No second order support.

[sectroyer]

I will use PortSwigger's "Basic server-side template injection (code context)" task as an example but I have encountered same issue elsewhere.

Currently there is no way to specify a second order url however it's pretty simple to implement. I didn't add specific switch but in code I just had add two lines.
I used this command line:
./sstimap.py -u "https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/my-account/change-blog-post-author-display" -d "blog-post-author-display=user.first_name&csrf=xGbHC88kaLt5KmNUTq7zw3wZ3fMDDAGx" --cookie 'session=Sk45UsfrkQRg3siVdnHxV8uBhDFG20gJ' -A -e Tornado

And changed those lines:

        second_order_url="https://0a70002e03773a3d81129428007b00eb.web-security-academy.net/post?postId=6"
        try:
            result = requests.request(method=self.http_method, url=url_params, params=get_params, data=post_params,
                                      headers=header_params, proxies=self.proxies, verify=self.args.get('verify_ssl'), allow_redirects=False).text
            result = requests.get(second_order_url,cookies=cookies,proxies=self.proxies,verify=False).text

simple if that checks if second_order_url is in self.args should suffice IMHO.

[vladko312]

This is a great idea! I will add this feature soon.

[vladko312]

There are other cases that need a deeper fix:

• Second order based on returned data (ID of the created post)
• Reset required after every attempt (deleting a comment to fix HTTP error 500)
• Reset based on data
• Reset or second order not being HTTP (email, websockets, ...)

Some of this cases need some extra parameters that are unlikely to be used outside of them. I decided to move requesting functionality to a separate module in the future with a way to add custom parameters for that module.

For now, I don't have a lot of time, so this functionality will appear later.

[Molx32]

Hi there!
Any update regarding the second order feature?
I started thinking of how to implement this, so feel free to share if you already have something in mind or some prototype.

[vladko312]

@Molx32 I have some plans to add a way to do complex workflows with any amount of requests and a possibility for second order. This would also cover cases where you need to obtain a new session or remove your payloads to recover functionality on a vulnerable page.