AI PRP: Exposed argo workflows UI

[JamesFoxxx]

We can confirm the exposed argo workflows UI with OOB. This is an AI PRP to improve the current plugin.

[maoning]

Hi @JamesFoxxx ,

Please complete the following items before starting the plugin improvement work:

• [ ] Submit the vulnerable & secure configurations of the target application to google/security-testbeds.
• [ ] Submit our participation form.

[JamesFoxxx]

@maoning everything is nice on my side. please read this https://github.com/google/security-testbeds/pull/44 two questions:

1. should I improve the current plugin(from Google) or I should create a new one?
2. I need to access the callback address and port and the token to make a custom payload because docker images don't have commands like curl by default usually ( you can see my payload in the testbed), could you show me an example for this, please?

[JamesFoxxx]

for the second question, I have the following solution:

 private Payload generatePayload() {
    return this.payloadGenerator.generateNoCallback(
        PayloadGeneratorConfig.newBuilder()
            .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
            .setInterpretationEnvironment(
                PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
            .setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
            .build());
  }
URL callbackURL = new URL(generatePayload().getPayload());
System.out.println(callbackURL.getHost());
System.out.println(callbackURL.getPort());
System.out.println(callbackURL.getPath().substring(1));

it is an OOB but not direct RCE from the plugin, it is just SSRF. but still, it is executing a command.

[JamesFoxxx]

Also, a solution for the second question is that we can use the curlimages/curl:latest image which has the curl command and we can use tsunami payloads.

[JamesFoxxx]

@maoning as the curlimages/curl:7.78.0 image is the official image from public docker hub, I updated the testbed so we can use the tsunami payload with curl command.

[maoning]

@maoning everything is nice on my side. please read this google/security-testbeds#44 two questions:

1. should I improve the current plugin(from Google) or I should create a new one?

Please improve the existing plugin, you can add yourself to the author field.

2. I need to access the callback address and port and the token to make a custom payload because docker images don't have commands like curl by default usually ( you can see my payload in the testbed), could you show me an example for this, please?

Great question.

https://github.com/google/tsunami-security-scanner-callback-server has instruction of how to set up a callback server locally.

Here is the instruction for generating the token (I will add this to be part of the official doc):

1. Generating a secret, it should be an unique string

SECRET="<uniq_id>"

2. Create a SHA3 hashed callback ID

CBID=$(printf "${SECRET}" | openssl sha3-224 -binary | xxd -p)

3.1 Call callback server using HTTP

curl http://localhost:<recording-port>/${CBID}

3.2 Call callback server using DNS

dig ${CBID}.<callback-server-addr>

4. Verify callback is recorded using the original (unhashed) string.

curl "http://<callback-server-addr>:<polling-port>/?secret=${SECRET}"

[maoning]

@JamesFoxxx please confirm that you are still working on this issue. Otherwise I will close it.

[JamesFoxxx]

Hii @maoning my main issue is https://github.com/google/tsunami-security-scanner-plugins/issues/419 which I created a PR for months ago. If you want to make this a priority, I can start working from tomorrow. I already created the payload with Curl PoC. I can quickly implement it as a tsunami plugin too.

[JamesFoxxx]

@maoning the testbeds is ready: https://github.com/google/security-testbeds/pull/44 (from months ago) but I implemented the argo CD weak credential tester first.