called after the regex serializer runs,# so we can expect item to be a dict with the matched regex valuesif (item['type']=='url'):yieldUrl( url=item['value'], status_code=int(item['status']), content_type=item['content_type'], title=item['title'] )elif (item['type']=='vulnerability'): cve_id = item['value'] lookup_data = Vuln.lookup_cve(cve_id)# perform vulnerability search vuln ={'matched_at': item['matched_at']}if lookup_data: vuln.update(**lookup_data)yieldVulnerability(**vuln)else:yieldTag( name=item['type'], match=item['matched_at'], extra_data={'secret': item['value'] } )
Run it with secator:
$secatorxmytoolmytarget.com____________________//__________/___/_ \/ ___/__`/__/__ \/ ___/ (__/__//__//_///_//_////____/\___/\___/\__,_/\__/\____/_/v0.6.0freelabz.comNoCeleryworkeralive./home/osboxes/.local/bin/mytool-umytarget.com-jsonl[INF] This is an info message[ERR] This is an error message🔗https://mytarget.com/api [200] [MyAwesomeWebPage] [application/json]🔗https://mytarget.com/api/metrics [403]🏷️aws_api_keyfound@https://mytarget/api/.aws_key.jsonsecret:A3TBABCD1234EFGH5678🚨 [Object Injection🡕] [critical] https://mytarget/api/sensitive_api_path
from secator.tasks import mytooltask =mytool('mytarget.com')for item in task:print(item)# this will output Url, Vulnerability, or Tag items.
Writing a custom item loader
Steps:
Override the item_loader static method to parse the standard output with custom code.
Example:
Assume mytool outputs on stdout like:
mytool-umytarget.comhttps://mytarget.com/api|url|200|application/json|MyAwesomePagehttps://mytarget.com/api/metrics|url|403A3TBABCD1234EFGH5678|aws_api_key|http://mytarget/api/.aws_key.json<-- an HTML comment -->|html_comment|http://mytarget/api/.aws_key.jsonCVE-2021-44228|vulnerability|http://mytarget/api/sensitive_ap
$secatorxmytoolmytarget.com____________________//__________/___/_ \/ ___/__`/__/__ \/ ___/ (__/__//__//_///_//_////____/\___/\___/\__,_/\__/\____/_/v0.6.0freelabz.comNoCeleryworkeralive./home/osboxes/.local/bin/mytool-umytarget.com-jsonl[INF] This is an info message[ERR] This is an error message🔗https://mytarget.com/api [200] [MyAwesomeWebPage] [application/json]🔗https://mytarget.com/api/metrics [403]🏷️aws_api_keyfound@https://mytarget/api/.aws_key.jsonsecret:A3TBABCD1234EFGH5678🚨 [Object Injection🡕] [critical] https://mytarget/api/sensitive_api_path
from secator.tasks import mytooltask =mytool('mytarget.com')for item in task:print(item)# this will output Url, Vulnerability, or Tag items.