nuclei-templates/http/misconfiguration/microsoft/ms-exchange-local-domain.yaml

45 lines
1.5 KiB
YAML

id: ms-exchange-local-domain
info:
name: Microsoft Exchange Autodiscover - Local Domain Exposure
author: userdehghani
severity: info
description: |
Microsoft Exchange is prone to a local domain exposure using the Autodiscover v2 endpoint.
impact: |
An attacker can leverage this information for reconnaissance and targeted attacks.
remediation: |
Restrict access to the Autodiscover service or configure it to not expose local domain information.
reference:
- https://support.microsoft.com/en-gb/topic/autodiscover-v2-returns-internalurl-not-externalurls-in-other-site-774301e2-2d1e-d5e0-aa41-a49f6e9b06f4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
cwe-id: CWE-200
metadata:
verified: true
max-request: 1
shodan-query: http.title:outlook exchange
tags: misconfig, microsoft,ms-exchange,ad,dc
http:
- method: GET
path:
- "{{BaseURL}}/autodiscover/autodiscover.json?Protocol=ActiveSync&Email=user@domain.tld&RedirectCount=1"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- "(?i)(X-Calculatedbetarget:)"
- type: status
status:
- 200
- 302
extractors:
- type: kval
kval:
- x_calculatedbetarget
# digest: 4a0a0047304502210097f4e7ab5764e0db53da23c04266b429b571322e42b0fad09912690d7b6b6fdd02202724f2e0e85ee16b159f4fea95e7e21447c003fae169973816932c90f362a2c0:922c64590222798bb761d5b6d8e72950