nuclei-templates/misconfiguration/proxy/open-proxy-localhost.yaml

id: open-proxy-http-portscan
info:
  name: Open Proxy to Other Web Ports on Proxy's localhost Interface
  author: sullo
  severity: high
  tags: exposure,config,proxy,misconfig,fuzz
  description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
    - https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
requests:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |+
        GET http://somethingthatdoesnotexist/ HTTP/1.1
        Host: somethingthatdoesnotexist
      - |+
        GET http://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1
      - |+
        GET https://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1
      - |+
        GET http://localhost/ HTTP/1.1
        Host: localhost
      - |+
        GET https://localhost/ HTTP/1.1
        Host: localhost
    unsafe: true
    req-condition: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        condition: or
        dsl:
          - (!contains(body_1, "<title>IIS7</title>") && !contains(body_2, "<title>IIS7</title>")) && (contains(body_3, "<title>IIS7</title>") || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>"))
          - (!contains(body_1, "503 Service Unavailable") && !contains(body_2, "503 Service Unavailable")) && (contains(body_3, "503 Service Unavailable") || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable"))
          - (!contains(body_1, "default welcome page") && !contains(body_2, "default welcome page")) && (contains(body_3, "default welcome page") || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page"))
          - (!contains(body_1, "IIS Windows Server") && !contains(body_2, "IIS Windows Server")) && (contains(body_3, "IIS Windows Server") || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server"))
          - (!contains(body_1, "Microsoft Azure App") && !contains(body_2, "Microsoft Azure App")) && (contains(body_3, "Microsoft Azure App") || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App"))
          - (!contains(body_1, "Welcome to IIS") && !contains(body_2, "Welcome to IIS")) && (contains(body_3, "Welcome to IIS") || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS"))
          - (!contains(body_1, "Welcome to Microsoft Windows") && !contains(body_2, "Welcome to Microsoft Windows")) && (contains(body_3, "Welcome to Microsoft Windows") || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows"))
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))
# Enhanced by cs on 2022/02/14
Add cloud metadata checks for reverse proxies (#3528) * Add cloud metadata checks (proxied) for: - Amazon AWS - Alibaba Cloud - Microsoft Azure - DigitalOcean - Hetzner Cloud - OpenStack - Oracle Cloud * fixup! Add cloud metadata checks (proxied) for: - Amazon AWS - Alibaba Cloud - Microsoft Azure - DigitalOcean - Hetzner Cloud - OpenStack - Oracle Cloud * Fix URL * Remove unnecessary Flavor header * Add cgi as a file type * syntax fix * syntax update * moving files around * tags update * matchers update * * Added CVSS scores * Updated metadata tests to latest versions * Added generic proxy tests * * Update to latest versions * Remove empty lines to pass lint * removing sniper to use default attacktype * minor syntax fix * minor updates Co-authored-by: sullo <sullo@ziggy.local> Co-authored-by: sullo <sullo@cirt.net> 2022-01-16 12:25:28 +00:00			`id: open-proxy-http-portscan`
			`info:`
			`name: Open Proxy to Other Web Ports on Proxy's localhost Interface`
			`author: sullo`
			`severity: high`
			`tags: exposure,config,proxy,misconfig,fuzz`
			`description: The host is configured as a proxy which allows access to web ports on the host's internal interface.`
Dashboard (#3706) * Enhancement: cves/2010/CVE-2010-1353.yaml by mp * Enhancement: cves/2010/CVE-2010-1352.yaml by mp * Enhancement: cves/2010/CVE-2010-1345.yaml by mp * Enhancement: cves/2010/CVE-2010-1340.yaml by mp * Enhancement: cves/2010/CVE-2010-1345.yaml by mp * Enhancement: cves/2010/CVE-2010-1315.yaml by mp * Enhancement: cves/2010/CVE-2010-1314.yaml by mp * Enhancement: cves/2010/CVE-2010-1313.yaml by mp * Enhancement: cves/2010/CVE-2010-1312.yaml by mp * Enhancement: cves/2010/CVE-2010-1308.yaml by mp * Enhancement: cves/2010/CVE-2010-1307.yaml by mp * Enhancement: cves/2010/CVE-2010-1306.yaml by mp * Enhancement: cves/2010/CVE-2010-1305.yaml by mp * Enhancement: cves/2010/CVE-2010-1304.yaml by mp * Enhancement: cves/2010/CVE-2010-1302.yaml by mp * Enhancement: