In some scenarios, input data could be crafted to have the scanner make a blind request to a target controlled by the input data. Typically this would effectively be a blind, unauthenticated GET request to the endpoint.
Mitigations include:

- stripping any paths or params, and setting those explicitly in the detector as needed
- disabling following redirects
- an HTTP client that does not allow local IPs
Only a few detectors were affected by this issue, but the new http clients were also introduced for some detectors that were only detecting subdomains to a trusted domain, or domains to be used in a query parameter on the upstream provider.
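The three mitigations above, combined into one Go HTTP client, as an added example that is not this PR's code: a redirect-refusing `http.Client` whose dialer resolves the host and rejects loopback, private, link-local and other non-public addresses, plus a helper that keeps only the host from an untrusted candidate URL and sets the path itself. Function names and the HTTPS-only rule are assumptions for illustration.

```go
package main
import (
	"context"
	"errors"
	"net"
	"net/http"
	"net/url"
	"time"
)
// isDisallowedIP: loopback, private, link-local, multicast or unspecified.
func isDisallowedIP(ip net.IP) bool {
	return ip == nil || !ip.IsGlobalUnicast() || ip.IsPrivate()
}
// safeDialContext resolves first, rejects any disallowed answer, then dials the
// vetted IP (not the hostname) so a second lookup cannot swap in another address.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if isDisallowedIP(ip.IP) {
			return nil, errors.New("destination resolves to a non-public IP")
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}
// newSafeClient never follows redirects and only dials public addresses.
func newSafeClient() *http.Client {
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}
// verificationURL keeps only the host of the untrusted candidate, drops any
// supplied path, query or fragment, and sets the path the detector needs.
func verificationURL(untrusted, path string) (string, error) {
	u, err := url.Parse(untrusted)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("rejecting candidate endpoint")
	}
	return (&url.URL{Scheme: "https", Host: u.Host, Path: path}).String(), nil
}
```

A detector would build its request with `verificationURL(candidate, "/known/verify/path")` and send it through `newSafeClient()`, so a crafted domain can neither pick the path nor redirect or resolve the scanner into an internal address.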
Checklist:

- [x] Tests passing (`make test-community`)?
- [x] Lint passing (`make lint`, this requires golangci-lint)?