Added Multiple misconfiguration checks

SAP Directory Listing.bcheck Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck Apache Tomcat Manager Path Normalization Panel.bcheck Cloudflare External Image Resizing Misconfiguration.bcheck Etcd Server - Unauthenticated Access.bcheck Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck Rails CRLF and XSS.bcheck
PortSwigger · Jul 15, 2023 · 92f2395 · 92f2395
1 parent dabd08f
commit 92f2395
Show file tree

Hide file tree

Showing 7 changed files with 192 additions and 0 deletions.
diff --git a/other/Apache Tomcat Manager Path Normalization Panel.bcheck b/other/Apache Tomcat Manager Path Normalization Panel.bcheck
@@ -0,0 +1,31 @@
+metadata:
+	language: v1-beta
+	name: "Apache Tomcat Manager Path Normalization Panel - Detect"
+	author: "Parimal Shaw"
+	description: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it confirms to a valid path on the target operating system."
+	tags: "Apache Tomcat Misconfiguration"
+
+run for each:
+    potential_path = 
+		"/..;/manager/html",
+		"/..;/..;/manager/html;/",
+		"/..;/hostmanager/html",
+		"/..;/..;/hostmanager/html;/",
+		"/bchecktest/..;/manager/html",
+		"/bchecktest/..;/hostmanager/html"
+
+
+given host then
+    send request called check:
+		method: "GET"
+		path: {potential_path}
+
+			if {check.response.status_code} is "403" 
+			and "username=\"tomcat\" password=\"s3cret\"" in {check.response.body} 
+			and "manager-gui" in {check.response.body} then
+					report issue:
+						severity: info
+						confidence: certain
+						detail: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target operating system."
+						remediation: "Ensure to accept only the whitelisted path and directory or implement proper access control to the following directory"
+			end if
diff --git a/other/Cloudflare External Image Resizing Misconfiguration.bcheck b/other/Cloudflare External Image Resizing Misconfiguration.bcheck
@@ -0,0 +1,26 @@
+metadata:
+	language: v1-beta
+	name: "Cloudflare External Image Resizing Misconfiguration"
+	author: "Parimal Shaw"
+	description: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin."
+	tags: "Cloudflare Misconfiguration"
+
+define:
+    potential_path = `/cdn-cgi/image/width/https://{generate_collaborator_address()}`
+
+
+given host then
+    send request called check:
+	method: "GET"
+	replacing headers:
+		"Accept": "*/*"
+	path: {potential_path}
+
+
+	  if http interactions then
+	  report issue:
+            severity: info
+            confidence: certain
+            detail: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin."
+            remediation: "Disable image Resizing from all origin or restrict it to certain doamins in Cloudflare."
+end if
diff --git a/other/Etcd Server - Unauthenticated Access.bcheck b/other/Etcd Server - Unauthenticated Access.bcheck
@@ -0,0 +1,27 @@
+metadata:
+	language: v1-beta
+	name: "Etcd Server - Unauthenticated Access"
+	author: "Parimal Shaw"
+	description: "A Kubernetes etcd server stores the cluster secrets and configurations files. Anonymous access on etcd allows unauthenticated access the data without providing any authentication credentials."
+	tags: "Kubernetes Misconfiguration"
+
+define:
+    potential_path = "/v2/keys/"
+
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "200" 
+	  and "\"node\":" in {check.response.body} 
+	  and "\"key\":" in {check.response.body} 
+	  and "application/json" in {check.response.headers} then
+	  report issue:
+            severity: high
+            confidence: certain
+            detail: "A Kubernetes etcd server cluster secrets and configurations files are accessible."
+            remediation: "Implement the following remediation https://etcd.io/docs/v2.3/authentication/"
+end if
diff --git a/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck b/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck
@@ -0,0 +1,29 @@
+metadata:
+	language: v1-beta
+	name: "Kubernetes Pods - API Discovery & Remote Code Execution"
+	author: "Parimal Shaw"
+	description: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
+	tags: "Kubernetes Misconfiguration"
+
+
+run for each:
+    potential_path = 
+		"/pods",
+		"/api/v1/pods"
+
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "200" 
+	  and "apiVersion" in {check.response.body}
+	  and "application/json" in {check.response.headers} then
+	  report issue:
+            severity: high
+            confidence: certain
+            detail: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
+            remediation: "Ensure to Disable access to following instances in Kubernetes."
+end if
diff --git a/other/Rails CRLF and XSS.bcheck b/other/Rails CRLF and XSS.bcheck
@@ -0,0 +1,24 @@
+metadata:
+	language: v1-beta
+	name: "Ruby on Rails - CRLF Injection and Cross-Site Scripting"
+	author: "Parimal Shaw"
+	description: "Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting."
+	tags: "Rails CRLF and XSS"
+
+define:
+    potential_path = "/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa"
+
+
+given host then
+    send request called check:
+	method: "POST"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "302" and "javascript:alert(1)" in {check.response.body} and "Location: aaaaa" in {check.response.headers} and "text/html" in {check.response.headers} then
+	  report issue:
+            severity: medium
+            confidence: certain
+            detail: `Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.`
+            remediation: "Ensure the location value is set as default value and XSS,CRLF payloads should be Blocked by application"
+end if
diff --git a/other/SAP Directory Listing.bcheck b/other/SAP Directory Listing.bcheck
@@ -0,0 +1,27 @@
+metadata:
+	language: v1-beta
+	name: "SAP Directory Listing"
+	author: "Parimal Shaw"
+	description: "Within SAP NetWeaver, directory listing is enabled."
+	tags: "SAP NetWeaver Misconfiguration"
+
+define:
+    potential_path = "/irj/go/km/navigation/"
+
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "200" 
+	  and "title=\"~system\"" in {check.response.body} 
+	  and "NetWeaver" in {check.response.body} 
+	  and "text/html" in {check.response.headers} then
+	  report issue:
+            severity: medium
+            confidence: certain
+            detail: "In SAP NetWeaver the directory listing is enabled or not configured properly."
+            remediation: "Ensure to Disable directory listing."
+end if
diff --git a/other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck b/other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck
@@ -0,0 +1,28 @@
+metadata:
+	language: v1-beta
+	name: "Xdebug remote code execution via xdebug.remote_connect_back"
+	author: "Parimal Shaw"
+	description: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network."
+	tags: "Cloudflare Misconfiguration"
+
+define:
+    potential_path = "/?XDEBUG_SESSION_START=bchecks"
+
+
+given host then
+    send request called check:
+	method: "GET"
+        headers:
+		"X-Forwarded-For:": `{generate_collaborator_address()}`
+	path: {potential_path}
+
+
+	  if dns interactions
+	  and {check.response.status_code} is "200"
+	  and "Set-Cookie: XDEBUG_SESSION=" in {check.response.headers} then
+	  report issue:
+            severity: high
+            confidence: certain
+            detail: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network."
+            remediation: "Upgrade the XDebug extension to the latest version."
+end if