PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

Can't dns interactions be detected at given insertion point then? #16

Closed chain00x closed 1 year ago

chain00x commented 1 year ago

This is my code, and I know for sure that there will be a callback, but an error is reported in the event log.

[image]

This is my complete code

metadata:
    language: v1-beta
    name: "Request-level collaborator based"
    description: "Blind SSRF with out-of-band detection"
    author: "Carlos Montoya"

given insertion point then
    send payload:
        replacing: {generate_collaborator_address()}

    if dns interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "This site fetches arbitrary URLs specified in the Referer header."
            remediation: "Ensure that the site does not directly request URLs from the Referer header."
    end if

genuinemoses commented 1 year ago

Hi @chain00x, could you elaborate what you're trying to achieve? It looks like you want to insert a collaborator address to nested insertion points in a request to find potential OOB SSRF. The code seems to work fine as executed by Burp Scanner.

chain00x commented 1 year ago

Thank you for your reply

Yes, I'll replace each parameter with a collaborator address and issue a request to see if it calls back.

This is my code on my server:

from flask import Flask, request
import subprocess

app = Flask(__name__)

# Deliberately SSRF-vulnerable test endpoint: fetches whatever URL the
# `url` query parameter contains, so a collaborator address placed in that
# parameter should produce an out-of-band interaction.
@app.route('/2', methods=['GET'])
def curl_request():
    url = request.args.get('url')
    if url is None:
        return 'Please provide a URL parameter', 400

    command = ['curl', '-I', url]
    result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output = result.stdout.decode('utf-8')
    if result.returncode != 0:
        error = result.stderr.decode('utf-8')
        return f'curl command failed: {error}', 500

    return output, 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8090)

This is a base request:

[image]

This is a request BChecks sends:

[image]

It is clear that the request was made, but no issue was received.

I found an error here:

[image]

But when I test the Referer header, I get an issue report.

The code on the server is like this:

from flask import Flask, request
import subprocess

app = Flask(__name__)

# Same deliberately SSRF-vulnerable test server, but the fetched URL is taken
# from the Referer header instead of a query parameter.
@app.route('/', methods=['GET'])
def curl_request():
    referer = request.headers.get('Referer')
    if referer is None:
        return 'Please provide a Referer header', 400

    command = ['curl', '-I', referer]
    result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output = result.stdout.decode('utf-8')
    if result.returncode != 0:
        error = result.stderr.decode('utf-8')
        return f'curl command failed: {error}', 500

    return output, 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8090)

BCheck code:

metadata:
    language: v1-beta
    name: "Request-level collaborator based"
    description: "Blind SSRF with out-of-band detection"
    author: "Carlos Montoya"

given request then
    send request:
        headers:
            "Referer": {generate_collaborator_address()}

    if http interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "This site fetches arbitrary URLs specified in the Referer header."
            remediation: "Ensure that the site does not directly request URLs from the Referer header."
    end if

What I do know for sure is that there was an error in BChecks when checking whether there was a callback.

Because this code runs successfully and reports an issue:

metadata:
    language: v1-beta
    name: "ssrf"
    description: "ssrf"
    author: "chain00x"

given query or body insertion point then
    send payload:
        replacing: `https://{generate_collaborator_address()}/`

    if "1" in "111" then
        report issue:
            severity: high
            confidence: firm
            detail: "ssrf"
            remediation: "ssrf"
    end if

[image]

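The Flask endpoints in this thread are intentionally vulnerable test targets. As an added example that is not part of the thread, here is the validation a hardened version of those handlers would run on the `url` parameter or Referer value before fetching anything: the scheme, embedded credentials and an allowlist are checked, and every address the host resolves to is rejected if it is not public. The allowlist, the `resolve` parameter and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this server is permitted to fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


def resolve_all(hostname):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_outbound_url(url, resolve=resolve_all):
    """Return (ok, reason) for a URL the server is asked to fetch.

    `resolve` is injectable so the check can be exercised offline; in the
    real handler the default DNS-backed resolver is used.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    # An allowlisted name can still resolve to an internal address (DNS
    # rebinding, misconfigured records), so every answer is checked.
    try:
        addrs = resolve(host)
    except socket.gaierror:
        return False, "name does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{addr} is not a public address"
    return True, "ok"
```

In the handlers above this check would run on the `url` parameter or Referer header and return 400 on rejection before `curl` is ever invoked; the fetch itself should also follow no redirects, since a redirect can point back at an internal address after the check has passed.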
genuinemoses commented 1 year ago

It looks like this is a valid issue, I've checked the interactions with external request capturing tools like http://pingb.in/ to confirm the issue.

The Bcheck definition may not be capturing the dns interactions. It could be the case that the Bcheck definition for dns interactions is not working as expected or it's misunderstood and misused.

Let's wait for the Portswigger team to respond and confirm if this is an issue.

@chain00x , @A-J-C ,@olliewuk

chain00x commented 1 year ago

OK, I look forward to the problem being solved.

A-J-C commented 1 year ago

Hi, we are currently looking into this issue and should be able to give you an update soon.

A-J-C commented 1 year ago

We've figured the issue out and have a fix in place. This will be live when 2023.6 hits stable later this week.

Thank you very much for the report!