id: open-proxy-internal info: name: Open Proxy To Internal Network author: sullo severity: high description: The host is configured as a proxy which allows access to other hosts on the internal network. reference: - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/ - https://en.wikipedia.org/wiki/Open_proxy - https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cwe-id: CWE-441 remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. tags: exposure,config,proxy,misconfig,fuzz metadata: max-request: 25 http: - raw: - |+ GET / HTTP/1.1 Host: {{Hostname}} - |+ GET http://192.168.0.1/ HTTP/1.1 Host: 192.168.0.1 - |+ GET https://192.168.0.1/ HTTP/1.1 Host: 192.168.0.1 - |+ GET http://192.168.0.1:22/ HTTP/1.1 Host: 192.168.0.1 - |+ GET http://192.168.1.1/ HTTP/1.1 Host: 192.168.1.1 - |+ GET https://192.168.1.1/ HTTP/1.1 Host: 192.168.1.1 - |+ GET http://192.168.1.1:22/ HTTP/1.1 Host: 192.168.1.1 - |+ GET http://192.168.2.1/ HTTP/1.1 Host: 192.168.2.1 - |+ GET https://192.168.2.1/ HTTP/1.1 Host: 192.168.2.1 - |+ GET http://192.168.2.1:22/ HTTP/1.1 Host: 192.168.2.1 - |+ GET http:/10.0.0.1/ HTTP/1.1 Host: 10.0.0.1 - |+ GET https://10.0.0.1/ HTTP/1.1 Host: 10.0.0.1 - |+ GET http://10.0.0.1:22/ HTTP/1.1 Host: 10.0.0.1 - |+ GET http:/172.16.0.1/ HTTP/1.1 Host: 172.16.0.1 - |+ GET https://172.16.0.1/ HTTP/1.1 Host: 172.16.0.1 - |+ GET http://172.16.0.1:22/ HTTP/1.1 Host: 172.16.0.1 - |+ GET http:/intranet/ HTTP/1.1 Host: intranet - |+ GET https://intranet/ HTTP/1.1 Host: intranet - |+ GET http://intranet:22/ HTTP/1.1 Host: intranet - |+ GET http:/mail/ HTTP/1.1 Host: mail - |+ GET https://mail/ HTTP/1.1 Host: mail - |+ GET http://mail:22/ HTTP/1.1 Host: mail - |+ GET http:/ntp/ HTTP/1.1 Host: ntp - |+ GET https://ntp/ HTTP/1.1 Host: ntp - |+ GET http://ntp:22/ HTTP/1.1 Host: ntp unsafe: true matchers: - type: dsl dsl: - (!contains(body_1, "It works")) && (contains(body_2, "It works") || contains(body_3, "It works")) || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works") || contains(body_7, "It works") || contains(body_8, "It works") || contains(body_9, "It works") || contains(body_10, "It works") || contains(body_11, "It works") || contains(body_12, "It works") || contains(body_13, "It works") || contains(body_14, "It works") || contains(body_15, "It works") || contains(body_16, "It works") || contains(body_17, "It works") || contains(body_18, "It works") || contains(body_19, "It works") || contains(body_20, "It works") || contains(body_21, "It works") || contains(body_22, "It works") || contains(body_23, "It works") - (!contains(body_1, "IIS Windows Server")) && (contains(body_2, "IIS Windows Server") || contains(body_3, "IIS Windows Server")) || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server") || contains(body_7, "IIS Windows Server") || contains(body_8, "IIS Windows Server") || contains(body_9, "IIS Windows Server") || contains(body_10, "IIS Windows Server") || contains(body_11, "IIS Windows Server") || contains(body_12, "IIS Windows Server") || contains(body_13, "IIS Windows Server") || contains(body_14, "IIS Windows Server") || contains(body_15, "IIS Windows Server") || contains(body_16, "IIS Windows Server") || contains(body_17, "IIS Windows Server") || contains(body_18, "IIS Windows Server") || contains(body_19, "IIS Windows Server") || contains(body_20, "IIS Windows Server") || contains(body_21, "IIS Windows Server") || contains(body_22, "IIS Windows Server") || contains(body_23, "IIS Windows Server") - (!contains(body_1, "IIS7")) && (contains(body_2, "IIS7") || contains(body_3, "IIS7")) || contains(body_4, "IIS7") || contains(body_5, "IIS7") || contains(body_6, "IIS7") || contains(body_7, "IIS7") || contains(body_8, "IIS7") || contains(body_9, "IIS7") || contains(body_10, "IIS7") || contains(body_11, "IIS7") || contains(body_12, "IIS7") || contains(body_13, "IIS7") || contains(body_14, "IIS7") || contains(body_15, "IIS7") || contains(body_16, "IIS7") || contains(body_17, "IIS7") || contains(body_18, "IIS7") || contains(body_19, "IIS7") || contains(body_20, "IIS7") || contains(body_21, "IIS7") || contains(body_22, "IIS7") || contains(body_23, "IIS7") - (!contains(body_1, "Welcome to Windows")) && (contains(body_2, "Welcome to Windows") || contains(body_3, "Welcome to Windows")) || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows") || contains(body_7, "Welcome to Windows") || contains(body_8, "Welcome to Windows") || contains(body_9, "Welcome to Windows") || contains(body_10, "Welcome to Windows") || contains(body_11, "Welcome to Windows") || contains(body_12, "Welcome to Windows") || contains(body_13, "Welcome to