id: exposed-alps-spring

info:
  name: Exposed Spring Data REST Application-Level Profile Semantics (ALPS)
  author: dwisiswant0
  severity: medium
  description: Exposed Spring Data profile semantics is exposed.
  reference:
    - https://niemand.com.ar/2021/01/08/exploiting-application-level-profile-semantics-apls-from-spring-data-rest/
  metadata:
    max-request: 3
  tags: exposure,spring,files

http:
  - method: GET
    path:
      - "{{BaseURL}}/profile"
      - "{{BaseURL}}/api/profile"
      - "{{BaseURL}}/alps/profile"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "_links"
          - "/alps/"
          - "profile"
        condition: and
        part: body

      - type: word
        words:
          - "application/hal+json"
        part: header

      - type: status
        status:
          - 200
# digest: 490a0046304402200703b103b73e6c9bfffc56b77551a83932ef1f4e983b9075e82b4a2128ffff800220240eb935da994b34aa984e070bd64175bee530216e73e19f9af3add0ee595d5e:922c64590222798bb761d5b6d8e72950