Merge pull request #1900 from pdelteil/patch-20

Update openam-detection.yaml
2021-07-10 01:38:47 +05:30 · 2021-07-10 01:38:47 +05:30 · ad1c273261
parent d4cdafefdb 6c11d0714f
commit ad1c273261
1 changed files with 44 additions and 10 deletions
--- a/technologies/openam-detection.yaml
+++ b/technologies/openam-detection.yaml
@ -1,20 +1,54 @@
 id: openam-detection

 info:
-  name: Detect openam
-  author: melbadry9,xelkomy
+  name: Detect OpenAM and OpenSSO
+  author: philippedelteil,melbadry9,xelkomy
  severity: info
-  description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the userâ€™s email.
-  reference: https://blog.cybercastle.io/ldap-injection-in-openam/

 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/openam/ui/PWResetUserValidation"
-      - "{{BaseURL}}/OpenAM-11.0.0/ui/PWResetUserValidation"
-      - "{{BaseURL}}/ui/PWResetUserValidation"
+      - "{{BaseURL}}/openam/XUI"
+      - "{{BaseURL}}/XUI"
+      - "{{BaseURL}}/XUI/#login"
+      - "{{BaseURL}}/UI"
+      - "{{BaseURL}}/sso/XUI"
+      - "{{BaseURL}}/sso/UI"
+      - "{{BaseURL}}/sso/UI/#login"
+      - "{{BaseURL}}/openam/UI/login"
+      - "{{BaseURL}}/openam/UI/#loginlogin"
+      - "{{BaseURL}}/openam/UI/Login"
+      - "{{BaseURL}}/openam/XUI/Login"
+      - "{{BaseURL}}/openam/XUI/login"
+      - "{{BaseURL}}/openam/XUI/#login"
+      - "{{BaseURL}}/am/UI/Login"
+      - "{{BaseURL}}/am/UI/#login"
+      - "{{BaseURL}}/am/XUI/"
+      - "{{BaseURL}}/am/XUI/Login"
+      - "{{BaseURL}}/am/json/serverinfo/*"
+      - "{{BaseURL}}/openam/json/serverinfo/*"

+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
    matchers:
-      - type: dsl
-        dsl:
-          - 'contains(body, "jato.pageSession") && status_code==200'
+      - type: word
+        words:
+          - 'urlArgs : "v='
+          - 'Sign in to OpenAM'
+          - 'ForgeRock'
+          - 'forgerock'
+          - 'FRForgotUsername'
+          - 'successfulUserRegistrationDestination'
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'urlArgs : "v=([0-9.abcd]+)'