You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This check was written by @DeliciousBounty, waiting on improvements to GET requests that should be added soon and will make these easier to write and test
pub async fn check_for_ssrf(&self, auth: &Authorization) -> (CheckRetVal, Vec<String>) {
let mut ret_val = CheckRetVal::default();
let mut provider_vec = vec![];
let provider_hash = HashMap::from([
("Amazon", "http://169.254.169.254/"),
("Google", "http://169.254.169.254/computeMetadata/v1/"),
("Digital", "http://169.254.169.254/metadata/v1.json"),
("Azure", "http://169.254.169.254/metadata/v1/maintenance"),
]);
let base_url = self.oas.servers().unwrap().get(0).unwrap().clone(); //todo ouch
for (path, item) in &self.oas.get_paths() {
for (m, op) in item.get_ops().iter().filter(|(m, _)| m == &Method::GET) {
let mut param_is_good_to_send = false;
for (provider_item, value_to_send) in &provider_hash {
let mut params_vec = vec![];
let payload_get_param = create_payload_for_get(
&self.oas_value,
op,
Some(value_to_send.to_string()),
);
for parameter_item in payload_get_param {
if parameter_item.dm == QuePay::Query {
if LIST_PARAM.contains(¶meter_item.name.as_str()) {
params_vec.push(parameter_item);
param_is_good_to_send = true;
}
} else {
params_vec.push(parameter_item);
}
}
if param_is_good_to_send {
provider_vec.push(provider_item.to_string());
println!("SSRF GET: ----");
let req = AttackRequest::builder()
.uri(&base_url.url, path)
.parameters(params_vec.clone())
.auth(auth.clone())
.method(m.to_owned())
.headers(vec![])
.auth(auth.clone())
.build();
if let Ok(res) = req.send_request(true).await {
//logging
//logging request/response/description
ret_val
.1
.push(&req, &res, "Testing ssrf for get ".to_string());
ret_val.0.push((
ResponseData{
location: path.clone(),
alert_text: format!("The parameter {:?} seems to be vulerable to open-redirect on the {} endpoint",¶ms_vec.last().unwrap(),path)//TODO Chekc if is it the correct parameter
},
res.clone(),
));
} else {
println!("REQUEST FAILED");
}
}
}
}
}
(ret_val, provider_vec)
}
pub async fn check_ssrf_post(&self, auth: &Authorization) -> (CheckRetVal, Vec<String>) {
println!("-------------------------POST SSRF-----------------------");
let mut ret_val = CheckRetVal::default();
let mut provider_vec = vec![];
let provider_hash = HashMap::from([
("Amazon", "http://169.254.169.254/"),
("Google", "http://169.254.169.254/computeMetadata/v1/"),
("Digital", "http://169.254.169.254/metadata/v1.json"),
("Azure", "http://169.254.169.254/metadata/v1/maintenance"),
]);
for oas_map in self.payloads.iter() {
for json_path in oas_map.payload.map.keys() {
for (m, _) in oas_map
.path
.path_item
//.filter(|| path_item==p)
.get_ops()
.iter()
.filter(|(m, _)| m == &Method::POST)
//947
{
let param_to_test =
&json_path.last().unwrap_or(&"empty".to_string()).to_owned()[..];
if LIST_PARAM.contains(¶m_to_test) {
for (provider_item, provider_value) in &provider_hash {
if let Some(server) = self.oas.servers().and_then(|servers| servers.first().cloned()){
provider_vec.push(provider_item.to_string());
let req = AttackRequest::builder()
.uri(&server.url, &oas_map.path.path)
.method(*m)
.headers(vec![])
.parameters(vec![])
.auth(auth.clone())
.payload(
&change_payload(
&oas_map.payload.payload,
json_path,
json!(provider_value),
)
.to_string(),
)
.build();
print!("POST SSRF : ");
if let Ok(res) = req.send_request(true).await {
//logging request/response/description
ret_val
.1
.push(&req, &res, "Testing SSRF VALUES".to_string());
ret_val.0.push((
ResponseData {
location: oas_map.path.path.clone(),
alert_text: format!(
"This {} parameter on the {} endpoint seems to be vulerable to ssrf.", json_path[json_path.len() - 1],¶m_to_test// json_path[json_path.len() - 1]
),
},
res.clone(),
));
println!(
"{}:{}",
"Status".green().bold(),
res.status.to_string().magenta()
);
} else {
println!("REQUEST FAILED");
}
}
}
}
}
}
}
(ret_val, provider_vec)
}
The text was updated successfully, but these errors were encountered:
This check was written by @DeliciousBounty, waiting on improvements to GET requests that should be added soon and will make these easier to write and test
The text was updated successfully, but these errors were encountered: