parameter_extraction
Extract parameters from web applications using automated crawling and manual methods to identify input fields for security testing and vulnerability assessment.
Instructions
Extract parameters from web applications using Katana and manual methods
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| depth | No | Crawling depth (default: 2) | |
| target | Yes | Target URL | |
Input Schema (JSON Schema)
```json
{
  "properties": {
    "depth": {
      "description": "Crawling depth (default: 2)",
      "type": "number"
    },
    "target": {
      "description": "Target URL",
      "type": "string"
    }
  },
  "required": [
    "target"
  ],
  "type": "object"
}
```
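The schema constrains only the types of `target` and `depth`, so any string and any number pass. As an added example (not code from this project), here is a guard a deployment could run on the arguments before they reach the handler. The `AUTHORIZED_HOSTS` allowlist, the `MAX_DEPTH` cap of 5 and the name `validateExtractionArgs` are assumptions.

```typescript
// Added example: argument guard for the parameter_extraction tool.
// AUTHORIZED_HOSTS and MAX_DEPTH are assumptions, not values from the project.
const AUTHORIZED_HOSTS: string[] = ["app.example.test"]; // constructed sample scope
const MAX_DEPTH = 5;

interface ValidatedArgs { target: string; depth: number; }

function validateExtractionArgs(args: { target?: unknown; depth?: unknown }): ValidatedArgs {
  if (typeof args.target !== "string" || args.target.length === 0) {
    throw new Error("target is required and must be a string");
  }
  let url: URL;
  try {
    url = new URL(args.target);
  } catch {
    throw new Error("target is not an absolute URL");
  }
  // Only web schemes: rejects file:, javascript:, gopher: and similar.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  // Credentials in the URL would end up in logs and crawler command lines.
  if (url.username !== "" || url.password !== "") {
    throw new Error("credentials in target URL are not accepted");
  }
  // Exact host match against the engagement scope; no suffix matching.
  if (!AUTHORIZED_HOSTS.includes(url.hostname)) {
    throw new Error(`host not in authorized scope: ${url.hostname}`);
  }
  // The schema's default is 2; apply it only when depth is absent.
  const depth = args.depth === undefined ? 2 : args.depth;
  if (typeof depth !== "number" || !Number.isInteger(depth) || depth < 1 || depth > MAX_DEPTH) {
    throw new Error(`depth must be an integer between 1 and ${MAX_DEPTH}`);
  }
  // Return the normalized URL so later stages see exactly what was validated.
  return { target: url.href, depth };
}
```

The guard returns the normalized URL and a bounded integer depth, or throws with a reason that can be returned to the MCP client as the tool error.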
Implementation Reference
- src/tools/parameter-extraction.ts:31-85 (handler) The core handler function of the parameter_extraction tool. It orchestrates multiple extraction methods: Katana crawling, manual form analysis, JavaScript parsing, and API discovery, then analyzes and returns results.

  ```typescript
  async extractParameters(target: string, depth: number = 2): Promise<ScanResult> {
    try {
      console.error(`🔍 Extracting parameters from ${target} (depth: ${depth})`);

      const allParameters: ExtractedParameter[] = [];

      // Method 1: Katana crawling and parameter extraction
      const katanaParams = await this.runKatanaExtraction(target, depth);
      allParameters.push(...katanaParams);

      // Method 2: Manual crawling and form analysis
      const manualParams = await this.manualParameterExtraction(target, depth);
      allParameters.push(...manualParams);

      // Method 3: JavaScript analysis
      const jsParams = await this.extractFromJavaScript(target);
      allParameters.push(...jsParams);

      // Method 4: API endpoint discovery
      const apiParams = await this.discoverAPIParameters(target);
      allParameters.push(...apiParams);

      // Deduplicate and analyze
      const uniqueParams = this.deduplicateParameters(allParameters);
      const analyzedParams = this.analyzeParameters(uniqueParams);
      const highInterestParams = this.identifyHighInterestParameters(uniqueParams);

      const result: ParameterExtractionResult = {
        total_parameters: allParameters.length,
        unique_parameters: uniqueParams.length,
        parameters_by_type: this.categorizeByType(uniqueParams),
        parameters_by_vuln_type: this.categorizeByVulnType(uniqueParams),
        high_interest_params: highInterestParams,
        all_parameters: uniqueParams
      };

      return {
        target,
        timestamp: new Date().toISOString(),
        tool: 'parameter_extraction',
        results: result,
        status: 'success'
      };
    } catch (error) {
      return {
        target,
        timestamp: new Date().toISOString(),
        tool: 'parameter_extraction',
        results: {},
        status: 'error',
        error: error instanceof Error ? error.message : String(error)
      };
    }
  }
  ```
- src/index.ts:271-281 (registration) Registration of the 'parameter_extraction' tool in the MCP server, defining its name, description, and input schema.

  ```typescript
    name: "parameter_extraction",
    description: "Extract parameters from web applications using Katana and manual methods",
    inputSchema: {
      type: "object",
      properties: {
        target: { type: "string", description: "Target URL" },
        depth: { type: "number", description: "Crawling depth (default: 2)" }
      },
      required: ["target"]
    }
  },
  ```
- src/index.ts:549-550 (registration) Handler dispatch in the main switch statement that calls the ParameterExtractionEngine.extractParameters method.

  ```typescript
  case "parameter_extraction":
    return respond(await this.parameterExtraction.extractParameters(args.target, args.depth || 2));
  ```
- TypeScript interface defining the structure of the parameter extraction results.

  ```typescript
  export interface ParameterExtractionResult {
    total_parameters: number;
    unique_parameters: number;
    parameters_by_type: Record<string, number>;
    parameters_by_vuln_type: Record<string, number>;
    high_interest_params: ExtractedParameter[];
    all_parameters: ExtractedParameter[];
  }
  ```
- TypeScript interface defining individual extracted parameters.

  ```typescript
  export interface ExtractedParameter {
    name: string;
    type: 'GET' | 'POST' | 'COOKIE' | 'HEADER' | 'JSON' | 'XML' | 'MULTIPART';
    source: string;
    url: string;
    method: string;
    example_value?: string;
    context: string;
    potential_vuln_types: string[];
  }
  ```