Merge pull request #2175 from shelld3v/patch-5

Fix false positive
2021-07-25 15:25:02 +05:30 · 2021-07-25 15:25:02 +05:30 · c4fa0a9715
parent 3abd2ec8fc bb8a22401b
commit c4fa0a9715
2 changed files with 39 additions and 53 deletions
--- a/misconfiguration/linkerd-ssrf-detect.yaml
+++ b/misconfiguration/linkerd-ssrf-detect.yaml
@ -1,67 +1,21 @@
-id: linkerd-ssrf-detect
-
-# Detect the Linkerd service by overriding the delegation table and
-# inspect the response for:
-#   - a "Via: .. linkerd .."
-#   - a "l5d-err" and/or a "l5d-success" header
-#   - a verbose timeout error (binding timeout)
-#   - a full response
-# The full-response case indicates a possible SSRF condition, the others
-# only indicates the service presence.
-#
-# If a full-response is returned you should really manually probe requests with
-# the following header values:
-#
-#   - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
-#   - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
+id: linkerd-ssrf-detection

 info:
  name: Linkerd SSRF detection
  author: dudez
-  severity: info
-  tags: ssrf,linkerd
+  severity: high
+  tags: ssrf,linkerd,oob
+  reference: https://twitter.com/nirvana_msu/status/1084144955034165248

 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
-      l5d-dtab: /svc/* => /$/inet/example.com/443
+      l5d-dtab: /svc/* => /$/inet/{{interactsh-url}}/443

-    matchers-condition: or
    matchers:
-      - type: regex
-        name: via-linkerd-present
-        regex:
-          - '(?mi)^Via\s*?:.*?linkerd.*$'
-        part: header
-
-      - type: regex
-        name: l5d-err-present
-        regex:
-          - '(?mi)^l5d-err:.*$'
-        part: header
-
-      - type: regex
-        name: l5d-success-class-present
-        regex:
-          - '(?mi)^l5d-success-class: 0.*$'
-        part: header
-
      - type: word
-        name: ssrf-response-body
+        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
-          - '<p>This domain is for use in illustrative examples in documents.'
-        part: body
-
-      - type: regex
-        name: resolve-timeout-error-present
-        regex:
-          - '(?mi)Exceeded .*? binding timeout while resolving name'
-        part: body
-
-      - type: regex
-        name: dynbind-error-present
-        regex:
-          - '(?mi)exceeded .*? to unspecified while dyn binding'
-        part: body
+          - "http"
--- a/technologies/linkerd-service-detect.yaml
+++ b/technologies/linkerd-service-detect.yaml
@ -0,0 +1,32 @@
+id: linkerd-service-detect
+
+info:
+  name: Linkerd Service detection
+  author: dudez
+  severity: info
+  tags: tech,linkerd
+  reference: https://twitter.com/nirvana_msu/status/1084144955034165248
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    headers:
+      l5d-dtab: /svc/* => /$/inet/example.com/443
+
+    matchers-condition: or
+    matchers:
+      - type: regex
+        regex:
+          - '(?mi)^l5d-err:.*$'
+          - '(?mi)^l5d-success-class: 0.*$'
+          - '(?mi)^Via\s*?:.*?linkerd.*$'
+        part: header
+        condition: or
+
+      - type: regex
+        regex:
+          - '(?mi)Exceeded .*? binding timeout while resolving name'
+          - '(?mi)exceeded .*? to unspecified while dyn binding'
+        part: body
+        condition: or