cves/2010/CVE-2010-1219.yaml by mp * Enhancement: cves/2010/CVE-2010-1352.yaml by mp * Enhancement: cves/2010/CVE-2010-1354.yaml by mp * Enhancement: cves/2010/CVE-2010-1461.yaml by mp * Enhancement: cves/2010/CVE-2010-1469.yaml by mp * Enhancement: cves/2010/CVE-2010-1470.yaml by mp * Enhancement: cves/2010/CVE-2010-1471.yaml by mp * Enhancement: cves/2010/CVE-2010-1472.yaml by mp * Enhancement: cves/2010/CVE-2010-1473.yaml by mp * Enhancement: cves/2010/CVE-2010-1474.yaml by mp * Enhancement: cves/2010/CVE-2010-1475.yaml by mp * Enhancement: cves/2010/CVE-2010-1476.yaml by mp * Enhancement: cves/2010/CVE-2010-1478.yaml by mp * Enhancement: cves/2010/CVE-2010-1491.yaml by mp * Enhancement: cves/2010/CVE-2010-1494.yaml by mp * Enhancement: cves/2010/CVE-2010-1495.yaml by mp * Enhancement: cves/2010/CVE-2010-1531.yaml by mp * Enhancement: cves/2010/CVE-2010-1473.yaml by mp * Enhancement: misconfiguration/proxy/metadata-alibaba.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-oracle.yaml by cs * Enhancement: cves/2016/CVE-2016-4975.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-oracle.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-digitalocean.yaml by cs * Enhancement: misconfiguration/proxy/metadata-alibaba.yaml by cs * Enhancement: misconfiguration/proxy/metadata-hetzner.yaml by cs * Enhancement: misconfiguration/proxy/metadata-aws.yaml by cs * Enhancement: misconfiguration/proxy/metadata-google.yaml by cs * Enhancement: misconfiguration/proxy/metadata-azure.yaml by cs * Enhancement: misconfiguration/proxy/open-proxy-localhost.yaml by cs * Enhancement: misconfiguration/proxy/open-proxy-internal.yaml by cs * Enhancement: cves/2021/CVE-2021-1497.yaml by cs * Spacing fixes and enhancement to CNVD-2019-01348.yaml * Spacing fixes, and enhancement to CNVD-2019-01348.yaml * Merge artifact * Spacing Co-authored-by: sullo <sullo@cirt.net> 2022-02-15 06:09:56 +00:00			`remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.`
Add cloud metadata checks for reverse proxies (#3528) * Add cloud metadata checks (proxied) for: - Amazon AWS - Alibaba Cloud - Microsoft Azure - DigitalOcean - Hetzner Cloud - OpenStack - Oracle Cloud * fixup! Add cloud metadata checks (proxied) for: - Amazon AWS - Alibaba Cloud - Microsoft Azure - DigitalOcean - Hetzner Cloud - OpenStack - Oracle Cloud * Fix URL * Remove unnecessary Flavor header * Add cgi as a file type * syntax fix * syntax update * moving files around * tags update * matchers update * * Added CVSS scores * Updated metadata tests to latest versions * Added generic proxy tests * * Update to latest versions * Remove empty lines to pass lint * removing sniper to use default attacktype * minor syntax fix * minor updates Co-authored-by: sullo <sullo@ziggy.local> Co-authored-by: sullo <sullo@cirt.net> 2022-01-16 12:25:28 +00:00			`reference:`
			`- https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/`
			`- https://en.wikipedia.org/wiki/Open_proxy`
			`- https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`
			`cvss-score: 8.6`
			`cwe-id: CWE-441`
			`requests:`
			`- raw:`
			`- \|+`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|+`
			`GET http://somethingthatdoesnotexist/ HTTP/1.1`
			`Host: somethingthatdoesnotexist`
			`- \|+`
			`GET http://127.0.0.1/ HTTP/1.1`
			`Host: 127.0.0.1`
			`- \|+`
			`GET https://127.0.0.1/ HTTP/1.1`
			`Host: 127.0.0.1`
			`- \|+`
			`GET http://localhost/ HTTP/1.1`
			`Host: localhost`
			`- \|+`
			`GET https://localhost/ HTTP/1.1`
			`Host: localhost`
			`unsafe: true`
			`req-condition: true`
			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`condition: or`
			`dsl:`
			`- (!contains(body_1, "<title>IIS7</title>") && !contains(body_2, "<title>IIS7</title>")) && (contains(body_3, "<title>IIS7</title>") \|\| contains(body_4, "<title>IIS7</title>") \|\| contains(body_5, "<title>IIS7</title>") \|\| contains(body_6, "<title>IIS7</title>"))`
			`- (!contains(body_1, "503 Service Unavailable") && !contains(body_2, "503 Service Unavailable")) && (contains(body_3, "503 Service Unavailable") \|\| contains(body_4, "503 Service Unavailable") \|\| contains(body_5, "503 Service Unavailable") \|\| contains(body_6, "503 Service Unavailable"))`
			`- (!contains(body_1, "default welcome page") && !contains(body_2, "default welcome page")) && (contains(body_3, "default welcome page") \|\| contains(body_4, "default welcome page") \|\| contains(body_5, "default welcome page") \|\| contains(body_6, "default welcome page"))`
