zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

False Positive results due to receiving a successful response HTTP/1.1 200 OK #8514

Open nuhasha opened 2 weeks ago

nuhasha commented 2 weeks ago

Is your feature request related to a problem? Please describe.

Cloud metadata potentially exploited: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java

If a successful response (HTTP/1.1 200) is received, the check raises an alert as "cloud metadata potentially exploited"; this causes many false-positive alerts, as upon investigating the received response it does not really include any cloud metadata.

Describe the solution you'd like

Instead of just validating the HTTP return code, we may check whether or not it's getting answers from the metadata services; for example, check what header information the metadata service may return and then compare that with the actual data received.

Another option: if HTML is present in the response, it is most likely not metadata; metadata is usually just text or JSON.

Describe alternatives you've considered

none.

Screenshots

No response

Additional context

Example of a response received from a host where "cloud metadata potentially exploited" was a false positive:

<html>
<head>
<meta charset="UTF-8">
<title>Site Unavailable</title>
<link rel="stylesheet" type="text/css" href="https://s3.amazonaws.com/redacted/style.css" />
<!--[if lt IE 9]>
 <script src="https://s3.amazonaws.com/redacted/html5shiv.js"></script>
<![endif]-->
</head>
<body>

<div id="hero">
<img src="https://s3.amazonaws.com/redacted/tool_icon.png" />
<h1>Site Unavailable</h1>
</div>
<section>
<script src="https://s3.amazonaws.com/redacted/language.js" ></script>
</section>
</body>
</html>

Would you like to help fix this issue?

psiinon commented 2 weeks ago

Sounds good. Does anyone have any examples of valid cloud metadata responses, or links to ways to get them? Those sort of things would make it much easier for us to fix this...

nuhasha commented 2 weeks ago

To get the cloud metadata response for https://example.com, we use: curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k

Resource: https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

nuhasha commented 2 weeks ago

How does the detection work? scan(): this method performs the actual scan. It iterates over a list of metadata hosts, sends requests to each host, and checks if the request is successful and if the response contains any data.

METADATA_HOSTS list from the detection:

1. 169.254.169.254
2. aws.zaproxy.org
3. 100.100.100.200
4. alibaba.zaproxy.org

In the example given in the previous comment we used the metadata host Host: 169.254.169.254 to get the cloud metadata response from https://example.com by running the curl command: curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k

kingthorin commented 2 weeks ago

He was asking if anyone had actual legit metadata responses from cloud providers so we could model things even more specifically.

nuhasha commented 2 weeks ago

Thank you @kingthorin for the clarification; here are some examples of actual metadata responses from AWS, Azure, and GCP:

AWS:

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

References: Retrieve instance metadata

Google Cloud Platform (GCP)

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/
attributes/
cpu-platform
description
disks/
guest-attributes/
hostname
id
image
legacy-endpoint-access/
licenses/
machine-type
maintenance-event
name
network-interfaces/
preempted
remaining-cpu-time
scheduling/
service-accounts/
tags
virtual-clock/
zone

References: Predefined instance metadata keys; Gathering cloud instance metadata

Azure

attested
identity
instance
loadbalancer
scheduledevents
versions

References: Azure Endpoint categories
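The following is an added example written for this page; it is not ZAP project code and was not posted by anyone in the thread. It sketches, in stdlib-only Python rather than the scan rule's Java, the content check proposed earlier in the issue (a 200 alone is not enough; an HTML body means "not metadata"; a body that is a directory-style listing of known keys means "metadata"). The key sets are the AWS, GCP and Azure listings posted above; the `Metadata-Flavor: Google` response-header hint relies on Google's documented behaviour of echoing that header, and every sample response is constructed (the HTML one is modelled on the false-positive page in the issue). Function names, thresholds and the `Verdict` type are this example's own choices.

```python
# Added example, not zaproxy code: a body/header check so that a bare 200 does
# not by itself raise "cloud metadata potentially exploited".
import re
from dataclasses import dataclass

# Top-level metadata keys as listed in this issue thread, per provider.
AWS_KEYS = {
    "ami-id", "ami-launch-index", "ami-manifest-path", "block-device-mapping/",
    "events/", "hostname", "iam/", "instance-action", "instance-id",
    "instance-type", "local-hostname", "local-ipv4", "mac", "metrics/",
    "network/", "placement/", "profile", "public-hostname", "public-ipv4",
    "public-keys/", "reservation-id", "security-groups", "services/",
}
GCP_KEYS = {
    "attributes/", "cpu-platform", "description", "disks/", "guest-attributes/",
    "hostname", "id", "image", "legacy-endpoint-access/", "licenses/",
    "machine-type", "maintenance-event", "name", "network-interfaces/",
    "preempted", "remaining-cpu-time", "scheduling/", "service-accounts/",
    "tags", "virtual-clock/", "zone",
}
AZURE_KEYS = {"attested", "identity", "instance", "loadbalancer",
              "scheduledevents", "versions"}
KNOWN_KEYS = AWS_KEYS | GCP_KEYS | AZURE_KEYS

# Any of these tags is a strong sign the body is an HTML page, not a listing.
HTML_TAG_RE = re.compile(r"<\s*(?:!doctype|html|head|body|div|script|title)\b", re.I)


@dataclass
class Verdict:
    is_metadata: bool
    reason: str
    matched_keys: tuple


def looks_like_html(body: str) -> bool:
    """True if the body carries HTML markup (metadata listings never do)."""
    return HTML_TAG_RE.search(body) is not None


def classify_response(status: int, headers: dict, body: str,
                      min_hits: int = 2) -> Verdict:
    """Decide whether an HTTP response looks like a cloud metadata listing.

    headers maps response header name -> value (names matched case-insensitively).
    A 200 is necessary but not sufficient: the body must be a non-HTML,
    line-per-entry listing whose entries are mostly known metadata keys.
    """
    if status != 200:
        return Verdict(False, "status is not 200", ())
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "text/html" in hdrs.get("content-type", "").lower() or looks_like_html(body):
        return Verdict(False, "response is an HTML page", ())
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    hits = tuple(ln for ln in lines if ln in KNOWN_KEYS)
    # Assumption based on Google's docs: the GCP metadata server echoes
    # "Metadata-Flavor: Google" in its replies. Header plus any known key is enough.
    if hdrs.get("metadata-flavor", "").lower() == "google" and hits:
        return Verdict(True, "Metadata-Flavor: Google header with known keys", hits)
    # Otherwise require several known keys that make up at least half the body.
    if len(hits) >= min_hits and len(hits) * 2 >= len(lines):
        return Verdict(True, f"{len(hits)}/{len(lines)} lines are known metadata keys", hits)
    return Verdict(False, "body does not look like a metadata listing", hits)


# Constructed sample responses, modelled on the examples in this thread.
FALSE_POSITIVE_HTML = """<html>
<head><meta charset="UTF-8"><title>Site Unavailable</title></head>
<body><div id="hero"><h1>Site Unavailable</h1></div></body>
</html>"""
AWS_LISTING = "ami-id\nami-launch-index\nhostname\ninstance-id\ninstance-type\nlocal-ipv4\nmac\n"
GCP_LISTING = "attributes/\ncpu-platform\nhostname\nid\nzone\n"
PLAIN_TEXT_PAGE = "Welcome to our status page.\nAll systems operational.\nhostname\n"


def demo() -> dict:
    """Run the classifier over the constructed samples; returns name -> is_metadata."""
    cases = {
        "html error page": classify_response(200, {"Content-Type": "text/html"}, FALSE_POSITIVE_HTML),
        "aws listing": classify_response(200, {"Content-Type": "text/plain"}, AWS_LISTING),
        "gcp listing": classify_response(200, {"Metadata-Flavor": "Google"}, GCP_LISTING),
        "plain text with one key": classify_response(200, {}, PLAIN_TEXT_PAGE),
        "not found": classify_response(404, {}, AWS_LISTING),
    }
    return {name: v.is_metadata for name, v in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "at least half the lines are known keys" rule is what keeps a status page that happens to contain the word `hostname` from being flagged, while a genuine root listing matches every line. JSON-formatted metadata replies are not covered by this line-based check; they would need a separate key list that the thread does not provide.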