From b422587f79d9dbf7a804e14aa097b9c45acc70b9 Mon Sep 17 00:00:00 2001
From: brenocss <57222005+brenocss@users.noreply.github.com>
Date: Mon, 21 Feb 2022 18:37:35 -0300
Subject: [PATCH 1/3] Adding randstr path

---
 .../apache/tomcat-pathnormalization.yaml | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/exposed-panels/apache/tomcat-pathnormalization.yaml b/exposed-panels/apache/tomcat-pathnormalization.yaml
index 21bf67d83b..5cd23ac0f9 100644
--- a/exposed-panels/apache/tomcat-pathnormalization.yaml
+++ b/exposed-panels/apache/tomcat-pathnormalization.yaml
@@ -2,7 +2,7 @@ id: tomcat-manager-pathnormalization

 info:
 name: Tomcat Manager Path Normalization
- author: organiccrap
+ author: brenocss,organiccrap
 severity: info
 reference: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
 tags: panel,tomcat,apache
@@ -12,17 +12,20 @@ requests:
 path:
 - '{{BaseURL}}/..;/manager/html'
 - '{{BaseURL}}/..;/host-manager/html'
+ - '{{BaseURL}}/{{randstr}}/..;/manager/html'
+ - '{{BaseURL}}/{{randstr}}/..;/host-manager/html'

- matchers-condition: and
+ matchers-condition: or
 matchers:
- - type: word
- words:
- - 'username="tomcat" password="s3cret"'
- - 'manager-gui'
- condition: and
-
- - type: status
- negative: true
- status:
- - 403
- - 401
+ - type: dsl
+ name: '200'
+ dsl:
+ - 'status_code==200 && contains(body,"Tomcat")'
+ - type: dsl
+ name: '401'
+ dsl:
+ - 'status_code==401 && contains(body,"Tomcat")'
+ - type: dsl
+ name: '403'
+ dsl:
+ - 'status_code==403 && contains(body,"Tomcat")'

From 1f2eb873b932e75bf94980e9fdef3dc816217392 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 5 Aug 2022 14:53:19 +0530
Subject: [PATCH 2/3] Update tomcat-pathnormalization.yaml

---
 .../apache/tomcat-pathnormalization.yaml | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

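Review bot: With `matchers-condition: or` and three dsl matchers that differ only in the status code, the new matcher set reduces to `contains(body,"Tomcat")` on any 200, 401 or 403 response, so the container's own 403 page from a correctly restricted manager (and, presumably, the default Tomcat error pages, which name the server) satisfies it, and nothing ties the hit to the manager application being reached through the `..;/` segment. The removed word matcher on `'manager-gui'` and the sample-credentials text was what anchored the match to the manager's own page; one matcher such as `'(status_code==200 || status_code==401 || status_code==403) && contains(body,"manager-gui")'` would keep that anchor while still accepting the three statuses. The three single-condition matchers with quoted numeric names also duplicate each other and read as a status-code table rather than a detection rule. PATCH 2/3 in this series reverts this hunk to the word-plus-status form.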
diff --git a/exposed-panels/apache/tomcat-pathnormalization.yaml b/exposed-panels/apache/tomcat-pathnormalization.yaml
index 5cd23ac0f9..624d308333 100644
--- a/exposed-panels/apache/tomcat-pathnormalization.yaml
+++ b/exposed-panels/apache/tomcat-pathnormalization.yaml
@@ -15,17 +15,15 @@ requests:
 - '{{BaseURL}}/{{randstr}}/..;/manager/html'
 - '{{BaseURL}}/{{randstr}}/..;/host-manager/html'

- matchers-condition: or
+ matchers-condition: and
 matchers:
- - type: dsl
- name: '200'
- dsl:
- - 'status_code==200 && contains(body,"Tomcat")'
- - type: dsl
- name: '401'
- dsl:
- - 'status_code==401 && contains(body,"Tomcat")'
- - type: dsl
- name: '403'
- dsl:
- - 'status_code==403 && contains(body,"Tomcat")'
+ - type: word
+ words:
+ - 'username="tomcat" password="s3cret"'
+ - 'manager-gui'
+ condition: and
+
+ - type: status
+ status:
+ - 403
+ negative: true

From 9aa31673225c4383efdad88827a0a9e488b55aa8 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Thu, 25 Aug 2022 12:12:34 +0530
Subject: [PATCH 3/3] Update and rename exposed-panels/apache/tomcat-pathnormalization.yaml to misconfiguration/apache/tomcat-pathnormalization.yaml

---
 .../apache/tomcat-pathnormalization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename {exposed-panels => misconfiguration}/apache/tomcat-pathnormalization.yaml (100%)

diff --git a/exposed-panels/apache/tomcat-pathnormalization.yaml b/misconfiguration/apache/tomcat-pathnormalization.yaml
similarity index 100%
rename from exposed-panels/apache/tomcat-pathnormalization.yaml
rename to misconfiguration/apache/tomcat-pathnormalization.yaml
index 624d308333..afe11e462b 100644
--- a/exposed-panels/apache/tomcat-pathnormalization.yaml
+++ b/misconfiguration/apache/tomcat-pathnormalization.yaml
@@ -24,6 +24,6 @@ requests:
 condition: and

 - type: status
+ negative: true
 status:
 - 403
- negative: true
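Review bot: The substantive change in this hunk is that `- 401` is no longer in the negative status list, so an unauthenticated 401 whose body carries the `username="tomcat" password="s3cret"` and `manager-gui` text now counts as a match, while the word matcher and `matchers-condition: and` themselves are a revert of PATCH 1/3; neither the hunk nor the commit message says why 401 became acceptable. Presumably that 401 is the manager's own login page, i.e. evidence that the `..;/` request reached the manager app, which is the point of the template; a comment above the status matcher such as `# 401 is the manager's own unauthenticated page and counts as a hit; only the container's 403 is rejected` would record that and stop a later edit from reinstating 401. The template also sends no baseline request to `{{BaseURL}}/manager/html`, so a host whose manager is reachable directly matches too; that is a plain exposed panel rather than a normalization issue, and the info block (outside this hunk) could say so.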