⛏️ Write test for fetching data using SFTP, DICT, GOPHER, LDAP, TFTP protocols via SSRF

[aktoboy]

💭 Introduction: We want to test whether API's which take in url as a param are vulnerable to fetch information via protocols like SFTP, DICT, GOPHER, LDAP, TFTP using SSRF. You can refer this blog for more details about the attack.

🎯 Requirements: This test should only run for APIs which are taking url as a parameter in input. The test should cover the protocols mentioned in Introduction section. An SSRF example is implemented here already.

📚 Reading You can find a detailed documentation of test editor rules here Find 100+ examples of YAML tests here

✅ Task summary:

• [ ] Ask to be assigned to the issue.
• [ ] Wait to be assigned. We will try to assign in less than 2 hours.
• [ ] Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• [ ] Signup for Akto
• [ ] Check in the Attempt tab, if the payload changes, then task is done.
• [ ] Submit the PR here.

✌🏻 Hints: You can build the yaml template by referring this link

🙋🏼‍♂️ Questions: If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

[adripo]

I would like to attempt to solve this issue. Can I be assigned please?

[avneesh-akto]

Done

[adripo]

I am not able to validate the response through tests so I assume that a 2xx answer is enough for validation.

[avneesh-akto]

No @adripo. Just validating 2xx response code will lead to lot of false positives. Try to add more validation

[adripo]

@avneesh-akto I added some payloads and headers for the validation

[adripo]

@avneesh-akto can you have a look at my PR please? thanks

[avneesh-akto]

Hi @adripo. Your test looks good. Only issue is with test validation. contains_either doesn't support regex. So .* won't work

[adripo]

Thanks for the input @avneesh-akto What should I use instead of contains_either? I used regex following the docs here: https://docs.akto.io/test-editor/test-yaml-syntax-detailed/api-selection-filters#regex

[avneesh-akto]

Just use contains_either without regex

[adripo]

@avneesh-akto done. It should work correctly now. Could you also please tag the PR as hacktoberfest-accepted before October 31? Thank you

[avneesh-akto]

Hey your PR LGTM 🚀 . Thank you for your submission. Please change base branch to develop.

[adripo]

If I rebase to develop it will keep all the commits not synced between them. I should create a new branch and cherry-pick my commits. Does this sounds good to you?

[ankush-jain-akto]

Hi @adripo - ~that sounds good. Please create a new PR~

Time was running out for Hacktoerfest. I simply created a new branch from master called hacktoberfest. I have merged your PR there. We will take care of merging hacktoberfest to master.

[adripo]

Thank you @ankush-jain-akto ! This is really nice of you.