projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

Enhancing OAST Templates #7401

Open princechaddha opened 1 year ago

princechaddha commented 1 year ago

Here are the IDs of templates that solely match based on the interact callback, but there can be instances where false positive results occur when running against a honeypot or a host that indiscriminately sends callbacks to any URL it receives in GET/POST data. To mitigate such cases, we can consider the following approaches:

By using these mitigation approaches, we can minimize false positive results and ensure more accurate identification of vulnerabilities.

### Templates with OAST Matchers only
- [ ] CNVD-2021-09650
- [ ] CVE-2014-3206
- [ ] CVE-2015-8813
- [ ] CVE-2016-1555
- [ ] CVE-2017-3506
- [ ] CVE-2017-9506
- [ ] CVE-2017-18638
- [ ] CVE-2018-15517
- [ ] CVE-2018-16167
- [ ] CVE-2018-1000600
- [ ] CVE-2019-2616
- [ ] CVE-2019-2767
- [ ] CVE-2019-3929
- [ ] CVE-2019-8451
- [ ] CVE-2019-10758
- [ ] CVE-2019-18394
- [ ] CVE-2019-19824
- [ ] CVE-2020-5775
- [ ] CVE-2020-7796
- [ ] CVE-2020-10770
- [ ] CVE-2020-24148
- [ ] CVE-2020-25223
- [ ] CVE-2020-26919
- [ ] CVE-2020-35713
- [x] CVE-2021-20167
- [ ] CVE-2021-26855
- [ ] CVE-2021-27931
- [ ] CVE-2021-31755
- [ ] CVE-2021-32305
- [ ] CVE-2021-32819
- [ ] CVE-2021-33544
- [ ] CVE-2021-36380
- [ ] CVE-2022-0591
- [ ] targa-camera-ssrf
- [ ] cloudflare-external-image-resize
- [ ] linkerd-ssrf-detection
- [ ] ssrf-via-oauth-misconfig
- [ ] tls-sni-proxy
- [ ] xmlrpc-pingback-ssrf
- [ ] hashicorp-consul-rce
- [ ] mirai-unknown-rce
- [ ] optilink-ont1gew-gpon-rce
- [ ] sar2html-rce
- [x] sponip-network-system-ping-rce
- [ ] zimbra-preauth-ssrf
- [ ] wordpress-ssrf-oembed
- [ ] wp-under-construction-ssrf
- [ ] wp-xmlrpc-pingback-detection

### OAST Templates with 200 status code matcher
- [ ] CVE-2009-4223
- [x] CVE-2014-4210
- [ ] CVE-2019-9978
- [ ] CVE-2019-20224
- [ ] CVE-2021-1498
- [ ] CVE-2021-25052
- [ ] CVE-2021-24472
- [ ] CVE-2021-45967
- [ ] fastjson-1-2-41-rce
- [ ] fastjson-1-2-42-rce
- [ ] fastjson-1-2-43-rce
- [ ] fastjson-1-2-62-rce
- [ ] fastjson-1-2-67-rce
- [ ] fastjson-1-2-68-rce

### OAST Templates with status code matcher different from 200 OK
- [ ] CVE-2014-4210
- [ ] openbmcs-ssrf
- [ ] fastjson-1-2-47-rce
- [ ] hasura-graphql-ssrf
- [ ] CVE-2022-2486
- [ ] CVE-2022-2488
- [ ] CVE-2022-22963
- [ ] CVE-2022-23881
- [ ] CVE-2022-30525
- [ ] CVE-2017-0929
- [ ] CVE-2021-22053
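As an added example (not code from this issue or from the nuclei project), a small Python check that sorts parsed templates into the three buckets used above, and that also flags a case the headings do not cover: a status matcher that sits under nuclei's default `matchers-condition: or`, where the interactsh callback alone still fires. Real template files would be loaded with `yaml.safe_load` first; the sample templates below are constructed.

```python
"""Classify nuclei templates by whether an interactsh (OAST) callback alone
is enough for a match. Added example, not nuclei project code; real template
files would be parsed first with yaml.safe_load (PyYAML)."""

# Matcher parts that inspect the interactsh callback, not the HTTP response.
OAST_PARTS = {"interactsh_protocol", "interactsh_request", "interactsh_response"}


def classify_oast_template(template):
    """Return 'no-oast', 'oast-only', 'oast-status-200', 'oast-status-other'
    or 'oast-plus-other'.

    Non-OAST matchers only narrow a result when the request's
    matchers-condition is 'and'. Nuclei defaults to 'or', so a status matcher
    next to an interactsh matcher under 'or' still lets the callback alone
    fire, and the template is reported as 'oast-only'."""
    has_oast, status_codes, other_matcher = False, set(), False
    for request in template.get("http", []) + template.get("requests", []):
        matchers = request.get("matchers", [])
        if not any(m.get("part") in OAST_PARTS for m in matchers):
            continue
        has_oast = True
        if request.get("matchers-condition", "or") != "and":
            continue
        for m in matchers:
            if m.get("part") in OAST_PARTS:
                continue
            if m.get("type") == "status":
                status_codes.update(m.get("status", []))
            else:
                other_matcher = True
    if not has_oast:
        return "no-oast"
    if 200 in status_codes:
        return "oast-status-200"
    if status_codes:
        return "oast-status-other"
    return "oast-plus-other" if other_matcher else "oast-only"


# Constructed sample templates, trimmed to the keys the classifier reads.
OAST_ONLY = {"http": [{"matchers": [
    {"type": "word", "part": "interactsh_protocol", "words": ["http"]}]}]}
OAST_AND_200 = {"http": [{"matchers-condition": "and", "matchers": [
    {"type": "word", "part": "interactsh_protocol", "words": ["dns"]},
    {"type": "status", "status": [200]}]}]}
OAST_OR_200 = {"http": [{"matchers-condition": "or", "matchers": [
    {"type": "word", "part": "interactsh_protocol", "words": ["dns"]},
    {"type": "status", "status": [200]}]}]}
```
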

sharma7ay commented 1 year ago

How can we exploit fastjson-1-2-47-rce?

There is no path here, only the domain is shown. Please provide the full path so that it can be easy to exploit manually.

princechaddha commented 1 year ago

@sharma7ay, could you please clarify what you mean by "here is not path only domain"? Are you suggesting that there is no specific path mentioned in the raw request within the fastjson-1-2-47-rce template?