
Can't dns interactions be detected at given insertion point then? #16

Closed
chain00x opened this issue Jun 21, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@chain00x

This is my code, and I know for sure that there will be a callback, but an error is reported in the event log.

[image]

This is my complete code

```
metadata:
    language: v1-beta
    name: "Request-level collaborator based"
    description: "Blind SSRF with out-of-band detection"
    author: "Carlos Montoya"

given insertion point then
    send payload:
        replacing: {generate_collaborator_address()}

    if dns interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "This site fetches arbitrary URLs specified in the Referer header."
            remediation: "Ensure that the site does not directly request URLs from the Referer header."
    end if
```
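The BCheck above relies on two things that are easy to take for granted: every insertion point gets its own unique collaborator subdomain, and an out-of-band interaction is attributed to an insertion point by matching the hostname the target looked up (or connected to) against those subdomains. The following Python model of that flow is an added example and is not code from the issue or from the BChecks project; the request shape, the `oastify.example` placeholder domain, the function names, and the simulated vulnerable server (which mirrors the `curl -I` behaviour of the Flask handler chain00x posts later in the thread) are all assumptions.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed placeholder domain; a real Collaborator server issues its own.
COLLAB_DOMAIN = "oastify.example"


@dataclass
class Request:
    method: str
    url: str
    headers: dict


@dataclass
class Probe:
    insertion_point: str    # e.g. "query:url" or "header:Referer"
    collaborator_host: str  # unique per probe, so a hit is attributable
    request: Request


def generate_collaborator_address(domain=COLLAB_DOMAIN):
    """Unique subdomain per probe, mirroring the BCheck helper of the same name."""
    return f"{secrets.token_hex(8)}.{domain}"


def insertion_points(req):
    """Yield (name, mutator) for each query parameter and each request header."""
    parts = urlsplit(req.url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        def mutate_query(payload, i=i):
            new = list(params)
            new[i] = (new[i][0], payload)
            return Request(req.method, urlunsplit(parts._replace(query=urlencode(new))), dict(req.headers))
        yield f"query:{name}", mutate_query
    for header in req.headers:
        def mutate_header(payload, header=header):
            hdrs = dict(req.headers)
            hdrs[header] = payload
            return Request(req.method, req.url, hdrs)
        yield f"header:{header}", mutate_header


def build_probes(req, with_scheme=True):
    """One mutated request per insertion point, each carrying its own collaborator host."""
    probes = []
    for name, mutate in insertion_points(req):
        host = generate_collaborator_address()
        payload = f"http://{host}/" if with_scheme else host
        probes.append(Probe(name, host, mutate(payload)))
    return probes


def correlate(probes, interactions, kinds=("dns", "http")):
    """Map recorded interactions ({"type": "dns"|"http", "host": ...}) back to the
    insertion point whose collaborator host they name. Only the listed kinds count,
    which is what `if dns interactions then` versus `if http interactions then` selects."""
    by_host = {p.collaborator_host: p.insertion_point for p in probes}
    hits = {}
    for ev in interactions:
        if ev["type"] not in kinds:
            continue
        host = ev["host"].lower().rstrip(".")
        for chost, point in by_host.items():
            # a DNS query may be for the name itself or for a label beneath it
            if host == chost or host.endswith("." + chost):
                hits.setdefault(point, []).append(ev["type"])
    return hits


def simulate_vulnerable_server(req):
    """Constructed stand-in for the issue's Flask /2 endpoint: curl -I on the
    'url' parameter causes one DNS lookup and one HTTP request to that host."""
    target = dict(parse_qsl(urlsplit(req.url).query)).get("url")
    if not target:
        return []
    host = urlsplit(target).hostname or target   # bare host: curl defaults to http://
    return [{"type": "dns", "host": host}, {"type": "http", "host": host}]


def run_check(base_request, kinds=("dns", "http")):
    """Send every probe to the simulated target and attribute what comes back."""
    probes = build_probes(base_request)
    interactions = []
    for p in probes:
        interactions += simulate_vulnerable_server(p.request)
    return correlate(probes, interactions, kinds)


# Constructed base request modelled on the one in the issue (port 8090, /2?url=...)
BASE_REQUEST = Request("GET", "http://127.0.0.1:8090/2?url=http://example.com/&id=1",
                       {"Referer": "http://example.com/"})

if __name__ == "__main__":
    print(run_check(BASE_REQUEST))                  # {'query:url': ['dns', 'http']}
    print(run_check(BASE_REQUEST, kinds=("dns",)))  # {'query:url': ['dns']}
```

Only the `url` parameter produces a hit; the `id` parameter and the Referer header are probed with their own subdomains and never show up, which is exactly the attribution a correct `given insertion point then` check must make. Note that the DNS lookup precedes the HTTP request, so a check on `dns interactions` should fire for any target that reaches out at all, not only for those whose HTTP request completes.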

@genuinemoses (Contributor)

Hi @chain00x, could you elaborate on what you're trying to achieve?
It looks like you want to insert a collaborator address to nested insertion points in a request to find potential OOB SSRF.
The code seems to work fine as executed by Burp Scanner.

@chain00x (Author) commented Jun 21, 2023

Thank you for your reply

Yes, I'll replace each parameter with a collaborator address and issue a request to see if it calls back.

This is my code on my server

```python
from flask import Flask, request
import subprocess

app = Flask(__name__)

# Deliberately vulnerable test target: fetches whatever URL the client supplies.
@app.route('/2', methods=['GET'])
def curl_request():
    url = request.args.get('url')
    if url is None:
        return 'Please provide a URL parameter', 400

    command = ['curl', '-I', url]
    result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output = result.stdout.decode('utf-8')
    if result.returncode != 0:
        error = result.stderr.decode('utf-8')
        return f'curl command failed: {error}', 500

    return output, 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8090)
```

This is a base request

[image]

This is a request BChecks sends

[image]

It is clear that the request was made, but no issue was received.

I found an error here

[image]

But when I test the Referer header, I get an issue report.

The code on the server is like this:

```python
from flask import Flask, request
import subprocess

app = Flask(__name__)

# Deliberately vulnerable test target: fetches the URL given in the Referer header.
@app.route('/', methods=['GET'])
def curl_request():
    referer = request.headers.get('Referer')
    if referer is None:
        return 'Please provide a Referer header', 400

    command = ['curl', '-I', referer]
    result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output = result.stdout.decode('utf-8')
    if result.returncode != 0:
        error = result.stderr.decode('utf-8')
        return f'curl command failed: {error}', 500

    return output, 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8090)
```

BCheck code:

```
metadata:
    language: v1-beta
    name: "Request-level collaborator based"
    description: "Blind SSRF with out-of-band detection"
    author: "Carlos Montoya"

given request then
    send request:
        headers:
            "Referer": {generate_collaborator_address()}

    if http interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "This site fetches arbitrary URLs specified in the Referer header."
            remediation: "Ensure that the site does not directly request URLs from the Referer header."
    end if
```

What I do know for sure is that there is an error in how BChecks checks whether there was a callback.

Because this code runs successfully and reports an issue:

```
metadata:
    language: v1-beta
    name: "ssrf"
    description: "ssrf"
    author: "chain00x"

given query or body insertion point then
    send payload:
        replacing: `https://{generate_collaborator_address()}/`

    if "1" in "111" then
        report issue:
            severity: high
            confidence: firm
            detail: "ssrf"
            remediation: "ssrf"
    end if
```

[image]
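Both Flask handlers above are intentionally vulnerable test targets, and the `remediation` text in the BChecks says what the fix is: do not fetch a URL the client hands you. The following hardened counterpart is an added example, not code from the issue or from the BChecks project. `validate_fetch_target`, `curl_argv`, `safe_head` and `fake_resolver` are names chosen here, the lookup table in `fake_resolver` is constructed so the example runs offline, and the allowed scheme and port sets are assumptions you would tune to the deployment.

```python
import ipaddress
import socket
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy
ALLOWED_PORTS = {80, 443}             # assumed policy


def system_resolver(host):
    """Resolve with the OS resolver; returns the set of address strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_target(url, resolver=system_resolver):
    """Return (ok, reason, addresses). Rejects non-http(s) schemes, embedded
    credentials, unusual ports, and any hostname that resolves to a loopback,
    private, link-local or otherwise non-public address (every address must pass)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "bad port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable", []
    if not addrs:
        return False, "unresolvable", []
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            return False, f"{host} resolves to non-public address {a}", []
    return True, "ok", sorted(addrs)


def curl_argv(url, pinned_addr):
    """Hardened replacement for ['curl', '-I', url]: protocol allowlist, no
    redirects, timeouts, and the host pinned to the address that was validated
    so a DNS rebind between the check and the fetch cannot redirect the request."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if ":" in pinned_addr:          # IPv6 literals are bracketed in --resolve
        pinned_addr = f"[{pinned_addr}]"
    return ["curl", "-sSI", "--proto", "=http,https", "--max-redirs", "0",
            "--connect-timeout", "5", "--max-time", "10",
            "--resolve", f"{parts.hostname}:{port}:{pinned_addr}", url]


def safe_head(url, resolver=system_resolver):
    """Hardened form of the issue's curl_request(): validate, then fetch pinned."""
    ok, reason, addrs = validate_fetch_target(url, resolver)
    if not ok:
        return f"refused: {reason}", 400
    result = subprocess.run(curl_argv(url, addrs[0]), capture_output=True, text=True)
    if result.returncode != 0:
        return "fetch failed", 502   # do not echo curl's stderr back to the client
    return result.stdout, 200


def fake_resolver(host):
    """Constructed lookup table so the example runs offline (addresses are made up)."""
    table = {"www.example.com": {"93.184.216.34"},
             "app.internal.example": {"10.0.0.5"},
             "rebind.example": {"93.184.216.34", "127.0.0.1"}}
    if host not in table:
        raise socket.gaierror("name not known")
    return table[host]


if __name__ == "__main__":
    for u in ("https://www.example.com/", "http://app.internal.example/",
              "http://169.254.169.254/latest/meta-data/", "http://127.0.0.1:8090/2"):
        print(u, validate_fetch_target(u, fake_resolver)[:2])
```

Run against the issue's own BChecks, a handler built this way refuses the collaborator payload outright only if the collaborator host resolves to a non-public address, which it normally does not; the point of the guard is that internal targets (metadata endpoints, `127.0.0.1:8090`, RFC 1918 hosts) are rejected before curl ever runs, and that curl cannot be steered elsewhere by a redirect or a second DNS answer. A stricter deployment would replace the resolver check with an explicit allowlist of hostnames.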

@genuinemoses (Contributor)

It looks like this is a valid issue, I've checked the interactions with external request capturing tools like http://pingb.in/ to confirm the issue.

The Bcheck definition may not be capturing the dns interactions. It could be the case that the Bcheck definition for dns interactions is not working as expected or it's misunderstood and misused.

Let's wait for the Portswigger team to respond and confirm if this is an issue.

@chain00x , @A-J-C ,@olliewuk

@chain00x (Author)

Ok, look forward to solving the problem

@A-J-C (Collaborator) commented Jun 26, 2023

Hi, we are currently looking into this issue and should be able to give you an update soon.

@A-J-C A-J-C added the bug Something isn't working label Jun 26, 2023
@A-J-C (Collaborator) commented Jun 27, 2023

We've figured the issue out and have a fix in place. This will be live when 2023.6 hits stable later this week.

Thank you very much for the report!

@A-J-C A-J-C closed this as completed Jun 27, 2023
@A-J-C A-J-C mentioned this issue Jul 2, 2023
3 participants