diff --git a/technologies/openam-detection.yaml b/technologies/openam-detection.yaml
index 28620e5bd8..db7dd418c2 100644
--- a/technologies/openam-detection.yaml
+++ b/technologies/openam-detection.yaml
@@ -1,20 +1,54 @@
 id: openam-detection
 info:
- name: Detect openam
- author: melbadry9,xelkomy
+ name: Detect OpenAM and OpenSSO
+ author: philippedelteil,melbadry9,xelkomy
 severity: info
- description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
- reference: https://blog.cybercastle.io/ldap-injection-in-openam/
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/openam/ui/PWResetUserValidation"
- - "{{BaseURL}}/OpenAM-11.0.0/ui/PWResetUserValidation"
- - "{{BaseURL}}/ui/PWResetUserValidation"
+ - "{{BaseURL}}/openam/XUI"
+ - "{{BaseURL}}/XUI"
+ - "{{BaseURL}}/XUI/#login"
+ - "{{BaseURL}}/UI"
+ - "{{BaseURL}}/sso/XUI"
+ - "{{BaseURL}}/sso/UI"
+ - "{{BaseURL}}/sso/UI/#login"
+ - "{{BaseURL}}/openam/UI/login"
+ - "{{BaseURL}}/openam/UI/#loginlogin"
+ - "{{BaseURL}}/openam/UI/Login"
+ - "{{BaseURL}}/openam/XUI/Login"
+ - "{{BaseURL}}/openam/XUI/login"
+ - "{{BaseURL}}/openam/XUI/#login"
+ - "{{BaseURL}}/am/UI/Login"
+ - "{{BaseURL}}/am/UI/#login"
+ - "{{BaseURL}}/am/XUI/"
+ - "{{BaseURL}}/am/XUI/Login"
+ - "{{BaseURL}}/am/json/serverinfo/*"
+ - "{{BaseURL}}/openam/json/serverinfo/*"
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
 matchers:
- - type: dsl
- dsl:
- - 'contains(body, "jato.pageSession") && status_code==200'
\ No newline at end of file
+ - type: word
+ words:
+ - 'urlArgs : "v='
+ - 'Sign in to OpenAM'
+ - 'ForgeRock'
+ - 'forgerock'
+ - 'FRForgotUsername'
+ - 'successfulUserRegistrationDestination'
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - 'urlArgs : "v=([0-9.abcd]+)'
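Review bot: The word matcher's `ForgeRock`/`forgerock` tokens under `condition: or`, gated only by a 200 status, will flag any page that merely mentions the vendor name (documentation, another ForgeRock product's landing page, or whatever `redirects: true` lands on within two hops), so this detection is considerably looser than the `jato.pageSession` DSL it replaces. Consider dropping those two vendor-name tokens, or pairing them with a page-specific token, and keeping the precise markers (`urlArgs : "v=`, `Sign in to OpenAM`, `FRForgotUsername`, `successfulUserRegistrationDestination`) as the OR set. Separately, five of the added paths carry a URL fragment (`/XUI/#login`, `/sso/UI/#login`, `/openam/UI/#loginlogin`, `/openam/XUI/#login`, `/am/UI/#login`); fragments are not transmitted by HTTP clients, so these appear to duplicate the fragment-less requests, and `#loginlogin` looks like a typo. The `info` block also loses its `description:` and `reference:` with nothing in their place; a one-line `description: Detects OpenAM/OpenSSO deployments by their XUI/UI login pages and the json/serverinfo endpoint` would keep the template self-explanatory.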