Open nuhasha opened 2 weeks ago
Sounds good. Does anyone have any examples of valid cloud metadata responses, or links to ways to get them? Those sorts of things would make it much easier for us to fix this...
To get a cloud metadata response for https://example.com, we use:
curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k
Resource: https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/
How does the detection work?
scan(): this method performs the actual scan. It iterates over a list of metadata hosts, sends requests to each host, and checks if the request is successful and if the response contains any data.
METADATA_HOSTS list from the detection:
1. 169.254.169.254
2. aws.zaproxy.org
3. 100.100.100.200
4. alibaba.zaproxy.org
In the example given in the previous comment we used the metadata host Host: 169.254.169.254 to get a cloud metadata response from https://example.com by running the curl command: curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k
He was asking if anyone had actual legit metadata responses from cloud providers so we could model things even more specifically.
Thank you @kingthorin for the clarification. Here are some examples of actual metadata responses from AWS, Azure, and GCP:
AWS:
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
References: Retrieve instance metadata
Google Cloud Platform (GCP)
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/
attributes/
cpu-platform
description
disks/
guest-attributes/
hostname
id
image
legacy-endpoint-access/
licenses/
machine-type
maintenance-event
name
network-interfaces/
preempted
remaining-cpu-time
scheduling/
service-accounts/
tags
virtual-clock/
zone
References: Predefined instance metadata keys Gathering cloud instance metadata
Azure
attested
identity
instance
loadbalancer
scheduledevents
versions
References: Azure Endpoint categories
Is your feature request related to a problem? Please describe.
Cloud metadata potentially exploited: https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
If a successful response (HTTP/1.1 200) is received, the check raises an alert that cloud metadata is potentially exploited. This causes many false positive alerts, as upon investigating the received response it does not really include any cloud metadata.
Describe the solution you'd like
Instead of just validating the HTTP return code, we may check whether or not it's getting answers from the metadata services; for example, check what header information the metadata service may return and then compare that with the actual data received.
Another option: if HTML is present in the response it is most likely not metadata; instead, metadata is usually just text or JSON.
Describe alternatives you've considered
none.
Screenshots
No response
Additional context
Example of a response received from a host where "cloud metadata potentially exploited" was a false positive:
Would you like to help fix this issue?
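The two ideas raised in this issue (reject HTML bodies, and compare the body against what the metadata services actually return, using the AWS, GCP and Azure key listings posted above) can be combined into a single response classifier. The following is an added stand-alone example in Python, not code from ZAP's CloudMetadataScanRule; the MIN_KEY_HITS threshold, the sample bodies and the use of a GCP Metadata-Flavor response header as a hint are assumptions made here.

```python
import re
from typing import Dict, Optional, Tuple

# Known top-level metadata keys per provider, taken from the listings posted in this issue.
KNOWN_KEYS = {
    "AWS": {"ami-id", "ami-launch-index", "ami-manifest-path", "block-device-mapping/",
            "hostname", "iam/", "instance-id", "instance-type", "local-hostname",
            "local-ipv4", "mac", "placement/", "public-keys/", "reservation-id",
            "security-groups"},
    "GCP": {"attributes/", "cpu-platform", "disks/", "hostname", "id", "image",
            "machine-type", "name", "network-interfaces/", "scheduling/",
            "service-accounts/", "tags", "zone"},
    "Azure": {"attested", "identity", "instance", "loadbalancer", "scheduledevents", "versions"},
}

# Any of these markers means the 200 came from an ordinary web page, not a metadata service.
HTML_MARKERS = re.compile(r"<!doctype\s+html|<html|<head|<body|<div|<script", re.IGNORECASE)

# Assumed threshold: a single common word such as "hostname" is not enough evidence.
MIN_KEY_HITS = 3


def classify_metadata_response(status: int, headers: Dict[str, str], body: str) -> Tuple[bool, Optional[str]]:
    """Return (is_metadata, provider). Only a 200 with a metadata-looking body counts."""
    if status != 200 or not body.strip():
        return False, None
    if HTML_MARKERS.search(body):
        return False, None  # HTML in the body: almost certainly a false positive
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("metadata-flavor", "").lower() == "google":
        return True, "GCP"  # assumed hint: GCP answers carry Metadata-Flavor: Google
    # Directory-style listings are one key per line; count how many we recognise.
    lines = {ln.strip() for ln in body.splitlines() if ln.strip()}
    best = max(KNOWN_KEYS, key=lambda p: len(lines & KNOWN_KEYS[p]))
    hits = len(lines & KNOWN_KEYS[best])
    return (True, best) if hits >= MIN_KEY_HITS else (False, None)


# Constructed sample bodies: a plausible AWS listing and an HTML page that merely mentions key names.
AWS_LISTING = "ami-id\nami-launch-index\nhostname\ninstance-id\ninstance-type\nlocal-ipv4\n"
HTML_PAGE = ("<!DOCTYPE html>\n<html><head><title>Example Domain</title></head>"
             "<body>hostname instance-id mac</body></html>")

if __name__ == "__main__":
    print(classify_metadata_response(200, {}, AWS_LISTING))                      # (True, 'AWS')
    print(classify_metadata_response(200, {"Content-Type": "text/html"}, HTML_PAGE))  # (False, None)
```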