chore(BChecks): Add UUID Detected - GUID versions

PortSwigger · Nov 2, 2023 · 67e794c · 67e794c
1 parent e7ed2fc
commit 67e794c
Showing 1 changed file with 87 additions and 0 deletions.
diff --git a/other/uuid-detected-guid-versions.bcheck b/other/uuid-detected-guid-versions.bcheck
@@ -0,0 +1,87 @@
+metadata:
+    language: v1-beta
+    name: "UUID detected"
+    description: "GUID Versions"
+    description: "This bcheck template passively identifies and reports the use of various UUID versions within application requests."
+
+    author: "vavkamil"
+    tags: "passive", "guid", "uuid"
+
+define:
+    references = "References
+- https://www.intruder.io/research/in-guid-we-trust
+- https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248
+- https://datatracker.ietf.org/doc/html/rfc4122
+- https://www.uuidtools.com/uuid-versions-explained"
+    detail_uuid_v1 = `The request contains GUID Version 1 at
+
+{latest.request.url}
+
+The GUID is generated using
+    - Current timestamp
+    - A clock sequence that remains static for the duration of the system's uptime
+    - A node ID, often based on the system's MAC address (if accessible).
+
+{references}`
+    detail_uuid_v3 = `The request contains GUID Version 3 at
+
+{latest.request.url}
+
+The GUID is generated using the MD5 hash of a name combined with a namespace ID.
+
+{references}`
+    detail_uuid_v4 = `The request contains GUID Version 4 at
+
+{latest.request.url}
+
+The GUID is generated randomly, making it unpredictable and more complicated to reproduce.
+
+It's considered safer for most use-cases compared to other versions, although its entropy should be checked.
+
+{references}`
+    detail_uuid_v5 = `The request contains GUID Version 5 at
+
+{latest.request.url}
+
+The GUID is generated using the SHA-1 hash of a name combined with a namespace ID.
+
+{references}`
+    issueRemediation = "The application should use GUID v4, which is randomly generated.
+
+An attacker might be able to generate UUID using predictable data."
+    issueRemediation_ok = "The application is using GUID v4, which is randomly generated."
+
+given response then
+    # UUID v1 - RFC 4122 variant
+    # Example: 0f9a9c50-79b9-11ee-b962-0242ac120002
+    if {base.request.url} matches "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}" then
+        report issue:
+            severity: high
+            confidence: firm
+            detail: `{detail_uuid_v1}`
+            remediation: `{issueRemediation}`
+    # UUID v3 - RFC 4122 variant
+    # Example: 3d813cbb-47fb-32ba-91df-831e1593ac29
+    else if {base.request.url} matches "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[3][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}" then
+        report issue:
+            severity: low
+            confidence: firm
+            detail: `{detail_uuid_v3}`
+            remediation: `{issueRemediation}`
+    # UUID v4 - RFC 4122 variant
+    # Example: 9f1e379d-e839-4d3a-9c2a-1d4dde67f75c
+    else if {base.request.url} matches "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: `{detail_uuid_v4}`
+            remediation: `{issueRemediation_ok}`
+    # UUID v5 - RFC 4122 variant
+    # Example: 74738ff5-5367-5958-9aee-98fffdcd1876
+    else if {base.request.url} matches "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}" then
+        report issue:
+            severity: low
+            confidence: firm
+            detail: `{detail_uuid_v5}`
+            remediation: `{issueRemediation}`
+    end if