Ph33rr / cirrusgo

A fast tool to scan SaaS and PaaS apps, written in Go
MIT License
83 stars 16 forks

An Error Occured invalid URL escape "%Ma" #7

Closed marz-hunter closed 2 years ago

marz-hunter commented 2 years ago

run cirrusgo salesforce -u https://aura.co -cw

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[VLN] https://aura.co/aura Vulnerable
[VLN] https://aura.co/sfsites/aura Vulnerable
[vulnerable Endpoint] [/aura,/sfsites/aura]
2022/07/29 23:08:12 An Error Occured invalid URL escape "%Ma"

error:

2022/07/29 23:08:12 An Error Occured invalid URL escape "%Ma

Go Version

go version go1.18 linux/amd64

OS

Ubuntu 18

marz-hunter commented 2 years ago

options -lobj -gobj also shows the same error

Ph33rr commented 2 years ago

command:

curl -v https://yyyy.com

copy

headers and body here

marz-hunter commented 2 years ago

cirrusgo salesforce -u https://aaa -gobj

Ph33rr commented 2 years ago

command

curl -X POST https://aaaa/aura -d " "

response :

{"event":{"descriptor":"markup://aura:invalidSession","attributes":{"values":{}},"eventDef":{"descriptor":"markup://aura:invalidSession","t":"APPLICATION","xs":"I","a":{"newToken":["newToken","aura://String","I",false]}}},"exceptionMessage":"Guest user access is not allowed","exceptionEvent":true}

endpoint vuln

but

Guest user access is not allowed

check here

6

Thanks for sharing this error
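
The `invalid URL escape "%Ma"` text in this report has the form Go's `net/url` package produces when percent-decoding meets a malformed escape. The following is an added example, not cirrusgo's code (the thread does not show where the tool raises the error): it reproduces the message and handles it without aborting the run. `decodeLenient` is a hypothetical helper and the sample strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// decodeLenient (hypothetical helper) percent-decodes s. When s contains a
// malformed escape such as "%Ma", it returns s unchanged together with the
// offending sequence, so the caller can log it and continue instead of
// exiting on the error.
func decodeLenient(s string) (decoded string, badEscape string) {
	out, err := url.QueryUnescape(s)
	if err == nil {
		return out, ""
	}
	// QueryUnescape reports malformed escapes as url.EscapeError, whose
	// value is the offending sequence (at most three bytes).
	var esc url.EscapeError
	if errors.As(err, &esc) {
		return s, string(esc)
	}
	return s, err.Error()
}

func main() {
	// Constructed inputs: one valid escape, one literal '%' followed by
	// non-hex characters, one truncated escape at the end of the string.
	for _, in := range []string{"name%3DAccount", "100%Match", "tail%"} {
		_, err := url.QueryUnescape(in)
		fmt.Printf("strict  %-18q err=%v\n", in, err)

		out, bad := decodeLenient(in)
		fmt.Printf("lenient %-18q -> %q bad=%q\n", in, out, bad)
	}
}
```

A literal `%` in text that was never percent-encoded is enough to trigger the strict error, which is why decoding untrusted response content should treat `url.EscapeError` as a recoverable condition.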