			`- (!contains(body_1, "IIS Windows Server") && !contains(body_2, "IIS Windows Server")) && (contains(body_3, "IIS Windows Server") \|\| contains(body_4, "IIS Windows Server") \|\| contains(body_5, "IIS Windows Server") \|\| contains(body_6, "IIS Windows Server"))`
			`- (!contains(body_1, "Microsoft Azure App") && !contains(body_2, "Microsoft Azure App")) && (contains(body_3, "Microsoft Azure App") \|\| contains(body_4, "Microsoft Azure App") \|\| contains(body_5, "Microsoft Azure App") \|\| contains(body_6, "Microsoft Azure App"))`
			`- (!contains(body_1, "Welcome to IIS") && !contains(body_2, "Welcome to IIS")) && (contains(body_3, "Welcome to IIS") \|\| contains(body_4, "Welcome to IIS") \|\| contains(body_5, "Welcome to IIS") \|\| contains(body_6, "Welcome to IIS"))`
			`- (!contains(body_1, "Welcome to Microsoft Windows") && !contains(body_2, "Welcome to Microsoft Windows")) && (contains(body_3, "Welcome to Microsoft Windows") \|\| contains(body_4, "Welcome to Microsoft Windows") \|\| contains(body_5, "Welcome to Microsoft Windows") \|\| contains(body_6, "Welcome to Microsoft Windows"))`
			`- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") \|\| contains(body_4, "Welcome to Windows") \|\| contains(body_5, "Welcome to Windows") \|\| contains(body_6, "Welcome to Windows"))`
			`- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") \|\| contains(body_4, "Welcome to Windows") \|\| contains(body_5, "Welcome to Windows") \|\| contains(body_6, "Welcome to Windows"))`
			`- (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") \|\| contains(body_4, "It works") \|\| contains(body_5, "It works") \|\| contains(body_6, "It works"))`
Dashboard (#3706) * Enhancement: cves/2010/CVE-2010-1353.yaml by mp * Enhancement: cves/2010/CVE-2010-1352.yaml by mp * Enhancement: cves/2010/CVE-2010-1345.yaml by mp * Enhancement: cves/2010/CVE-2010-1340.yaml by mp * Enhancement: cves/2010/CVE-2010-1345.yaml by mp * Enhancement: cves/2010/CVE-2010-1315.yaml by mp * Enhancement: cves/2010/CVE-2010-1314.yaml by mp * Enhancement: cves/2010/CVE-2010-1313.yaml by mp * Enhancement: cves/2010/CVE-2010-1312.yaml by mp * Enhancement: cves/2010/CVE-2010-1308.yaml by mp * Enhancement: cves/2010/CVE-2010-1307.yaml by mp * Enhancement: cves/2010/CVE-2010-1306.yaml by mp * Enhancement: cves/2010/CVE-2010-1305.yaml by mp * Enhancement: cves/2010/CVE-2010-1304.yaml by mp * Enhancement: cves/2010/CVE-2010-1302.yaml by mp * Enhancement: cves/2010/CVE-2010-1219.yaml by mp * Enhancement: cves/2010/CVE-2010-1352.yaml by mp * Enhancement: cves/2010/CVE-2010-1354.yaml by mp * Enhancement: cves/2010/CVE-2010-1461.yaml by mp * Enhancement: cves/2010/CVE-2010-1469.yaml by mp * Enhancement: cves/2010/CVE-2010-1470.yaml by mp * Enhancement: cves/2010/CVE-2010-1471.yaml by mp * Enhancement: cves/2010/CVE-2010-1472.yaml by mp * Enhancement: cves/2010/CVE-2010-1473.yaml by mp * Enhancement: cves/2010/CVE-2010-1474.yaml by mp * Enhancement: cves/2010/CVE-2010-1475.yaml by mp * Enhancement: cves/2010/CVE-2010-1476.yaml by mp * Enhancement: cves/2010/CVE-2010-1478.yaml by mp * Enhancement: cves/2010/CVE-2010-1491.yaml by mp * Enhancement: cves/2010/CVE-2010-1494.yaml by mp * Enhancement: cves/2010/CVE-2010-1495.yaml by mp * Enhancement: cves/2010/CVE-2010-1531.yaml by mp * Enhancement: cves/2010/CVE-2010-1473.yaml by mp * Enhancement: misconfiguration/proxy/metadata-alibaba.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-oracle.yaml by cs * Enhancement: cves/2016/CVE-2016-4975.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-oracle.yaml by cs * Enhancement: misconfiguration/proxy/metadata-openstack.yaml by cs * Enhancement: misconfiguration/proxy/metadata-digitalocean.yaml by cs * Enhancement: misconfiguration/proxy/metadata-alibaba.yaml by cs * Enhancement: misconfiguration/proxy/metadata-hetzner.yaml by cs * Enhancement: misconfiguration/proxy/metadata-aws.yaml by cs * Enhancement: misconfiguration/proxy/metadata-google.yaml by cs * Enhancement: misconfiguration/proxy/metadata-azure.yaml by cs * Enhancement: misconfiguration/proxy/open-proxy-localhost.yaml by cs * Enhancement: misconfiguration/proxy/open-proxy-internal.yaml by cs * Enhancement: cves/2021/CVE-2021-1497.yaml by cs * Spacing fixes and enhancement to CNVD-2019-01348.yaml * Spacing fixes, and enhancement to CNVD-2019-01348.yaml * Merge artifact * Spacing Co-authored-by: sullo <sullo@cirt.net> 2022-02-15 06:09:56 +00:00			`# Enhanced by cs on 2022/02/14`