OWASP / OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
http://owasp.org/OFFAT/
MIT License

False positive on SSTI check #96

Closed nrathaus closed 2 months ago

nrathaus commented 2 months ago

Broken Crystals is a demo site (listed here: https://owasp.org/www-project-vulnerable-web-applications-directory/ ) that can be used for testing your skills/software

The site highlights a few false positives that the engine generates, the most notable one is this one:

A few issues here:

  1. The value of 49 appears unrelated to user input.
  2. There is no user input here, i.e. nowhere to put the payload in. From what I can see in the code, {7*7} is not sent. This test should have been skipped, or at the very least:
     A. Check if the 49 appears without sending anything.
     B. If it appears because of our payload, try another similar payload like {8*8}, and if that also matches, return it as vulnerable.
```json
{
  "url": "https://brokencrystals.com:443/api/secrets",
  "endpoint": "/api/secrets",
  "method": "GET",
  "body_params": [],
  "query_params": [],
  "path_params": [],
  "security": [],
  "test_name": "SSTI Test",
  "malicious_payload": "*{7*7}",
  "result_details": "One or more parameter is vulnerable to SSTI Attack",
  "response_filter": "BODY_REGEX_FILTER",
  "response_match_regex": "49",
  "request_headers": {
    "Host": "brokencrystals.com",
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Python/3.10 aiohttp/3.9.5"
  },
  "response_headers": {
    "Date": "Mon, 06 May 2024 06:30:00 GMT",
    "Content-Type": "application/json; charset=utf-8",
    "Content-Length": "1186",
    "Connection": "keep-alive",
    "Vary": "Origin",
    "Access-Control-Allow-Origin": "*",
    "x-xss-protection": "0",
    "strict-transport-security": "max-age=15724800; includeSubDomains",
    "x-content-type-options": "1",
    "content-security-policy": "default-src  * 'unsafe-inline' 'unsafe-eval'",
    "Set-Cookie": "bc-calls-counter=1714977000008"
  },
  "response_body": "{\"codeclimate\":\"CODECLIMATE_REPO_TOKEN=62864c476ade6ab9d10d0ce0901ae2c211924852a28c5f960ae5165c1fdfec73\",\"facebook\":\"EAACEdEose0cBAHyDF5HI5o2auPWv3lPP3zNYuWWpjMrSaIhtSvX73lsLOcas5k8GhC5HgOXnbF3rXRTczOpsbNb54CQL8LcQEMhZAWAJzI0AzmL23hZByFAia5avB6Q4Xv4u2QVoAdH0mcJhYTFRpyJKIAyDKUEBzz0GgZDZD\",\"google_b64\":\"QUl6YhT6QXlEQnbTr2dSdEI1W7yL2mFCX3c4PPP5NlpkWE65NkZV\",\"google_oauth\":\"188968487735-c7hh7k87juef6vv84697sinju2bet7gn.apps.googleusercontent.com\",\"google_oauth_token\":\"ya29.a0TgU6SMDItdQQ9J7j3FVgJuByTTevl0FThTEkBs4pA4-9tFREyf2cfcL-_JU6Trg1O0NWwQKie4uGTrs35kmKlxohWgcAl8cg9DTxRx-UXFS-S1VYPLVtQLGYyNTfGp054Ad3ej73-FIHz3RZY43lcKSorbZEY4BI\",\"heroku\":\"herokudev.staging.endosome.975138 pid=48751 request_id=0e9a8698-a4d2-4925-a1a5-113234af5f60\",\"hockey_app\":\"HockeySDK: 203d3af93f4a218bfb528de08ae5d30ff65e1cf\",\"outlook\":\"https://outlook.office.com/webhook/7dd49fc6-1975-443d-806c-08ebe8f81146@a532313f-11ec-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8436f62b50ab41b3b93ba1c0a50a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18\",\"paypal\":\"access_token$production$x0lb4r69dvmmnufd$3ea7cb281754b7da7dac131ef5783321\",\"slack\":\"xoxo-175588824543-175748345725-176608801663-826315f84e553d482bb7e73e8322sdf3\"}",
  "response_status_code": 200,
  "redirection": "()",
  "error": false,
  "regex_match_result": "<re.Match object; span=(717, 719), match='49'>",
  "result": false,
  "data_leak": {
    "ato_data": ["access_token"],
    "PhoneNumberIN": [
      ["188968487735", "", "", "", "", "", "188968487735", "188968487735", "", ""],
      ["175588824543", "", "", "", "", "", "175588824543", "175588824543", "", ""],
      ["175748345725", "", "", "", "", "", "175748345725", "175748345725", "", ""],
      ["176608801663", "", "", "", "", "", "176608801663", "176608801663", "", ""]
    ]
  }
},
```
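The verification flow proposed above (skip tests with no injection point, check the marker against a no-payload baseline, then require a second arithmetic probe to agree), as an added Python example that is not OFFAT's code. The extra probe pairs beyond {7*7}, the MIN_CONFIRMATIONS threshold and the abridged baseline body are assumptions:

```python
import re
from dataclasses import dataclass

# Hypothetical arithmetic probes and the value a template engine would render
# for each; the issue's own test uses only the first pair.
PROBES = (("{7*7}", "49"), ("{8*8}", "64"), ("{11*11}", "121"))
MIN_CONFIRMATIONS = 2  # two independent renders before calling it SSTI


@dataclass
class Verdict:
    vulnerable: bool
    reason: str


def has_injection_point(finding: dict) -> bool:
    """A payload test needs somewhere to put the payload; otherwise skip it."""
    return any(finding.get(k) for k in ("body_params", "query_params", "path_params"))


def ssti_verdict(baseline_body: str, probe_bodies: dict) -> Verdict:
    """Decide SSTI from a baseline (no payload) response and one response per probe.

    A probe counts only if its expected value is absent from the baseline
    (a bare '49' inside a token is not evidence) and present in its own
    response; the endpoint is flagged only after MIN_CONFIRMATIONS such probes.
    """
    confirmed = []
    for payload, expected in PROBES:
        if re.search(re.escape(expected), baseline_body):
            continue  # already in the page without us: inconclusive, not proof
        body = probe_bodies.get(payload, "")
        if not re.search(re.escape(expected), body):
            return Verdict(False, f"{payload} did not render {expected}")
        confirmed.append(payload)
    if len(confirmed) >= MIN_CONFIRMATIONS:
        return Verdict(True, f"rendered arithmetic for {', '.join(confirmed)}")
    return Verdict(False, f"only {len(confirmed)} conclusive probe(s)")


# Constructed, abridged from the response in the issue: the '4925' in a request
# id is the kind of substring the single-regex check reports as '49'.
BASELINE = '{"heroku":"pid=48751 request_id=0e9a8698-a4d2-4925-a1a5-113234af5f60"}'


def triage_issue_finding() -> Verdict:
    """The /api/secrets case: GET with no params, so every probe returns the baseline."""
    return ssti_verdict(BASELINE, {p: BASELINE for p, _ in PROBES})
```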
dmdhrumilmistry commented 2 months ago

Ahh, I'm aware of this issue.

nrathaus commented 2 months ago

Maybe a good idea (generally speaking) would be to add this https://github.com/ofw/curlify to the results? It will allow easier recreation of the finding outside of the tool.

On Mon, 6 May 2024 at 16:55, dmdhrumilmistry @.***> wrote:

Ahh, I'm aware of this issue.

  • I'll need to filter out GET methods without any query params; this will fix generating unnecessary tests and using bandwidth.
  • Currently, re-sending the payload will require extra handling. I want to implement another class function which can be used for verifying a vulnerability. For now, I'm transferring this problem to the user, until I figure out a long-term solution. For now users can use the -pr tag for verifying a vulnerability in a specific endpoint.


dmdhrumilmistry commented 2 months ago

Nice suggestion, I would also love this kind of feature in the tool. I'll need to find an alternative for this since OFFAT uses aiohttp instead of requests. Additionally, curlify doesn't seem to be maintained anymore.

nrathaus commented 2 months ago

Not sure what the status of this is: https://github.com/vzhirnov/asyncurlify

Even if it's not maintained, the code base seems pretty easy to integrate/use/assimilate.

dmdhrumilmistry commented 2 months ago

Ohh great, thanks for sharing. Before I saw your comment, I had already written a custom util function to curlify the result.

dmdhrumilmistry commented 2 months ago

Hopefully, #101 should reduce false positives for most of the test cases.

The curl command can be found in the exported JSON results.