google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

AI PRP: Request Airflow Exposed UI #413

Closed maoning closed 2 months ago

maoning commented 6 months ago

https://github.com/projectdiscovery/nuclei-templates/blob/b686b1aea279093c30b35486db65a0e9917b66c4/http/misconfiguration/airflow/unauthenticated-airflow.yaml#L4

Please use callback server to verify the exposure, instead of the simple html response regex matching in the nuclei template.

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

am0o0 commented 6 months ago

@maoning please assign this PRP to me, I want to focus on airflow. I can definitely implement airflow-related plugins faster because of my current airflow plugin.

am0o0 commented 4 months ago

Hi @maoning, I already wrote a plugin for Airflow. Could you please allow me to work on this plugin and this one, https://github.com/google/tsunami-security-scanner-plugins/issues/429? I can write a plugin in much less time than others now because I'm familiar with Airflow. Please notify me ASAP, as my first PRP request will be merged soon.

maoning commented 4 months ago

Hi @am0o0 ,

Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:

I've assigned this airflow plugin to you, as this one seems to be more straightforward than #429. Once you complete this one, please remind me to assign the other one to you.

am0o0 commented 4 months ago

@maoning this is the simple setup config for having anonymous Airflow dashboard/UI access. For testing the out-of-band call we can create connections (like HTTP and FTP). Still, this option has been disabled since it was reported as a vulnerability; it was enabled by default for Airflow versions before 2.7.0 (the current version is 2.9.1). There are also other CVEs that help us with post-auth code execution (which we don't have auth for here), but these CVEs have a narrow scope and are limited to a few versions, while the connection feature has an extensive scope in terms of vulnerable instances. Also, we can enable it in the following setup:

# on ubuntu
sudo apt install python3
sudo apt install python3-venv
sudo apt install python3-pip
mkdir airflowWorkSpace
cd airflowWorkSpace
python3 -m venv .venv
source .venv/bin/activate
pip install apache-airflow

mkdir config
# point Airflow at our config directory
export AIRFLOW_HOME="$(pwd)/config"
# re-enable the connection "Test" button (disabled by default since Airflow 2.7.0)
export AIRFLOW__CORE__TEST_CONNECTION=Enabled

# create and edit config/webserver_config.py file
touch config/webserver_config.py
nano config/webserver_config.py

Add the following in the editor:

from __future__ import annotations
import os
from flask_appbuilder.const import AUTH_DB
basedir = os.path.abspath(os.path.dirname(__file__))
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = None
AUTH_TYPE = AUTH_DB
# grants every anonymous visitor the Admin role, so no login is required
AUTH_ROLE_PUBLIC = 'Admin'

Run airflow standalone and go to http://127.0.0.1:8080/home; there is no auth needed for anything you want to do. Go to http://127.0.0.1:8080/connection/add and select the HTTP connection type; you can see the test button is enabled, and so we can test an out-of-band call to verify the exposed dashboard/UI.

ref: https://airflow.apache.org/docs/apache-airflow-providers-fab/stable/auth-manager/webserver-authentication.html#webserver-authentication

For a safe setup, we should remove AUTH_ROLE_PUBLIC = 'Admin' from config/webserver_config.py.
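The two settings that make the testbed above anonymously reachable (AUTH_ROLE_PUBLIC in webserver_config.py and the AIRFLOW__CORE__TEST_CONNECTION environment variable) are exactly what an operator would want to audit on a real deployment. The following is an added example, not code from this thread, Tsunami or Airflow: a hypothetical `audit_webserver_config` helper that parses webserver_config.py with `ast` (so the file is never executed) and reports anonymous-access and connection-test findings. The sample configs are constructed from the snippet above; the role names are Airflow's built-in FAB roles.

```python
"""Audit an Airflow webserver_config.py for anonymous-access settings.

Hypothetical helper (not part of Tsunami or Airflow). It parses the config
file with ast instead of importing it, then reports:
  - AUTH_ROLE_PUBLIC set: anonymous visitors get a role without logging in
    (Admin/Op/User can modify state, Viewer is read-only)
  - AIRFLOW__CORE__TEST_CONNECTION=Enabled: the connection "Test" button can
    issue outbound requests from the UI (disabled by default since 2.7.0)
"""
import ast
from typing import Dict, List, Mapping, Union

Setting = Union[str, int, float, bool, None]

# Built-in FAB roles that can change state; anything else is treated as read-only.
PRIVILEGED_ROLES = {"Admin", "Op", "User"}


def parse_config(source: str) -> Dict[str, Setting]:
    """Collect top-level NAME = <literal> / NAME = <other name> assignments."""
    settings: Dict[str, Setting] = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if isinstance(node.value, ast.Constant):
                settings[target.id] = node.value.value
            elif isinstance(node.value, ast.Name):
                # e.g. AUTH_TYPE = AUTH_DB; keep the referenced name as a string
                settings[target.id] = node.value.id
    return settings


def audit_webserver_config(source: str, env: Mapping[str, str]) -> List[str]:
    """Return human-readable findings for the config source and environment."""
    findings: List[str] = []
    settings = parse_config(source)

    role = settings.get("AUTH_ROLE_PUBLIC")
    if isinstance(role, str):
        if role in PRIVILEGED_ROLES:
            findings.append(
                f"AUTH_ROLE_PUBLIC={role!r}: anonymous visitors get a privileged role"
            )
        else:
            findings.append(
                f"AUTH_ROLE_PUBLIC={role!r}: anonymous read access is enabled"
            )

    # Env var value is case-insensitive; absent means the Airflow default (Disabled).
    if env.get("AIRFLOW__CORE__TEST_CONNECTION", "Disabled").lower() == "enabled":
        findings.append(
            "AIRFLOW__CORE__TEST_CONNECTION=Enabled: connection test button can "
            "make outbound requests from the UI"
        )
    return findings


# Constructed sample: the testbed config from this thread.
EXPOSED_CONFIG = """
from __future__ import annotations
import os
from flask_appbuilder.const import AUTH_DB
basedir = os.path.abspath(os.path.dirname(__file__))
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = None
AUTH_TYPE = AUTH_DB
AUTH_ROLE_PUBLIC = 'Admin'
"""

# Constructed sample: the same config with AUTH_ROLE_PUBLIC removed.
HARDENED_CONFIG = EXPOSED_CONFIG.replace("AUTH_ROLE_PUBLIC = 'Admin'\n", "")


if __name__ == "__main__":
    for finding in audit_webserver_config(
        EXPOSED_CONFIG, {"AIRFLOW__CORE__TEST_CONNECTION": "Enabled"}
    ):
        print("FINDING:", finding)
    print("hardened:", audit_webserver_config(HARDENED_CONFIG, {}))
```

Run against a live deployment, `source` would be the contents of `$AIRFLOW_HOME/webserver_config.py` and `env` the webserver process environment; the exposed testbed produces two findings, the hardened config none.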

am0o0 commented 4 months ago

@maoning I can check with OOB as a first step, and then if it fails I can try to retrieve an endpoint that returns a lot of data, to avoid missing the instances that don't enable the new connection test feature. This is a convenience method IMO.

maoning commented 4 months ago

@am0o0 Sounds good. Please submit our participation form, and you can start working on the testbed and plugin development.

tooryx commented 2 months ago

Hi @am0o0,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!

am0o0 commented 2 months ago

Hey @tooryx Can I follow up on this issue, please?

tooryx commented 2 months ago

Hi @am0o0,

This plugin is still in internal QC. You will receive more information once this is over (it usually lasts around 2 weeks, so it should be very soon).

~tooryx

am0o0 commented 2 months ago

@tooryx I think you should update this part of your message which says: "Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made."

Otherwise, I will not send you a follow-up message if it is one week late.

tooryx commented 2 months ago

Thanks for letting me know. I will consider updating it.

~tooryx

tooryx commented 2 months ago

Hi @am0o0,

You should receive the reward message soon.

~tooryx