nuclei-templates/misconfiguration/proxy/open-proxy-localhost.yaml


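# Detects a host that acts as an open proxy towards its own loopback interface.
#
# How the check works:
#   * Request 1 is a normal request to the target and request 2 is a
#     proxy-style request for a host name that should not resolve. Both serve
#     as baselines.
#   * Requests 3-6 use an absolute-URI request line to ask the target to fetch
#     127.0.0.1 / localhost over http and https (default ports only).
#   * A matcher fires when a default-page marker is absent from BOTH baselines
#     but present in at least one loopback response.
#
# NOTE(review): the markers are generic default-page / error strings
# ("It works", "503 Service Unavailable", ...). A hit should be confirmed
# manually before it is reported; an error page generated by the proxy itself
# could presumably contain one of them.
# NOTE(review): the id differs from the file name (open-proxy-localhost) —
# confirm it does not collide with another template's id.
id: open-proxy-http-portscan

info:
  name: Open Proxy to Other Web Ports via Proxy's localhost Interface
  author: sullo
  severity: high
  description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
    - https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
  tags: exposure,config,proxy,misconfig,fuzz

requests:
  - raw:
      # Each request uses `|+` so the trailing blank line that ends the header
      # block is kept in the raw request.

      # Baseline 1: ordinary request to the target itself.
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}

      # Baseline 2: proxy-style request for a host that should not exist.
      - |+
        GET http://somethingthatdoesnotexist/ HTTP/1.1
        Host: somethingthatdoesnotexist

      # Probes 3-6: proxy-style requests for the loopback interface.
      - |+
        GET http://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1

      - |+
        GET https://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1

      - |+
        GET http://localhost/ HTTP/1.1
        Host: localhost

      - |+
        GET https://localhost/ HTTP/1.1
        Host: localhost

    # unsafe: the requests are sent as written, so the absolute-URI request
    # line and the non-target Host header reach the server unmodified.
    unsafe: true
    # req-condition: exposes the per-request bodies (body_1 .. body_6) to the
    # DSL expressions below.
    req-condition: true
    stop-at-first-match: true

    matchers:
      - type: dsl
        condition: or
        # One expression per marker, all of the same shape:
        #   marker not in body_1 and not in body_2, and marker in any of
        #   body_3 .. body_6.
        # The expressions are single-quoted so YAML never re-interprets them;
        # they contain double quotes only. The source listed the
        # "Welcome to Windows" expression twice; under `or` the duplicate was
        # redundant and is listed once here.
        dsl:
          - '(!contains(body_1, "<title>IIS7</title>") && !contains(body_2, "<title>IIS7</title>")) && (contains(body_3, "<title>IIS7</title>") || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>"))'
          - '(!contains(body_1, "503 Service Unavailable") && !contains(body_2, "503 Service Unavailable")) && (contains(body_3, "503 Service Unavailable") || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable"))'
          - '(!contains(body_1, "default welcome page") && !contains(body_2, "default welcome page")) && (contains(body_3, "default welcome page") || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page"))'
          - '(!contains(body_1, "IIS Windows Server") && !contains(body_2, "IIS Windows Server")) && (contains(body_3, "IIS Windows Server") || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server"))'
          - '(!contains(body_1, "Microsoft Azure App") && !contains(body_2, "Microsoft Azure App")) && (contains(body_3, "Microsoft Azure App") || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App"))'
          - '(!contains(body_1, "Welcome to IIS") && !contains(body_2, "Welcome to IIS")) && (contains(body_3, "Welcome to IIS") || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS"))'
          - '(!contains(body_1, "Welcome to Microsoft Windows") && !contains(body_2, "Welcome to Microsoft Windows")) && (contains(body_3, "Welcome to Microsoft Windows") || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows"))'
          - '(!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))'
          - '(!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))'

# Enhanced by mp on 2022/04/21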