Plugins

Plugins in Raider are pieces of code that are used to get inputs from, and put them in the HTTP request, and/or to extract some values from the response. This is used to facilitate the information exchange between Flows. Below there’s a list of predefined Plugins. The users are also encouraged to write their own plugins.

Common

Plugin

class Plugin(name, function=None, flags=0, value=None)[source]

Parent class for all plugins.

Each Plugin class inherits from here. “get_value” function should be called when extracting the value from the plugin, which will then be stored in the “value” attribute.

name

A string used as an identifier for the Plugin.

function

A function which will be called to extract the “value” of the Plugin when used as an input in a Flow. The function should set self.value and also return it.

value

A string containing the Plugin’s output value to be used as input in the HTTP request.

flags

An integer containing the flags that define the Plugin’s behaviour. For now only NEEDS_USERDATA and NEEDS_RESPONSE is supported. If NEEDS_USERDATA is set, the plugin will get its value from the user’s data, which will be sent to the function defined here. If NEEDS_RESPONSE is set, the Plugin will extract its value from the HTTP response instead.

Parser

class Parser(name, function, value=None)[source]

Plugins that parse other plugins.

Empty

class Empty(name)[source]

Empty plugin to use for fuzzing new data.

Basic

Variable

Use this when the value of the plugin should be extracted from the user data. At the moment only username and password are working. Future versions will allow adding and accessing arbitrary data from the users.

Example:

(setv username (Variable "username"))
class Variable(name)[source]

Plugin to extract the value of a variable.

For now only the username and password variables are supported. Use this when supplying credentials to the web application.

Prompt

Prompt plugin should be used when the information is not known in advance, for example when receiving the SMS code.

Example:

(setv mfa_code (Prompt "Input code here:"))
class Prompt(name)[source]

Plugin to ask the user for an input.

Use this plugin when the value cannot be known in advance, for example when asking for multi-factor authentication code that is going to be sent over SMS.

get_user_prompt()[source]

Gets the value from user input.

Creates a prompt asking the user for input and stores the value in the Plugin.

Return type

str

Command

Use Command plugin if you want to extract information using a shell command.

Example:

(setv mfa_code (Command
                :name "otp"
                :command "pass otp personal/app1"))
class Command(name, command)[source]

Runs a shell command and extract the output.

run_command()[source]

Runs a command and returns its value.

Given a dictionary with the predefined variables, return the value of the with the same name as the “name” attribute from this Plugin.

Parameters

data – A dictionary with the predefined variables.

Return type

Optional[str]

Returns

A string with the value of the variable found. None if no such variable has been defined.

Regex

Use Regex plugin if the data you want extracted can be easily identified with a regular expression. The string matched in between ( and ) will be stored as the plugin’s value.

Example:

(setv access_token
      (Regex
        :name "access_token"
        :regex "\"accessToken\":\"([^\"]+)\""))
class Regex(name, regex, extract=0)[source]

Plugin to extract something using regular expressions.

This plugin will match the regex provided, and extract the value inside the matched group, which by default is the first one. A group is the string that matched inside the brackets.

For example if the regular expression is:

“accessToken”:”([^”]+)”

and the text to match it against contains:

“accessToken”:”0123456789abcdef”

then only the string “0123456789abcdef” will be extracted and saved in the “value” attribute.

regex

A string containing the regular expression to be matched.

extract

An integer with the group number that needs to be extracted.

__str__()[source]

Returns a string representation of the Plugin.

Return type

str

extract_regex(response)[source]

Extracts defined regular expression from a text.

Given a text to be searched for matches, return the string inside the group defined in “extract” or the first group if it’s undefined.

Parameters

text – A string containing the text to be searched for matches.

Return type

Optional[str]

Returns

A string with the match from the extracted group. Returns None if there are no matches.

Html

Use the Html plugin when the data you want can be easily extracted by parsing HTML tags. Create a new plugin by giving it a name, the tag where the information is located, some attributes to identify whether the tag is the right one, and the name of the tag attribute you want to extract. The attributes are created as a dictionary, and its values can be regular expressions.

Example:

(setv csrf_token
      (Html
        :name "csrf_token"
        :tag "input"
        :attributes
        {:name "csrf_token"
         :value "^[0-9a-f]{40}$"
         :type "hidden"}
        :extract "value"))
class Html(name, tag, attributes, extract)[source]

Plugin to extract something from an HTML tag.

This Plugin will find the HTML “tag” containing the specified “attributes” and store the “extract” attribute of the matched tag in its “value” attribute.

tag

A string defining the HTML tag to look for.

attributes

A dictionary with attributes matching the desired HTML tag. The keys in the dictionary are strings matching the tag’s attributes, and the values are treated as regular expressions, to help match tags that don’t have a static value.

extract

A string defining the HTML tag’s attribute that needs to be extracted and stored inside “value”.

