id: exposed-alps-spring

info:
  name: Exposed Spring Data REST Application-Level Profile Semantics (ALPS)
  author: dwisiswant0
  severity: medium
  reference:
    - https://niemand.com.ar/2021/01/08/exploiting-application-level-profile-semantics-apls-from-spring-data-rest/
  metadata:
    max-request: 3
  tags: exposure,spring,files

http:
  - method: GET
    path:
      - "{{BaseURL}}/profile"
      - "{{BaseURL}}/api/profile"
      - "{{BaseURL}}/alps/profile"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "_links"
          - "/alps/"
          - "profile"
        condition: and
        part: body

      - type: word
        words:
          - "application/hal+json"
        part: header

      - type: status
        status:
          - 200

# digest: 4a0a004730450221008effeb5aae8d37c9efc3977ae666d2d9bc29d349b383f5b1e5874c36fef3d904022063df669f2b2891fffdf9c6402310352de8e782426d77b3ed69cf1a90b54cbf7a:922c64590222798bb761d5b6d8e72950