Windows") || contains(body_14, "Welcome to Windows") || contains(body_15, "Welcome to Windows") || contains(body_16, "Welcome to Windows") || contains(body_17, "Welcome to Windows") || contains(body_18, "Welcome to Windows") || contains(body_19, "Welcome to Windows") || contains(body_20, "Welcome to Windows") || contains(body_21, "Welcome to Windows") || contains(body_22, "Welcome to Windows") || contains(body_23, "Welcome to Windows") - (!contains(body_1, "Welcome to Microsoft Windows")) && (contains(body_2, "Welcome to Microsoft Windows") || contains(body_3, "Welcome to Microsoft Windows")) || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows") || contains(body_7, "Welcome to Microsoft Windows") || contains(body_8, "Welcome to Microsoft Windows") || contains(body_9, "Welcome to Microsoft Windows") || contains(body_10, "Welcome to Microsoft Windows") || contains(body_11, "Welcome to Microsoft Windows") || contains(body_12, "Welcome to Microsoft Windows") || contains(body_13, "Welcome to Microsoft Windows") || contains(body_14, "Welcome to Microsoft Windows") || contains(body_15, "Welcome to Microsoft Windows") || contains(body_16, "Welcome to Microsoft Windows") || contains(body_17, "Welcome to Microsoft Windows") || contains(body_18, "Welcome to Microsoft Windows") || contains(body_19, "Welcome to Microsoft Windows") || contains(body_20, "Welcome to Microsoft Windows") || contains(body_21, "Welcome to Microsoft Windows") || contains(body_22, "Welcome to Microsoft Windows") || contains(body_23, "Welcome to Microsoft Windows") - (!contains(body_1, "Welcome to IIS")) && (contains(body_2, "Welcome to IIS") || contains(body_3, "Welcome to IIS")) || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS") || contains(body_7, "Welcome to IIS") || contains(body_8, "Welcome to IIS") || contains(body_9, "Welcome to IIS") || contains(body_10, "Welcome to IIS") || contains(body_11, "Welcome to IIS") || contains(body_12, "Welcome to IIS") || contains(body_13, "Welcome to IIS") || contains(body_14, "Welcome to IIS") || contains(body_15, "Welcome to IIS") || contains(body_16, "Welcome to IIS") || contains(body_17, "Welcome to IIS") || contains(body_18, "Welcome to IIS") || contains(body_19, "Welcome to IIS") || contains(body_20, "Welcome to IIS") || contains(body_21, "Welcome to IIS") || contains(body_22, "Welcome to IIS") || contains(body_23, "Welcome to IIS") - (!contains(body_1, "503 Service Unavailable")) && (contains(body_2, "503 Service Unavailable") || contains(body_3, "503 Service Unavailable")) || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable") || contains(body_7, "503 Service Unavailable") || contains(body_8, "503 Service Unavailable") || contains(body_9, "503 Service Unavailable") || contains(body_10, "503 Service Unavailable") || contains(body_11, "503 Service Unavailable") || contains(body_12, "503 Service Unavailable") || contains(body_13, "503 Service Unavailable") || contains(body_14, "503 Service Unavailable") || contains(body_15, "503 Service Unavailable") || contains(body_16, "503 Service Unavailable") || contains(body_17, "503 Service Unavailable") || contains(body_18, "503 Service Unavailable") || contains(body_19, "503 Service Unavailable") || contains(body_20, "503 Service Unavailable") || contains(body_21, "503 Service Unavailable") || contains(body_22, "503 Service Unavailable") || contains(body_23, "503 Service Unavailable") - (!contains(body_1, "default welcome page")) && (contains(body_2, "default welcome page") || contains(body_3, "default welcome page")) || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page") || contains(body_7, "default welcome page") || contains(body_8, "default welcome page") || contains(body_9, "default welcome page") || contains(body_10, "default welcome page") || contains(body_11, "default welcome page") || contains(body_12, "default welcome page") || contains(body_13, "default welcome page") || contains(body_14, "default welcome page") || contains(body_15, "default welcome page") || contains(body_16, "default welcome page") || contains(body_17, "default welcome page") || contains(body_18, "default welcome page") || contains(body_19, "default welcome page") || contains(body_20, "default welcome page") || contains(body_21, "default welcome page") || contains(body_22, "default welcome page") || contains(body_23, "default welcome page") - (!contains(body_1, "Microsoft Azure App")) && (contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App") - (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh") - (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH") condition: or # Enhanced by mp on 2022/04/21