V1.4 版本更新内容
- bug fix
- 删除使用AI进行公共接口过滤逻辑,增大误报 换取 更低漏报
- 增加对uri中路径的替换支持:比如:https://xxxx.com/aaa, 替换规则语法为:path:aaa=bbb,则重放请求则为https://xxxx.com/bbb
- 参数替换越权逻辑优化:启用参数替换测试越权模式时,未发生参数替换的请求(说明两次请求一模一样)直接返回enforce, 只有两次请求发生变化的才会进行下一步分析对比。( 间接的也把公共接口成功排除掉 )
- 去除bypass状态码相等的逻辑,只要在200,30x列表范围内的状态码都认为正常,并按照后续逻辑进行响应对比(避免了3xx状态的漏报)
📌 欢迎继续通过 issue / email 反馈你的使用效果, 让我们一起持续优化工具
V1.4 Update Notes
- bug fixes
- Removed the AI-based public interface filtering logic. This change increases false positives in exchange for reduced false negatives.
- Added support for replacing paths in URIs: For example,
https://xxxx.com/aaawith the replacement rule syntaxpath:aaa=bbbwill result in the replayed request beinghttps://xxxx.com/bbb. - Enhanced parameter replacement authorization logic: When parameter replacement testing is enabled, requests that are identical (no parameter changes) are immediately marked as "enforced". Only requests with changes proceed to the next analysis and comparison step. ( Indirectly, the public interface is successfully excluded )
- Removed the logic for comparing bypassed status codes as identical. Any status code within the
200or30xrange is now treated as valid and processed in subsequent response comparisons. This avoids missing3xxstatus codes.
📌 We welcome continued feedback on your experience via issues or email, let’s work together to continuously optimize the tool