OWASP / crAPI

completely ridiculous API (crAPI)
Apache License 2.0

Add direct command Injection vulnerability (CWE-77, OWASP API 8) #121

Open JBAhire opened 2 years ago

JBAhire commented 2 years ago

Is your feature request related to a problem? Please describe. Currently, we can use crAPI to demonstrate indirect command injection but we also want to add capabilities to demonstrate direct command injection.

Describe the solution you'd like @piyushroshan , can you guide us here for a solution?

afreen23 commented 2 years ago

Hello, I am working on a solution for this.

afreen23 commented 2 years ago

Hello @piyushroshan @JBAhire, can we use the API /identity/api/v2/user/videos/convert_video for exposing this vulnerability, since it requires running a conversion command in bash?

https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/service/Impl/ProfileServiceImpl.java#L241-L242

Though I am not sure what command is passed there ⬆️. Only params are being passed now: https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/entity/ProfileVideo.java#L31

While running in dev mode it kept saying "Failed to convert", since the x-forwarded-host headers were missing. https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/service/Impl/ProfileServiceImpl.java#L221-L248

I am looking into this but if you have any pointers or other suggestions please guide. Thanks!

piyushroshan commented 2 years ago

That's the indirect command injection in crAPI. We can for sure enhance in that direction. Since this is a GET request, maybe provide a query param as the conversion param in the GET request that can invoke the same pipeline.
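For contrast with the deliberately injectable endpoint being discussed, the following is an added example (not crAPI's code, and written in Python as a stand-in for the Java convert_video handler) of the defensive shape a user-supplied conversion parameter from a GET query string should have: the value is mapped through a fixed allowlist to known ffmpeg arguments, file names are checked against the pattern the service itself generates, and the command is built as an argv list so no shell ever parses user input. The names `ALLOWED_CONVERSIONS`, `build_argv` and `validate_conversion`, the allowed codec set and the file-name pattern are all assumptions made for this example.

```python
"""Allowlist validation for a user-supplied video conversion parameter.

Constructed stand-in (Python, not crAPI's Java code) for a convert_video
style pipeline: a conversion parameter taken from a GET query string is
checked against a fixed allowlist and then placed into an argv list, so it
never reaches a shell as part of a command string.
"""
import re
import shlex
import subprocess
from typing import List, Optional

# Hypothetical set of conversion settings the endpoint is willing to apply.
# The user never supplies ffmpeg flags; they supply a key into this table.
ALLOWED_CONVERSIONS = {
    "h264": ["-c:v", "libx264"],
    "vp9": ["-c:v", "libvpx-vp9"],
    "copy": ["-c", "copy"],
}

# Assumed naming scheme for files the service itself generates:
# a hex id plus one of a few known extensions.
_SAFE_NAME = re.compile(r"^[0-9a-f]{8,64}\.(mp4|webm|mkv)$")


class ConversionParamError(ValueError):
    """Raised when a conversion request fails validation."""


def validate_conversion(param: Optional[str]) -> List[str]:
    """Map a query-string value to fixed ffmpeg arguments, or reject it.

    A missing parameter falls back to a plain stream copy; any value that is
    not an exact allowlist key is rejected, so shell metacharacters, extra
    flags or path fragments never get past this point.
    """
    if param is None:
        param = "copy"
    if param not in ALLOWED_CONVERSIONS:
        raise ConversionParamError(f"unknown conversion: {param!r}")
    return list(ALLOWED_CONVERSIONS[param])


def build_argv(input_name: str, output_name: str,
               conversion: Optional[str]) -> List[str]:
    """Build the ffmpeg argv list.

    No shell is involved when this list is executed, so each element is a
    single argument to ffmpeg and is never interpreted as command syntax.
    """
    for name in (input_name, output_name):
        if not _SAFE_NAME.match(name):
            raise ConversionParamError(f"unexpected file name: {name!r}")
    return ["ffmpeg", "-i", input_name,
            *validate_conversion(conversion), output_name]


def shell_string(argv: List[str]) -> str:
    """Render argv as a string that a POSIX shell would parse back into the
    same argv. Useful for logging the exact command; if a shell must be
    used at all, this quoting is what keeps arguments as arguments."""
    return " ".join(shlex.quote(a) for a in argv)


def run_conversion(argv: List[str]) -> int:
    """Execute with shell=False. Kept separate so the argv builder can be
    tested without ffmpeg installed."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed request values, as the handler would see them.
    argv = build_argv("0123abcd.mp4", "0123abcd.webm", "vp9")
    print(shell_string(argv))
```

The design choice here is that the query parameter selects a row in a table rather than contributing text to a command; the only way to change what ffmpeg does is to add a row to `ALLOWED_CONVERSIONS`. Logging the quoted `shell_string` output also makes a rejected or unusual request visible in the service log without ever executing it.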