__str__()[source]

Returns a string representation of the Plugin.

Return type

str

extract_html_tag(response)[source]

Extract data from an HTML tag.

Given the HTML text, parses it, iterates through the tags, and find the one matching the attributes. Then it stores the matched “value” and returns it.

Parameters

text – A string containing the HTML text to be processed.

Return type

Optional[str]

Returns

A string with the match as defined in the Plugin. Returns None if there are no matches.

Json

class Json(name, extract, function=None, flags=2)[source]

Plugin to extract a field from JSON.

The “extract” attribute is used to specify which field to store in the “value”. Using the dot . character you can go deeper inside the JSON object. To look inside an array, use square brackets [].

Keys with special characters should be written inside double quotes ". Keep in mind that when written inside hyfiles, it’ll already be between double quotes, so you’ll have to escape them with the backslash character \.

Examples

env.production[0].field production.keys[1].x5c[0][1][0]."with space"[3]

extract

A string defining the location of the field that needs to be extracted. For now this is still quite primitive, and cannot access data from JSON arrays.

__str__()[source]

Returns a string representation of the Plugin.

Return type

str

extract_json_field(text)[source]

Extracts the JSON field from the text.

Given the JSON body as a string, extract the field and store it in the Plugin’s “value” attribute.

Parameters

text (str) – A string with the JSON body.

Return type

Optional[str]

Returns

A string with the result of extraction. If no such field is found None will be returned.

extract_json_from_plugin()[source]

Extracts the json field from a plugin.

Return type

Optional[str]

extract_json_from_response(response)[source]

Extracts the json field from a HTTP response.

Return type

Optional[str]

classmethod from_plugin(parent_plugin, name, extract)[source]

Extracts the JSON field from another plugin’s value.

Return type

Json

Modifiers

Alter

class Alter(parent_plugin, alter_function=None)[source]

Plugin used to alter other plugin’s value.

If the value extracted from other plugins cannot be used in it’s raw form and needs to be somehow processed, Alter plugin can be used to do that. Initialize it with the original plugin and a function which will process the string and return the modified value.

alter_function

A function which will be given the plugin’s value. It should return a string with the processed value.

classmethod append(parent_plugin, string)[source]

Append a string after the plugin’s value

Return type

Alter

classmethod prepend(parent_plugin, string)[source]

Prepend a string to plugin’s value.

Return type

Alter

process_value()[source]

Process the original plugin’s value.

Gives the original plugin’s value to alter_function. Return the processed value and store it in self.value.

Return type

Optional[str]

Returns

A string with the processed value.

classmethod replace(parent_plugin, old_value, new_value)[source]

Replace a substring from plugin’s value with something else.

Return type

Alter

Combine

class Combine(*args)[source]

Plugin to combine the values of other plugins.

concatenate_values()[source]

Concatenate the provided values.

This function will concatenate the arguments values. Accepts both strings and plugins.

Return type

str

Parsers

UrlParser

class UrlParser(parent_plugin, element)[source]

Parse the URL and extract elements from it.

Use this when needing to extract some piece of information from the URL.

parse_url()[source]

Parses the URL and returns the string with the desired element.

Return type

Optional[str]

Writing custom plugins

In case the existing plugins are not enough, the user can write their own to add the new functionality. Those new plugins should be written in the project’s configuration directory in a “.hy” file. To do this, a new class has to be defined, which will inherit from Raider’s Plugin class:

Let’s assume we want a new plugin that will use unix password store to extract the OTP from our website.

(defclass PasswordStore [Plugin]
;; Define class PasswordStore which inherits from Plugin

  (defn __init__ [self path]
  ;; Initiatialize the object given the path

    (.__init__ (super)
               :name path
               :function (. self run_command)))
  ;; Call the super() class, i.e. Plugin, and give it the
  ;; path as the name identifier, and the function
  ;; self.run_command() as a function to get the value.
  ;;
  ;; We don't need the response nor the user data to use
  ;; this plugin, so no flags will be set.

  (defn run_command [self]
    (import os)
    ;; We need os.popen() to run the command

    (setv self.value
          ((. ((. (os.popen
                    (+ "pass otp " self.path))
                  read))
              strip)))
    ;; set self.value to the output from "pass otp",
    ;; with the newline stripped.

    (return self.value)))

And we can create a new variable that will use this class:

(setv mfa_code (PasswordStore "personal/reddit"))

Now whenever we use the mfa_code in our requests, its value will be extracted from the password store.